
Configuring OMNI for Privacera PolicySync Connectors

This guide provides an overview and step-by-step guidance for configuring OMNI mode in Privacera PolicySync connectors.

Deployment Type

If you already have Privacera deployed with a connector (Unity Catalog or Snowflake), follow the Existing Deployment section first; if you are doing a fresh installation, go directly to Configuring Omni.

Existing Deployment

Perform the following steps to clean up the Connector PVC before configuring the Omni Metadata feature.

This is required to trigger a Metadata Sync from the Connector to the Metadata Service for all previously loaded connector resources.

DEPLOYMENT_ENV_NAME

You can get your deployment name by running the following commands:

Bash
cd ~/privacera/privacera-manager
grep DEPLOYMENT_ENV_NAME config/vars.privacera.yml

And set it as an environment variable:

Bash
export DEPLOYMENT_ENV_NAME=<your-deployment-name>

  1. List all the deployments in the namespace.

    Bash
    kubectl get deployments -n $DEPLOYMENT_ENV_NAME
    

  2. Identify the respective connector deployment and run the following command to scale down the connector deployment to 0.

    Bash
    kubectl scale deployment <connector-deployment-name> --replicas=0 -n $DEPLOYMENT_ENV_NAME
    

  3. List all the PVCs in the namespace.

    Bash
    kubectl get pvc -n $DEPLOYMENT_ENV_NAME
    

  4. Identify the respective connector PVC name. Run the following command to delete the connector PVC.

    Bash
    kubectl delete pvc <connector-pvc-name> -n $DEPLOYMENT_ENV_NAME
    

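The four steps above as one script, added here as an example and not part of the Privacera guide. It adds the checks a practitioner wants before a destructive `kubectl delete pvc`: the deployment is confirmed to exist, it is scaled to zero and the script waits until the deployment reports no remaining pods, and the PVC is confirmed to exist before it is deleted. The deployment name, PVC name and the CONNECTOR_DEPLOYMENT / CONNECTOR_PVC / OMNI_CLEANUP_RUN variables are placeholders of this example; it assumes `kubectl` is on PATH and already pointed at the right cluster, and that DEPLOYMENT_ENV_NAME is exported as described above.

```shell
#!/bin/sh
# Added example (not from the Privacera guide): scale a PolicySync connector
# deployment to zero and delete its PVC, with existence and readiness checks.
# Assumes kubectl is on PATH and targets the right cluster; all names are placeholders.

# Return 0 if the named deployment exists in the namespace.
deployment_exists() {
  kubectl get deployment "$1" -n "$2" >/dev/null 2>&1
}

# Return 0 if the named PVC exists in the namespace.
pvc_exists() {
  kubectl get pvc "$1" -n "$2" >/dev/null 2>&1
}

# Number of non-terminated pods the deployment still targets (0 when the field is unset).
current_replicas() {
  n=$(kubectl get deployment "$1" -n "$2" -o jsonpath='{.status.replicas}' 2>/dev/null)
  echo "${n:-0}"
}

# Scale the deployment to zero and wait (up to $3 seconds, default 120) until
# it reports no pods, so nothing is still mounting the PVC when it is deleted.
scale_down_and_wait() {
  dep=$1; ns=$2; timeout=${3:-120}
  deployment_exists "$dep" "$ns" || { echo "deployment $dep not found in $ns" >&2; return 1; }
  kubectl scale deployment "$dep" --replicas=0 -n "$ns" >/dev/null || return 1
  elapsed=0
  while [ "$(current_replicas "$dep" "$ns")" != "0" ]; do
    [ "$elapsed" -ge "$timeout" ] && { echo "timed out waiting for $dep to scale down" >&2; return 1; }
    sleep 5
    elapsed=$((elapsed + 5))
  done
  return 0
}

# Delete the PVC only after the deployment that mounts it has been stopped.
cleanup_connector_pvc() {
  dep=$1; pvc=$2; ns=$3
  scale_down_and_wait "$dep" "$ns" || return 1
  pvc_exists "$pvc" "$ns" || { echo "pvc $pvc not found in $ns" >&2; return 1; }
  kubectl delete pvc "$pvc" -n "$ns" >/dev/null || return 1
  echo "deleted pvc $pvc; deployment $dep left at 0 replicas"
}

# Only run when explicitly requested (placeholder variable) so the functions
# can be sourced and reviewed without touching the cluster.
if [ "${OMNI_CLEANUP_RUN:-0}" = "1" ]; then
  cleanup_connector_pvc "$CONNECTOR_DEPLOYMENT" "$CONNECTOR_PVC" "$DEPLOYMENT_ENV_NAME"
fi
```

Run it as `OMNI_CLEANUP_RUN=1 CONNECTOR_DEPLOYMENT=<connector-deployment-name> CONNECTOR_PVC=<connector-pvc-name> sh cleanup-pvc.sh` after exporting DEPLOYMENT_ENV_NAME. The deployment is left at zero replicas on purpose: the Omni configuration that follows is applied through privacera-manager, which brings the connector back up with a fresh volume. Even if a pod were still attached, Kubernetes' storage-object-in-use protection keeps the PVC in Terminating until the pod releases it, so the wait loop is there to make the outcome predictable rather than to prevent data corruption.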
Once these steps are completed, refer to the section below for configuring the Omni feature.

Configuring Omni

Data Plane Version Requirement

The data plane must be version 9.2.0.2 or greater to use OMNI mode. If you need to upgrade your data plane, refer to the Upgrading Privacera Manager guide.

Note for Fresh Install Deployment

Please ensure you have completed the Data Plane Configuration before proceeding with the setup below.

  1. Run the following command to navigate to the privacera-manager directory.

    Bash
    cd ~/privacera/privacera-manager
    

  2. Add the below properties to the file config/custom-vars/vars.privacera-cloud.yml.

    YAML
    # Metadata Sync agent and Tag Enricher URL
    CONNECTOR_OMNI_METADATA_SYNC_HTTP_BASE_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    CONNECTOR_OMNI_METADATA_TAG_ENRICHER_HTTP_BASE_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    PRIVACERA_USERSYNC_LOADER_OMNI_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    

  3. Make sure you have enabled the Ranger Service Definitions for Access Connectors.

    Note

    If you already have the Connector Service enabled, you should skip the above step.

  4. Notify Privacera Support to configure OMNI.

  5. Configure your PolicySync Connector with Omni.

    Note

    Currently Omni is supported only for the Snowflake and Databricks Unity Catalog connectors.

    Please ensure you have completed the base setup configuration for the respective connector (Snowflake or Databricks Unity Catalog) before proceeding with the step below.

    In the setup document referenced above, skip this step for Snowflake and Unity Catalog.

    • Add the below properties to the file config/custom-vars/connectors/<connector-name>/<instance-name>/vars.connector.<TYPE>.yml

      • Replace <connector-name> with your connector name (e.g., snowflake, databricks-unity-catalog).
      • Replace <instance-name> with your instance name (e.g., instance1, instance2).
      • Replace <TYPE> with your connector type (e.g., snowflake, databricks.unity.catalog).

    YAML
    # Uncomment below property to enable RLF Expression Merging for policies
    CONNECTOR_RANGER_MERGE_ROWFILTER_EXPRESSION_ENABLED: "true"
    
    # Uncomment below property to enable evaluating RLF for tag-based policies
    CONNECTOR_RANGER_EVALUATE_TAG_ROWFILTER_EXPRESSION_ENABLED: "true"
    
    # Uncomment below property to enable Omni Metadata Sync
    CONNECTOR_OMNI_METADATA_SYNC_ENABLED: "true"
    
    # Uncomment below property to enable Omni Metadata Tag Enricher
    #CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED: "true"
    
  6. Apply the Configuration to "Data Plane"

    See the Apply the Configuration section below for instructions.

  7. Notify Privacera Support to:

    • Migrate existing Ranger tags and resources to OMNI (if you have existing Ranger tags that need to be used)
    • Update the Service Definitions for the respective PolicySync Connector to use OMNI tags

    Important Migration Requirement

    If you have existing tag-based policies in Ranger, you must complete the migration of tags and resources from Ranger to OMNI before updating the service definition with OMNI MetadataTagEnricher. Failure to do so will result in revoked permissions on resources that rely on tag-based policies.

  8. Update your PolicySync Connector by enabling MetadataTagEnricher

    Uncomment the CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED property in the file config/custom-vars/connectors/<connector-name>/<instance-name>/vars.connector.<TYPE>.yml (see step 5 above) and set it to "true", then apply the configuration to the Data Plane as in step 6.

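A pre-apply check for the two files edited above, the vars.privacera-cloud.yml URL properties and the connector's vars.connector.<TYPE>.yml, added here as an example and not Privacera's own tooling. It reports which Omni properties are active (present, uncommented and set to "true") and returns non-zero when the tag enricher is enabled while metadata sync is not, because the guide turns on metadata sync first and the enricher only after Support has migrated the Ranger tags. It assumes the one-key-per-line `KEY: "value"` format shown in the YAML blocks above; the file paths passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not Privacera tooling): inspect the Omni properties in the
# privacera-manager vars files before running the Apply the Configuration steps.
# Assumes the `KEY: "value"` line format used above; a leading `#` means commented out.

# Print "true" if KEY is present, uncommented and set to "true"; otherwise "false".
property_active() {
  key=$1; file=$2
  if grep -E "^[[:space:]]*${key}:[[:space:]]*\"?true\"?[[:space:]]*$" "$file" >/dev/null 2>&1; then
    echo true
  else
    echo false
  fi
}

# Summarise the Omni-related properties of one connector vars file.
# Returns 1 when the tag enricher is on but metadata sync is not, which is the
# reverse of the documented order (sync first, enricher after tag migration).
omni_connector_state() {
  file=$1
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  sync=$(property_active CONNECTOR_OMNI_METADATA_SYNC_ENABLED "$file")
  enricher=$(property_active CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED "$file")
  merge=$(property_active CONNECTOR_RANGER_MERGE_ROWFILTER_EXPRESSION_ENABLED "$file")
  tagrlf=$(property_active CONNECTOR_RANGER_EVALUATE_TAG_ROWFILTER_EXPRESSION_ENABLED "$file")
  echo "metadata_sync=$sync tag_enricher=$enricher merge_rowfilter=$merge tag_rowfilter=$tagrlf"
  if [ "$enricher" = true ] && [ "$sync" != true ]; then
    echo "WARNING: tag enricher enabled without metadata sync; enable sync and complete tag migration first" >&2
    return 1
  fi
  return 0
}

# Check that the three base-URL properties from vars.privacera-cloud.yml are
# present, uncommented and end in the /omni-metadata path.
omni_urls_configured() {
  file=$1
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  for key in CONNECTOR_OMNI_METADATA_SYNC_HTTP_BASE_URL \
             CONNECTOR_OMNI_METADATA_TAG_ENRICHER_HTTP_BASE_URL \
             PRIVACERA_USERSYNC_LOADER_OMNI_URL; do
    grep -E "^[[:space:]]*${key}:.*/omni-metadata\"?[[:space:]]*$" "$file" >/dev/null 2>&1 \
      || { echo "missing, commented out or not pointing at /omni-metadata: $key" >&2; return 1; }
  done
  return 0
}

# Example invocation with placeholder paths (only runs when OMNI_CHECK_RUN=1).
if [ "${OMNI_CHECK_RUN:-0}" = "1" ]; then
  omni_urls_configured "$HOME/privacera/privacera-manager/config/custom-vars/vars.privacera-cloud.yml"
  omni_connector_state "$HOME/privacera/privacera-manager/config/custom-vars/connectors/snowflake/instance1/vars.connector.snowflake.yml"
fi
```

The check is deliberately strict about the commented form: `#CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED: "true"` reports as inactive, which is the expected state until the tag migration in the Notify Privacera Support step is complete.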
Apply the Configuration

After all the changes are done, start the connector by running the following commands:

Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install