Configuring OMNI for Privacera PolicySync Connectors

This guide provides an overview and step-by-step guidance for configuring OMNI mode in Privacera PolicySync connectors.

Deployment Type

If you already have Privacera deployed with a connector (Unity Catalog and Snowflake), follow Existing Deployment first. If you are doing a fresh installation, go directly to Configuring Omni.

Existing Deployment

Perform the following steps to clean up the connector PVC before configuring the Omni Metadata feature.

This action is required to trigger a Metadata Sync from the connector to the Metadata Service for all previously loaded connector resources.

DEPLOYMENT_ENV_NAME

You can get your deployment name by running the following command:

Bash
    grep DEPLOYMENT_ENV_NAME ~/privacera/privacera-manager/config/vars.privacera.yml

Then set it as an environment variable:

Bash
    export DEPLOYMENT_ENV_NAME=<your-deployment-name>

  1. List all the deployments in the namespace.

    Bash
    kubectl get deployments -n $DEPLOYMENT_ENV_NAME
    

  2. Identify the respective connector deployment and run the following command to scale down the connector deployment to 0.

    Bash
    kubectl scale deployment <connector-deployment-name> --replicas=0 -n $DEPLOYMENT_ENV_NAME
    

  3. List all the PVCs in the namespace.

    Bash
    kubectl get pvc -n $DEPLOYMENT_ENV_NAME
    

  4. Identify the respective connector PVC name. Run the following command to delete the connector PVC.

    Bash
    kubectl delete pvc <connector-pvc-name> -n $DEPLOYMENT_ENV_NAME
    

Once these steps are completed, refer to the section below to configure the Omni feature.

Configuring Omni

Note for Fresh Install Deployment

Please ensure you have completed the Data Plane Configuration before proceeding with the setup below.

  1. Run the following command to navigate to the /config directory.

    Bash
    cd ~/privacera/privacera-manager/config
    

  2. Add the below properties to the file custom-vars/vars.privacera-cloud.yml.

    YAML
    # Metadata Sync agent and Tag Enricher URL
    CONNECTOR_OMNI_METADATA_SYNC_HTTP_BASE_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    CONNECTOR_OMNI_METADATA_TAG_ENRICHER_HTTP_BASE_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    PRIVACERA_USERSYNC_LOADER_OMNI_URL: "{{PRIVACERA_CLOUD_RANGER_ADMIN_URL}}/omni-metadata"
    

  3. Make sure you have enabled the Ranger Service Definitions for Access Connectors.

    Note

    If you already have the Connector Service enabled, you should skip the above step.

  4. Notify Privacera Support to update the Ranger Service Definition for the respective PolicySync Connector and configure the Nebula Space.

  5. Configure your PolicySync Connector with Omni

    Note

    Currently, Omni is supported only for the Snowflake and Databricks Unity Catalog connectors.

    Please ensure you have completed the base setup configuration for the respective connector (Snowflake or Databricks Unity Catalog) before proceeding with the step below.

    In the above Setup document, you should skip this step for Snowflake and Unity Catalog.

    • Add the below properties to the file custom-vars/connectors/<connector-name>/<instance-name>/vars.connector.<TYPE>.yml

      • Replace <connector-name> with your connector name (e.g., snowflake, databricks-unity-catalog).
      • Replace <instance-name> with your instance name (e.g., instance1, instance2).
      • Replace <TYPE> with your connector name (e.g., snowflake, databricks.unity.catalog).
    YAML
    # Uncomment below property to enable RLF Expression Merging for policies
    CONNECTOR_RANGER_MERGE_ROWFILTER_EXPRESSION_ENABLED: "true"
    
    # Uncomment below property to enable evaluating RLF for tag-based policies
    CONNECTOR_RANGER_EVALUATE_TAG_ROWFILTER_EXPRESSION_ENABLED: "true"
    
    # Uncomment below properties to enable Omni Metadata Sync
    CONNECTOR_OMNI_METADATA_SYNC_ENABLED: "true"
    
    # Uncomment below properties to enable Omni Metadata Tag Enricher
    CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED: "true"
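
Because the connector snippet above says "Uncomment", a property left commented out or set to another value is easy to miss before running setup. The following pre-flight check is an added example, not part of Privacera Manager: the function names `check_omni_vars` and `yaml_value` are hypothetical, and it assumes flat `KEY: value` lines and URL values ending in `/omni-metadata`, as shown in this guide.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the Omni properties listed in this guide.
# Usage: check_omni_vars <vars.privacera-cloud.yml> <vars.connector.<TYPE>.yml>
# Assumes flat "KEY: value" YAML lines, as in the snippets above.

# Properties expected in custom-vars/vars.privacera-cloud.yml.
OMNI_URL_KEYS="CONNECTOR_OMNI_METADATA_SYNC_HTTP_BASE_URL
CONNECTOR_OMNI_METADATA_TAG_ENRICHER_HTTP_BASE_URL
PRIVACERA_USERSYNC_LOADER_OMNI_URL"

# Properties expected to be "true" in the connector vars file.
OMNI_FLAG_KEYS="CONNECTOR_RANGER_MERGE_ROWFILTER_EXPRESSION_ENABLED
CONNECTOR_RANGER_EVALUATE_TAG_ROWFILTER_EXPRESSION_ENABLED
CONNECTOR_OMNI_METADATA_SYNC_ENABLED
CONNECTOR_OMNI_METADATA_TAG_ENRICHER_ENABLED"

# Print the value of the last uncommented "KEY: value" line, with inline
# comments, trailing blanks and surrounding quotes removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per problem; return non-zero if any problem was found.
check_omni_vars() {
  cloud_file=$1; connector_file=$2; problems=0
  for key in $OMNI_URL_KEYS; do
    val=$(yaml_value "$cloud_file" "$key")
    case $val in
      */omni-metadata) ;;   # matches the value shown in this guide
      "") echo "MISSING $key in $cloud_file"; problems=$((problems + 1)) ;;
      *)  echo "UNEXPECTED $key=$val"; problems=$((problems + 1)) ;;
    esac
  done
  for key in $OMNI_FLAG_KEYS; do
    val=$(yaml_value "$connector_file" "$key")
    if [ "$val" != "true" ]; then
      echo "NOT ENABLED $key (found: ${val:-nothing}) in $connector_file"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}
```

Run it from `~/privacera/privacera-manager/config` against the two files edited in steps 2 and 5 before applying the configuration.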
    

Apply the Configuration

After all the changes are done, you can start the connector by following these instructions:

Step 1 - Setup, which generates the helm charts. This step usually takes a few minutes.

Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager helm charts.

Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade

Step 3 - Post-installation step, which generates the Plugin tarball, updates Route 53 DNS, and so on.

Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install