Privacera Documentation

Connect Presto to PrivaceraCloud

This topic describes how to connect the Presto application to PrivaceraCloud and how PrivaceraCloud integrates with your Qubole Presto cluster using a plug-in.

Connect Presto application to PrivaceraCloud

  1. Go to Settings > Applications.

  2. On the Applications screen, select Presto.

  3. Enter the application Name and Description, and then click Save.

    Privacera Access Management and Privacera Discovery appear, each with a toggle button.

    Note

    If you don't see Data Discovery in your application, enable it in Settings > Account > Discovery. For more information, see About the Account page on PrivaceraCloud.

Enable Access Management for Presto

You only need to enable Privacera Access Management to start controlling access on Presto.

  1. Click the toggle button to enable Privacera Access Management for your application.

    You will see this message: Save the setting to start controlling access on Presto.

  2. Click Save.

Enable Data Discovery for Presto

Click the toggle button to enable Data Discovery for your application.

  1. On the BASIC tab, enter values in the following fields.

    • JDBC URL

    • JDBC Username 

    • JDBC Password

  2. On the ADVANCED tab, you can add custom properties.

  3. Using the IMPORT PROPERTIES button, you can browse and import application properties.

  4. Click the TEST CONNECTION button to check if the connection is successful, and then click Save.

    To add resources using this connection as Privacera Discovery targets, see Privacera Discovery scan targets.

Connect Presto on Qubole cluster to PrivaceraCloud

PrivaceraCloud uses a plug-in to integrate with your Qubole Presto cluster.

Connecting your Qubole Presto cluster to PrivaceraCloud consists of the following steps:

  • Create a service user on PrivaceraCloud for data user access control call-in from Presto to PrivaceraCloud.

  • Create new, or identify and use existing, unique call-in authentication (access control) and audit URLs from your Qubole Presto cluster to PrivaceraCloud.

  • Configure your Qubole Presto cluster to first load the necessary Privacera-hosted Apache Ranger plug-in components (on boot), and then execute the call-in for access control and audit.

PrivaceraCloud Steps

  1. Create a new data access service user for interaction with Qubole.

    1. Open Users, groups, and roles and click + Add.

    2. Create a new service data access user. Assign it to an Admin role. Record the User Name and Password.

    These are referred to as ADMIN_ROLE_USER and ADMIN_ROLE_PASSWORD in the following steps and will be substituted in configuration properties.

  2. Obtain the Ranger URLs associated with an API key, used for the callback from the Qubole cluster to Privacera.

    1. Open Settings > API Key.

    2. You can use an existing Active API Key or create a new one. Expiry = Never Expires is recommended. To generate a new API key, see API Key on PrivaceraCloud.

    3. Click the i icon to see the API Key Info.

    4. Copy and store the values for each of the Ranger Admin URL and Ranger Audit URL. These will be referenced as RANGER_ADMIN_URL and RANGER_AUDIT_URL in the following steps.

Presto Qubole console steps

  1. Open or create a new Presto cluster.

  2. Proceed to Advanced Configuration.

  3. In the PRESTO SETTINGS > Override Presto Configuration text box, add the following information. Substitute values obtained above for ADMIN_ROLE_USER, ADMIN_ROLE_PASSWORD, RANGER_ADMIN_URL, and RANGER_AUDIT_URL.

    bootstrap.properties:
     mkdir -p /media/ephemeral0/rangerssl/
     hadoop credential create sslTrustStore -value changeit -provider localjceks://file/media/ephemeral0/rangerssl/ranger.jceks
     chmod a+r /media/ephemeral0/rangerssl/ranger.jceks
     wget https://privacera-public1.s3.amazonaws.com/0001-httpcore-4.4.14.jar -P /usr/lib/presto/plugin/ranger
    
    access-control.properties:
     access-control.name=ranger-access-control
     ranger.username=<ADMIN_ROLE_USER>
     ranger.password=<ADMIN_ROLE_PASSWORD>
     ranger.hive.security-config-xml=/usr/lib/presto/etc/ranger-hive-security.xml
     ranger.hive.audit-config-xml=/usr/lib/presto/etc/ranger-hive-audit.xml
    
    ranger-hive-security.xml:
     <configuration>
     <property>
          <name>ranger.plugin.hive.service.name</name>
          <value>privacera_hive</value>
     </property>
     <property>
          <name>ranger.plugin.hive.policy.pollIntervalMs</name>
          <value>5000</value>
     </property>
     <property>
          <name>ranger.service.store.rest.url</name>
          <value>
               <RANGER_ADMIN_URL>
          </value>
     </property>
     <property>
          <name>ranger.plugin.hive.policy.rest.url</name>
          <value>
               <RANGER_ADMIN_URL>
          </value>
     </property>
     <property>
          <name>ranger.service.store.rest.ssl.config.file</name>
          <value>/usr/lib/presto/etc/ranger-ssl.xml</value>
     </property>
     <property>
          <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
          <value>/usr/lib/presto/etc/ranger-ssl.xml</value>
     </property>
     </configuration>
    
    ranger-ssl.xml:
     <configuration>
     <property>
          <name>xasecure.policymgr.clientssl.truststore</name>
          <value>/etc/pki/ca-trust/extracted/java/cacerts</value>
     </property>
     <property>
          <name>xasecure.policymgr.clientssl.truststore.password</name>
          <value>crypted</value>
     </property>
     <property>
          <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
          <value>jceks://file/media/ephemeral0/rangerssl/ranger.jceks</value>
     </property>
     </configuration>
    
    ranger-hive-audit.xml:
     <configuration>
     <property>
          <name>xasecure.audit.is.enabled</name>
          <value>true</value>
     </property>
     <property>
          <name>xasecure.audit.solr.is.enabled</name>
          <value>true</value>
     </property>
     <property>
          <name>xasecure.audit.solr.async.max.queue.size</name>
          <value>1</value>
     </property>
     <property>
          <name>xasecure.audit.solr.async.max.flush.interval.ms</name>
          <value>1000</value>
     </property>
     <property>
          <name>xasecure.audit.solr.solr_url</name>
          <value>
               <RANGER_AUDIT_URL>
          </value>
     </property>
     </configuration>

  4. Click Update or Update and Push.

  5. Click Start or Stop and start the cluster.
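
A pre-flight check for the text pasted into Override Presto Configuration, added here as an example (it is not Privacera or Qubole code): it reports placeholders that were never substituted, XML sections that do not parse, and Ranger URLs that are not https. The function names, the sample text and the https requirement are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

SECTION = re.compile(r"^\s*([\w.-]+\.(?:properties|xml)):\s*$")  # "file.ext:" header
PLACEHOLDER = re.compile(r"<[A-Z][A-Z_]*>")  # e.g. <RANGER_ADMIN_URL>
URL_KEYS = re.compile(r"(\.rest\.url|\.solr_url)$")  # properties holding Ranger URLs

def split_sections(text):
    """Split the override text into {file name: body} on 'file.ext:' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return {name: "\n".join(body) for name, body in sections.items()}

def lint_override(text):
    """Return findings; an empty list means every check passed."""
    findings = []
    for name, body in split_sections(text).items():
        for ph in sorted(set(PLACEHOLDER.findall(body))):
            findings.append(f"{name}: placeholder {ph} not substituted")
        if not name.endswith(".xml"):
            continue
        try:  # drop leftover placeholders so the remaining XML still parses
            root = ET.fromstring(PLACEHOLDER.sub("", body))
        except ET.ParseError as exc:
            findings.append(f"{name}: XML not well-formed ({exc})")
            continue
        for prop in root.iter("property"):
            key = (prop.findtext("name") or "").strip()
            value = (prop.findtext("value") or "").strip()
            if URL_KEYS.search(key) and value and not value.startswith("https://"):
                findings.append(f"{name}: {key} is not an https URL")
    return findings

# Constructed sample: password placeholder left in, audit URL on plain http.
SAMPLE = """\
access-control.properties:
 ranger.password=<ADMIN_ROLE_PASSWORD>
ranger-hive-audit.xml:
 <configuration><property>
      <name>xasecure.audit.solr.solr_url</name>
      <value>http://ranger.example.invalid/audit</value>
 </property></configuration>
"""
print("\n".join(lint_override(SAMPLE)))
```

Run it against the full override text before clicking Update; an empty result means no placeholder, parse or scheme problem was found.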