Skip to main content

Privacera Documentation

Connect Starburst Enterprise Presto to PrivaceraCloud

Starburst Enterprise platform (SEP) is a commercial distribution of PrestoSQL. It includes additional security features, more connectors, and a cost-based query optimizer not available in the open source version.

As with open source PrestoSQL, SEP is designed to support an external Apache Ranger. There are two ways to configure this:

  • System-level: Configure SEP so that resource policies defined in PrivaceraCloud under the privacera_starburstenterprisepresto resource service control access to Starburst resources.

  • System-Plus-Hive: Configure SEP so that resource policies defined in PrivaceraCloud under both the privacera_starburstenterprisepresto and privacera_hive resource services control access to Starburst resources;

Create a SEP service user

Create a service-user identity that will be used authenticate to your PrivaceraCloud account from the SEP:

  1. Go to Access Manager > Users/Groups/Roles and create a user.

  2. Record the user name. This will be referred to as ${RANGER_API_USERNAME} in the SEP configuration steps.

  3. Set the Role to Admin and record the password. This will be referred to as ${RANGER_API_PSWD} in the SEP configuration steps.

Get the account specific API URL

  1. Go to Settings > API Key and click GENERATE API KEY.

  2. In the Generate Api Key dialog, set the purpose to REST API Access or similar, and then click the Never Expires check box.

  3. Click the GENERATE API KEY* button.

  4. Click the Copy Url button, and then click Close. Paste and store the URL value. This will be referred to as variable "${RANGER_URL} in the steps that follow.

    The API Key page will display the added Api Key.

The Ranger Admin URL (${RANGER_URL}) will look similar to:

https://api.privaceracloud.com/api/13afxxxxxx6b981fxxxxxx2dc7cdd7xxxxxxa921636xxxxxx2d189d425b5f01

A full URL Ranger API service URI is:

<RangerAdminURL>/service/<Ranger API Resource Path>.

Connect Starburst Enterprise Presto application to PrivaceraCloud

Use the following steps to connect Starburst Enterprise Presto application to the PrivaceraCloud for Privacera Access Management.

  1. Go to Settings > Applications.

  2. On the Applications screen, select StarburstStarburst Presto.

  3. Enter the application Name and Description, and then click Save.

  4. Click the toggle button to enable the Privacera Access Management for Starburst Enterprise Presto.

    The following message displays: Save the setting to start controlling access on Starburst Enterprise Presto.

  5. Click Save.

    The starburst-enterprise-presto service will be available in Access Manager > Resource Policies.

Configure Starburst Enterprise (SEP) to use your Account PrivaceraCloud Ranger

  1. SSH to the Hadoop cluster.

  2. Use the following sequence of commands, and using wget, download and extract starburst presto v350 jar.

    mkdir downloads
    cd downloads
    wget https://s3.us-east-2.amazonaws.com/software.starburstdata.net/350e/350-e.3/starburst-presto-server-350-e.3.tar.gz -O presto-server.tar.gz presto-server.tar.gz 
    tar zxvf presto-server.tar.gz
    mv presto-server-350-e.3 presto-server
    cd presto-server
  3. Create a folder etc in which you need to create files and edit them to add the necessary properties.

    mkdir etc
    cd etc/
  4. Create an SSL truststore to communicate with Apache Ranger. The chmod command is used to change permission of the ranger.jceks file.

    hadoop credential create sslTrustStore -value changeit -provider localjceks://file/home/hadoop/downloads/presto-server/etc/ranger.jceks
    chmod a+r /home/hadoop/downloads/presto-server/etc/ranger.jceks
    
  5. Create a catalog directory in which you need to create a hive.properties, so that you can use hive as a catalog for query.

    mkdir catalog
  6. Change the default java interpreter on your cluster. By default it will be set to java 8, change it to java 11.

    sudo update-alternatives --config java   ---- Select one with Java 11

Now, in the folder etc, you can start configuring properties.

All the following files must be configured:

File

Standard location

Use

hive.properties

etc/catalog

Global Hive properties

config.properties

etc

Points to plugin configuration files

access-control-privacera.properties

etc

Values for Privacera access control

ranger-policymgr-ssl.xml

etc

Values for Ranger Policy Manager

ranger-hive-audit.xml

etc

Values for Ranger Hive and Audit

access-control-priv-hive.properties

etc

Values for Hive Policies (used only for "System-Plus-Hive" configuration)

  1. Use the following command to create hive.properties file in the ${PRESTO_CONFIG_PATH}/etc/catalog/ folder:

    vi hive.properties
    • Add the following content and save this file.

      hive.metastore=glue
      hive.security=allow-all
  2. Use the following command to create access-control-privacera.properties in the ${PRESTO_CONFIG_PATH}/etc/ folder:

    vi access-control-privacera.properties
    1. Add the following content, substituting the values for ${RANGER_URL}, ${RANGER_API_USERNAME}, and ${RANGER_API_PSWD}, as they are referenced in the text below. Substitute values for ${PRESTO_CONFIG_PATH} and ${PRESTO_TEMP_DIRECTORY} should correct for your environment.

      access-control.name=privacera-starburst
      ranger.policy-rest-url=https://${RANGER_URL}
      ranger.service-name=privacera_starburstenterprisepresto
      ranger.presto-plugin-username=${Ranger API username}
      ranger.presto-plugin-password=${Ranger API user password}
      ranger.policy-refresh-interval=3s
      # Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
      ranger.config-resources=${PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml
      # Example: ranger.policy-cache-dir=/tmp/ranger
      ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY}
      ranger.plugin-policy-ssl-config-file=${PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml
    2. Save this file.

  3. Use the following command to create ranger-policymgr-ssl.xml file in the ${PRESTO_CONFIG_PATH}/etc/ folder.

    vi ranger-policymgr-ssl.xml
    • Add the following XML tags:

      ```xml
      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <property>
              <name>xasecure.policymgr.clientssl.truststore</name>
              <value>${JAVA_PATH}/lib/security/cacerts</value>
          </property>
          <property>
              <name>xasecure.policymgr.clientssl.truststore.password</name>
              <value>crypted</value>
          </property>
          <property>
              <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
              <value>jceks://file/home/hadoop/downloads/presto-server/etc/ranger.jceks</value>
          </property>
      </configuration>
      ```
  4. Use the following command to create ranger-hive-audit.xml file in the ${PRESTO_CONFIG_PATH}/etc/ folder.

    vi ranger-hive-audit.xml
    • Add the following XML tags and substitute ${RANGER_URL} where used.

      ```xml
      <?xml version="1.0" encoding="UTF-8"?>
          <configuration>
              <property>
                  <name>ranger.plugin.hive.service.name</name>
                  <value>privacera_hive</value>
              </property>
              <property>
                  <name>ranger.plugin.hive.policy.pollIntervalMs</name>
                  <value>5000</value>
              </property>
              <property>
                  <name>ranger.service.store.rest.url</name>
                  <value>
                      https://${RANGER_URL}
                  </value>
              </property>
              <property>
                  <name>ranger.plugin.hive.policy.rest.url</name>
                  <value>
                      https://${RANGER_URL}
                  </value>
              </property>
              <property>
                  <name>ranger.plugin.hive.policy.source.impl</name>
                  <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
                  <description>
                      Class to retrieve policies from the source
                  </description>
              </property>
              <property>
                  <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
                  <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value>
                  <description>
                      Path to the file containing SSL details to contact Ranger Admin
                  </description>
              </property>
              <property>
                  <name>ranger.service.store.rest.ssl.config.file</name>
                  <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value>
              </property>
              <property>
                  <name>ranger.plugin.hive.policy.cache.dir</name>
                  <value>/tmp/ranger</value>
                  <description>
                      Directory where Ranger policies are cached after successful retrieval from the source
                  </description>
              </property>
              <property>
                  <name>ranger.plugin.starburst-enterprise-presto.policy.cache.dir</name>
                  <value>/tmp/ranger</value>
                  <description>
                      Directory where Ranger policies are cached after successful retrieval from the source
                  </description>
              </property>
              <property>
                  <name>xasecure.audit.destination.solr</name>
                  <value>true</value>
              </property>
              <property>
                  <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
                  <value>presto temp file location</value>
              </property>
              <property>
                  <name>xasecure.audit.destination.solr.urls</name>
                  <value>
                      https://${RANGER_AUDIT_URL}
                  </value>
              </property>
              <property>
                  <name>xasecure.audit.is.enabled</name>
                  <value>true</value>
              </property>
              <property>
                  <name>xasecure.audit.solr.is.enabled</name>
                  <value>true</value>
              </property>
              <property>
                  <name>xasecure.audit.solr.async.max.queue.size</name>
                  <value>1</value>
              </property>
              <property>
                  <name>xasecure.audit.solr.async.max.flush.interval.ms</name>
                  <value>1000</value>
              </property>
          </configuration>
          ```
  5. Use the following command to create access-control-priv-hive.properties in the ${PRESTO_CONFIG_PATH}/etc/ folder:

    vi access-control-priv-hive.properties
    • Add the following content, substituting the values for ${RANGER_URL}, ${RANGER_API_USERNAME}, and ${RANGER_API_PSWD}, as they are referenced in the text below.

      access-control.name=privacera
      ranger.policy-rest-url=https://${RANGER_URL}
      ranger.service-name=privacera_hive
      privacera.catalogs=hive
      ranger.presto-plugin-username=${RANGER_API_USERNAME}
      ranger.presto-plugin-password=${RANGER_API_PSWD}
      ranger.policy-refresh-interval=3s
      # Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
      ranger.config-resources={PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml
      # Example: ranger.policy-cache-dir=/tmp/ranger
      ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY}
      # Fallback allow-all allows privacera_starburst catalog-level permissions as fallback
      privacera.fallback-access-control=allow-all
      ranger.plugin-policy-ssl-config-file={PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml
      ranger.enable-row-filtering=true

      Note

      If configuring for System-Level only, do not create this file, because you have already done the "System-Level" configuration in access-control-privacera.properties file.

  6. Use the following command to create config.properties file in the ${PRESTO_CONFIG_PATH}/etc/ folder.

    • If configuring for System-Level, add the following to this file:

      access-control.config-files=etc/access-control-privacera.properties
    • If configuring for System-Plus-Hive, add the following to this file (note that this is a single line):

      access-control.config-files=etc/access-control-privacera.properties,etc access-control-priv-hive.properties
  7. Restart Starburst.