Skip to content

Enable or disable Ranger policy delta in Ranger Admin

Overview

Ranger Policy Delta is a feature in Apache Ranger that enhances policy loading efficiency by fetching only the incremental changes (deltas) from the database instead of reloading the entire policy set. This optimization improves performance, reduces network load, and accelerates policy synchronization across Ranger plugins. By enabling policy delta, Ranger Admin ensures streamlined policy updates, minimizing resource consumption while keeping access controls up to date. To maintain consistency between the in-memory policy cache and the database, the policy cache is refreshed at regular intervals when policy delta is enabled. This behavior is controlled by the RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES configuration property. By default, the interval is set to 60 minutes, but it can be customized based on system requirements.

Configure Ranger Policy Delta

The Ranger Policy Delta feature is disabled by default. To enable it, set the ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS property to true in the vars.ranger.admin.yml file.

Follow these steps to configure the Policy delta feature for Ranger Admin service:

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the privacera-manager directory using the following command:
    Bash
    1
    cd ~/privacera/privacera-manager/
  3. Run the following command to copy the sample vars. The -n flag ensures that the file is not overwritten if it already exists:
    Bash
    1
    cp -n config/sample-vars/vars.ranger.admin.yml config/custom-vars/

  4. Run the following command to open the .yml file for editing.

    Bash
    1
    vi config/custom-vars/vars.ranger.admin.yml

    1. Add or update the following property:
    Variable Definition Default
    ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS The value 'true' enables policy delta feature. false
    RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES (Optional) Configures the interval (in minutes) for refreshing the internal policy cache. Only needed if you want to change the default 60-minute interval. 60
    YAML
    1
2
3
    ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS: "true"
# Optional: Only add this if you want to change the default 60-minute refresh interval
# RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES: "60"

  5. Once the property is configured, update your Privacera Manager platform instance by following the

    Bash
    1
2
3
    cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

Comments