
Enable or disable Ranger policy delta in Ranger Admin

Overview

Ranger Policy Delta is a feature in Apache Ranger that enhances policy loading efficiency by fetching only the incremental changes (deltas) from the database instead of reloading the entire policy set. This optimization improves performance, reduces network load, and accelerates policy synchronization across Ranger plugins. By enabling policy delta, Ranger Admin ensures streamlined policy updates, minimizing resource consumption while keeping access controls up to date.

To maintain consistency between the in-memory policy cache and the database, the policy cache is refreshed at regular intervals when policy delta is enabled. This behavior is controlled by the RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES configuration property. By default, the interval is set to 60 minutes, but it can be customized based on system requirements.

Additionally, to prevent unbounded growth of the policy change log table, periodic cleanup is performed when the policy delta feature is enabled. This behavior can be disabled by setting RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE to false if cleanup is not needed. The cleanup interval, specified in hours, is controlled by the RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS property. The RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS property specifies the minimum number of days to retain the policy change log entries, with a default value of 7 days.

Configure Ranger Policy Delta

The Ranger Policy Delta feature is disabled by default. To enable it, set the ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS property to true in the vars.ranger.admin.yml file.

Follow these steps to configure the policy delta feature for the Ranger Admin service:

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the privacera-manager directory using the following command:
    Bash
    cd ~/privacera/privacera-manager/
    
  3. Run the following command to copy the sample vars. The -n flag ensures that the file is not overwritten if it already exists:
    Bash
    cp -n config/sample-vars/vars.ranger.admin.yml config/custom-vars/
    
  4. Run the following command to open the .yml file for editing.

    Bash
    vi config/custom-vars/vars.ranger.admin.yml
    

    1. Add or update the following properties:
    | Variable | Definition | Default |
    |---|---|---|
    | ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS | The value 'true' enables policy delta feature. | false |
    | RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES | (Optional) Configures the interval (in minutes) for refreshing the internal policy cache. Only needed if you want to change the default 60-minute interval. | 60 |
    | RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE | (Optional) Enables the purging of the policy change log table. | true |
    | RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS | (Optional) Specifies the interval (in hours) at which the policy change log table is cleaned up when policy delta purge is enabled. | 24 |
    | RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS | (Optional) Specifies the minimum number of days to retain the policy change log entries. | 7 |

    YAML
    ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS: "true"
    # Optional: uncomment a line below only to change its default
    # (60-minute cache refresh interval, 24-hour purge interval)
    # RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES: "60"
    # RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS: "24"
    
  5. Once the property is configured, update your Privacera Manager platform instance by following the

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade 
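
A pre-flight check for the edited file, run before the setup commands in step 5, can catch a mistyped value or a tunable that will have no effect. This is an added example, not Privacera code: the `pd_*` function names are hypothetical, the file is assumed to hold flat `KEY: "value"` lines as in the YAML snippet above, and the accepted value formats (true/false, positive integers) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Privacera code. Defaults come from the table above; the
# accepted formats (true/false, positive integers) are assumptions.
PD_BOOLS="ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS:false RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE:true"
PD_INTS="RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES:60 RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS:24 RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS:7"

# pd_get KEY FILE: explicit value of KEY (last uncommented "KEY: value" line,
# trailing comment and quotes stripped); prints nothing when KEY is not set.
pd_get() {
  sed -n "s/^[[:space:]]*${1}[[:space:]]*:[[:space:]]*//p" "$2" | tail -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e "s/^[\"']\\(.*\\)[\"']\$/\\1/"
}

# pd_effective KEY DEFAULT FILE: explicit value, or DEFAULT when not set.
pd_effective() {
  local v; v=$(pd_get "$1" "$3"); echo "${v:-$2}"
}

# pd_check FILE: print ERROR/WARN lines; return 1 if any value is invalid.
pd_check() {
  local file="$1" rc=0 kv key val
  for kv in $PD_BOOLS; do
    key=${kv%%:*}; val=$(pd_effective "$key" "${kv#*:}" "$file")
    case "$val" in true|false) ;; *) echo "ERROR $key='$val' (want true or false)"; rc=1 ;; esac
  done
  for kv in $PD_INTS; do
    key=${kv%%:*}; val=$(pd_effective "$key" "${kv#*:}" "$file")
    case "$val" in *[!0-9]*|0) echo "ERROR $key='$val' (want a positive integer)"; rc=1 ;; esac
  done
  # Cache refresh and purge only run while policy delta is enabled, so flag
  # tunables that are set in a file that leaves the feature off.
  if [ "$(pd_effective ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS false "$file")" != true ]; then
    for kv in ${PD_BOOLS#* } $PD_INTS; do
      key=${kv%%:*}
      [ -z "$(pd_get "$key" "$file")" ] || echo "WARN $key is set but policy delta is disabled"
    done
  fi
  return $rc
}

# Constructed sample file: feature on, refresh left at default, bad purge interval.
pd_demo() {
  local f; f=$(mktemp)
  printf '%s\n' 'ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS: "true"' \
    '# RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES: "60"' \
    'RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS: "0"' > "$f"
  pd_check "$f"; local rc=$?; rm -f "$f"; return $rc
}
pd_demo || echo "fix the values above before running ./privacera-manager.sh setup"
```

Against the real file, the call would be `pd_check config/custom-vars/vars.ranger.admin.yml` from the privacera-manager directory.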
    
