Enable or disable Ranger policy delta in Ranger Admin
Overview
Ranger Policy Delta is a feature in Apache Ranger that enhances policy loading efficiency by fetching only the incremental changes (deltas) from the database instead of reloading the entire policy set. This optimization improves performance, reduces network load, and accelerates policy synchronization across Ranger plugins. By enabling policy delta, Ranger Admin ensures streamlined policy updates, minimizing resource consumption while keeping access controls up to date.

To maintain consistency between the in-memory policy cache and the database, the policy cache is refreshed at regular intervals when policy delta is enabled. This behavior is controlled by the RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES configuration property. By default, the interval is set to 60 minutes, but it can be customized based on system requirements.
Additionally, to prevent unbounded growth of the policy change log table, periodic cleanup is performed when the policy delta feature is enabled. This behavior can be disabled by setting RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE to false if cleanup is not needed. The cleanup interval, specified in hours, is controlled by the RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS property. The RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS property specifies the minimum number of days to retain the policy change log entries, with a default value of 7 days.
Configure Ranger Policy Delta
The Ranger Policy Delta feature is disabled by default. To enable it, set the ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS property to true in the vars.ranger.admin.yml file.
Follow these steps to configure the Policy delta feature for Ranger Admin service:
- SSH into the instance where Privacera Manager is installed.
- Navigate to the privacera-manager directory using the following command:
- Run the following command to copy the sample vars. The -n flag ensures that the file is not overwritten if it already exists:
- Run the following command to open the .yml file for editing.
- Add or update the following properties:

  | Variable | Definition | Default |
  |---|---|---|
  | ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS | The value 'true' enables policy delta feature. | false |
  | RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES | (Optional) Configures the interval (in minutes) for refreshing the internal policy cache. Only needed if you want to change the default 60-minute interval. | 60 |
  | RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE | (Optional) Enables the purging of the policy change log table. | true |
  | RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS | (Optional) Specifies the interval (in hours) at which the policy change log table is cleaned up when policy delta purge is enabled. | 24 |
  | RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS | (Optional) Specifies the minimum number of days to retain the policy change log entries | 7 |

- Once the property is configured, update your Privacera Manager platform instance by following the
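
A pre-deployment check for the properties in the table above, as an added example that is not part of the original page or Privacera's own tooling. It assumes the vars file holds flat KEY: value lines; parse_vars, check and SAMPLE are hypothetical names, and the warning about tuning properties relies on the page's statement that cache refresh and cleanup run when policy delta is enabled.

```python
import re

# Defaults as listed in the properties table on this page.
DEFAULTS = {
    "ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS": "false",
    "RANGER_ADMIN_POLICY_CACHE_REFRESH_INTERVAL_MINUTES": "60",
    "RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE": "true",
    "RANGER_ADMIN_POLICY_DELTA_PURGE_INTERVAL_HOURS": "24",
    "RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS": "7",
}
ENABLE = "ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS"
PURGE = "RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE"

def parse_vars(text):
    """Read flat 'KEY: value' lines (assumed file layout); skip comments and unrelated keys."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*(?:#.*)?$", line)
        if m and m.group(1) in DEFAULTS:
            found[m.group(1)] = m.group(2).strip("\"'")
    return found

def check(text):
    """Return (effective settings with defaults applied, list of findings)."""
    explicit = parse_vars(text)
    cfg = {**DEFAULTS, **explicit}
    findings = []
    for key, val in cfg.items():
        if key in (ENABLE, PURGE):
            if val.lower() not in ("true", "false"):
                findings.append(f"{key}: expected true or false, got {val!r}")
        elif not val.isdigit():
            findings.append(f"{key}: expected a whole number, got {val!r}")
    deltas_on = cfg[ENABLE].lower() == "true"
    if deltas_on and cfg[PURGE].lower() == "false":
        findings.append("policy delta is on but purge is off: the policy change log table can grow without bound")
    if not deltas_on and set(explicit) - {ENABLE}:
        findings.append("delta tuning properties are set but policy delta is disabled")
    return cfg, findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
ENABLE_RANGER_ADMIN_SUPPORTS_POLICY_DELTAS: "true"
RANGER_ADMIN_POLICY_DELTA_PURGE_ENABLE: "false"   # cleanup switched off
RANGER_ADMIN_POLICY_DELTA_RETENTION_DAYS: "7d"
"""

if __name__ == "__main__":
    for finding in check(SAMPLE)[1]:
        print("WARN", finding)
```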