Overview¶

Note

You should follow the instructions on this page if you are installing PrivaceraCloud Data-plane. You should have successfully done the Self Managed before proceeding with the instructions on this page.

As part of setting up PrivaceraCloud Data-plane, after you have done the Self Managed, continue with the instructions on this page. At a high level this involves configuring the PrivaceraCloud Portal and the Privacera Manager as follows,

Configuration on PrivaceraCloud Portal and download an artifact.
Configuration in Privacera Manager using the artifact downloaded from the PrivaceraCloud Portal.
Run Privacera Manager to generate an artifact and upload it to the PrivaceraCloud Portal.

Prerequisites¶

You need the following information to configure PrivaceraCloud Data-plane:

Administration access to the PrivaceraCloud Portal.
Access to the Privacera Manager installation host.
Ensure that you have worked with your Privacera sales representative to enable the Data Plane feature in your PrivaceraCloud account.

Configuration on PrivaceraCloud Portal¶

Here are the different configurations you need to do on the PrivaceraCloud Portal, click on the links to get more details on each configuration step.

#	Required for	Configuration Step	Description
1	Access, Discovery	Create Access service user, Ranger Admin URL and API key	Create a an Access service user in your PrivaceraCloud account which will be used by the Privacera Access connectors in the Data-plane to connect to your PrivaceraCloud account. Note these as RANGER_ADMIN_URL, RANGER_SERVICE_USERNAME, RANGER_SERVICE_PASSWORD and API_KEY which will be used in Privacera Manager configuration.
2	Access	Enable the Ranger Service Definitions for Access Connectors	If you know which Privacera Access connectors you are going to use, then do this step or wait till Connector on-boarding.
3	Encryption	Enable Privacera Encryption module	Required for Privacera Encryption else skip. Download the `vars.data-plane.config.yml` from PrivaceraCloud portal which is used in Privacera Manager configuration.
4	Discovery	Create Ranger Service user for Discovery Compliance policies	Required for Privacera Discovery Compliance policies, else skip. Also, requires Privacera Encryption to be enabled. Note the credentials which will be used in Privacera Manager configuration.

Create Ranger service user, Admin URL and API key¶

Create Ranger service user, Admin URL and API key

Perform following steps in the PrivaceraCloud control plane portal:

Log in to PrivaceraCloud Portal.
Perform following steps to create Ranger Admin Username and Password:
1. Navigate to Access Management > Users/Groups/Roles.
2. Click ADD to create a new user.
3. Under Add User , provide values in the following fields:
  - User Name : Provide value for the user name. Privacera suggests to use ranger_dataplane_user as a user name value.
  - First Name : Provide value for the first name. Privacera suggests to use ranger_dataplane_user as a first name value.
  - Role : Select Admin from the drop-down list.
  - New Password : Provide a strong password
  - Confirm Password : Provide the same value as provided in the preceding step.
  Note
  
  Make a note of values provided in the User Name and New Password fields. These values are needed as a RANGER_SERVICE_USERNAME and RANGER_SERVICE_PASSWORD in the Privacera Manager configuration.
4. Click SAVE.
Generate API Key and Note down the Ranger Admin URL:
1. Navigate to Settings > API Keys.
2. Click GENERATE API KEY to create a new API key.
3. Enter the purpose, and choose whether the key should never expire or set a specific expiry date and time.
4. Click GENERATE API KEY.
5. Once generated, copy the API key.
6. Hover over the ⓘ icon next to the key and select API Key Info.
7. This will display detailed information about the API key.
8. Click COPY URL to copy the Ranger Admin URL.
9. Close the dialog to complete the process.
Info

Make a note of the RANGER_ADMIN_URL example: https://pcloud-XXXX-apiserver.nextgen.privacera.us/api/3dXXXXXXXXXX498cd5433795c9c5c0dd16. In this RANGER_ADMIN_URL:
- https://pcloud-XXXX-apiserver.nextgen.privacera.us consider as a BASE_URL
- 3dXXXXXXXXXX498cd5433795c9c5c0dd16 consider as a API_KEY value. Make a note of the RANGER_ADMIN_URL and API_KEY values.
These values are needed in the Privacera Manager configuration.

Enable the Ranger Service Definitions for Access Connectors¶

Enable the Ranger Service Definitions for Access Connectors

Activate the Access data-source applications by enabling and disabling them for the first time as follows:

This step is needed to activate the third-party application such as, Vertica, Databricks in PrivaceraCloud portal.

You can skip this step if the third-party application is already activated in the PrivaceraCloud portal. Go to Settings > Application. If the third- party application is visible in the Connected Applications list that means the application is already activated.

Go to Settings > Applications.
1. In the Applications section, select the application you wish to connect. If you don’t see the application you wish to connect, contact Privacera Support. For example, If you are planning to use Vertica application, then select Vertica.
2. Enter the application name and description in the Name and Description fields respectively.
3. Click the toggle button to enable Access Management for the application.
4. Since the application will be disabled in the subsequent steps, therefore temporarily input dummy placeholder values into the mandatory fields and then click SAVE to activate the application.
5. Select the same application that you enabled in the preceding step. Click the edit icon.
6. Click the toggle button to disable Access Management for the application.
Note

Do not disable application if it is one of the following applications for which access is managed by DataServer: Databricks (OLAC), EMR (OLAC), S3, Athena, DynamoDB, Glue, Kinesis, Lambda or Textract
1. Click SAVE to disable the application.
Click Access Management > Resource Policies.
1. Click the edit icon of newly added Application.
2. Click the Active Status to enable Access Management for the application.
3. Click SAVE.

Enable Privacera Encryption module¶

Enable Privacera Encryption module

Go to Settings > Account > Encryption Settings. Click ENABLE.
Under BASIC tab, enter the value for the Secret field. Click SAVE.

Note

Make a note of the Secret value, as it will be necessary to use the same value when enabling PEG in the data plane for the SCHEME_SERVER_SHARED_SECRET property.
Download Distributed Data Plane configuration from PrivaceraCloud:
1. Go to Settings > Account.
2. Under Distributed Data Plane , click DOWNLOAD.
  
  Note
  
  If you do not see the Distributed Data Plane option under Account , contact [Privacera Support]((../../../../resources/support/support_how_to.md) to enable Distributed Data Plane.
3. Download the vars.data-plane.config.yml from PrivaceraCloud portal which is used in Privacera Manager configuration.
Create System Generated Schemes:

Note

This step is optional and required only if the user wants to configure Encryption on Discovery Compliance policies.
1. Go to Encryption & Masking > ENCRYPTION.
2. Click GENERATE SYSTEM SCHEME.
3. Confirm generation by clicking Yes in the Confirm Create pop up.
You can see the System schemes generated on the user interface.

Create Ranger Service user for Discovery Compliance policies¶

Create Ranger Service user for Discovery Compliance policies

Note

This step is optional and required only if the user wants to configure Encryption on Discovery Compliance policies.

Go to Access Management > User/Groups/Roles.
Click Add.
Under Add User , provide values in the following fields:
1. User Name : Provide value for the user name. Privacera suggests to use privacera_service_discovery as a user name value.
2. First Name : Provide value for the first name. Privacera suggests to use privacera_service_discovery as a first name value.
3. Role : Select USER from the drop-down list.
4. New Password : Provide value for the password.
  
  Note
  
  Remember the password value provided, as it will be used in the Discovery configuration later.
5. Confirm Password : Provide the same value as provided in the preceding step.
Click SAVE. A new user has been created.
Go to Access Management > Scheme Policies.
Click on the privacera_peg service.
Locate the all - encryption-scheme, presentation-scheme policy and Click the edit icon to edit it.
Under Allow Conditions , add privacera_service_discovery user in the Select User field which has user permissions: Protect, Unprotect, Get Scheme, Impersonate
Click Save.

Configuration in Privacera Manager¶

Make sure you have done the configuration on the PrivaceraCloud Portal as given above, and have these handy,

RANGER_ADMIN_URL
RANGER_SERVICE_USERNAME
RANGER_SERVICE_PASSWORD
API_KEY
vars.data-plane.config.yml

vars.data-plane.config.yml file¶

Run the following commands,

Bash
# Download the vars.data-plane.config.yml from PrivaceraCloud Portal 
# in 'Configuration on PrivaceraCloud Portal - step 3' above

# Upload the vars.data-plane.config.yml to Privacera Manager host and copy 
# to `~/privacera-manager/config/custom-vars/vars.data-plane.config.yml`

Bash
# Confirm it's presence by running `
ls -l ~/privacera-manager/config/custom-vars/vars.data-plane.config.yml

vars.privacera-cloud.yml file¶

Bash
# Copy the sample vars.privacera-cloud.yml file from sample-vars folder
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.privacera-cloud.yml config/custom-vars/

Bash
# Edit the file
cd ~/privacera/privacera-manager
vi config/custom-vars/vars.privacera-cloud.yml

Bash
# Edit the file as follows,

# Obtain the Ranger Admin URL, API Key, Ranger service 
# username, password from 
# 'Configuration on PrivaceraCloud Portal -step #1' above. 
# Set the base URL, that is the host name, to this variable as follows

# Example - if the Ranger Admin URL is of this format - 
# https://api.privaceracloud.com/api/XYZ then 
# set the variable to https://api.privaceracloud.com
PRIVACERA_CLOUD_BASE_URL: "<BASE_URL of RANGER_ADMIN_URL>"
PRIVACERA_CLOUD_API_KEY: "<API_KEY>"

CONNECTOR_RANGER_USER_NAME: "<RANGER_SERVICE_USERNAME>"
CONNECTOR_RANGER_USER_PASSWORD: "<RANGER_SERVICE_PASSWORD>"

PRIVACERA_USERSYNC_RANGER_USERNAME: "<RANGER_SERVICE_USERNAME>"
PRIVACERA_USERSYNC_RANGER_PASSWORD: "<RANGER_SERVICE_PASSWORD>"

# Set these variables to false as these are running in PrivaceraCloud
RANGER_ENABLE: "false"
AUDITSERVER_ENABLE: "false"
MARIADB_ENABLE: "false"
DB_INSTALL_MARIADB: "false"

# Set these variables to true, if you plan to use 
# Privacera Discovery in Data Plane
#PORTAL_ENABLE: "true"
#PORTAL_INSTALL: "true"
#SOLR_ENABLE: "true"
#ZOOKEEPER_ENABLE: "true"
# Else set them to false, if you are not going to use 
# Privacera Discovery in Data Plane
PORTAL_ENABLE: "false"
PORTAL_INSTALL: "false"
SOLR_ENABLE: "false"
ZOOKEEPER_ENABLE: "false"

vars.ssl.yml file¶

Bash
1 2	`# Edit the vars.ssl.yml file vi config/custom-vars/vars.ssl.yml`

Bash
# Add or edit the following variable
RANGER_SSL_ENABLE: "false"

Upload artifact to PrivaceraCloud Portal¶

Now that you have done all the configuration, you can run Privacera Manager by using the steps given in the Using Privacera Manager section.

At this point, since no connectors or optional modules are configured, you can skip the pm_with_helm.sh step.

After the Privacera Manager is successfully run, you will have to copy the generated artifact to the PrivaceraCloud Portal, using following steps.

Bash
cd ~/privacera/privacera-manager/config/ssl
cat d2p_rsa_public_key.pem

Copy the contents of the d2p_rsa_public_key.pem file and paste it in the PrivaceraCloud Portal as follows.

Log into your PrivaceraCloud account as an administrator.
Go to Settings > Account
In the Distributed Data Plane section, under the Public Key, click ADD button.
Paste the contents of the d2p_rsa_public_key.pem file in the text box, and click on SAVE.

Next steps¶

Depending upon your deployment type and choice of Privacera modules , you can proceed to the next steps.

Prev Prerequisites
Next