
Discovery Configuration - Self Managed and Data Plane

Enable Discovery features

Run the following commands on the Privacera Manager host to enable Discovery features in Self Managed and PrivaceraCloud Data Plane deployments.

Copy the vars.discovery.aws.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.aws.yml config/custom-vars/
vi config/custom-vars/vars.discovery.aws.yml

Add or edit the following variables:

Bash
# Discovery bucket name. Must be given without the 's3://' prefix
# and may contain an optional folder path.
#
# Example 1: DISCOVERY_BUCKET_NAME: "my-discovery-bucket"
# Example 2: DISCOVERY_BUCKET_NAME: "my-discovery-bucket/my-path"
# This bucket will be created by Privacera Manager using Terraform.
DISCOVERY_BUCKET_NAME: "<PLEASE_CHANGE>"

# If you do not want Privacera Manager to create the S3 bucket,
# uncomment the following:
# DISCOVERY_CREATE_BUCKET: "false"

# If you do not want Privacera Manager to create the DynamoDB tables,
# uncomment the following:
#DISCOVERY_CREATE_NOSQL_TABLES: "false"

# If you have created DynamoDB tables with different names, then uncomment the following,
# and set the values to the table names.
#
# NOTE: Privacera Manager will not create tables with these names, you have to create
# them manually and set DISCOVERY_CREATE_NOSQL_TABLES: "false"
#
# SCAN_REQUEST_TABLE: "<PLEASE_CHANGE>"
# RESOURCE_TABLE: "<PLEASE_CHANGE>"
# ALERT_TABLE: "<PLEASE_CHANGE>"
# AUDIT_SUMMARY_TABLE: "<PLEASE_CHANGE>"
# ACTIVE_SCANS_TABLE: "<PLEASE_CHANGE>"
# STATE_TABLE: "<PLEASE_CHANGE>"

# If you do not want Privacera Manager to create the SQS queue, uncomment 
# the following
#DISCOVERY_CREATE_SQS: "false"

# If you want to use a different name for the SQS queue, uncomment the following
# DISCOVERY_BUCKET_SQS_NAME: "<PLEASE_CHANGE>"

# IAM Role for Service Account used by Discovery Driver and Executor Pods
DISCOVERY_USE_POD_IAM_ROLE: "true"
DISCOVERY_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

DISCOVERY_CONSUMER_ENABLE: "true"
DISCOVERY_CONSUMER_USE_POD_IAM_ROLE: "true"
DISCOVERY_CONSUMER_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

PORTAL_USE_POD_IAM_ROLE: "true"
PORTAL_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

DISCOVERY_K8S_SPARK_DYNAMIC_ALLOCATION_ENABLED: "true"

Replace the following placeholders

These were created as part of the Prerequisites -> AWS steps.

DISCOVERY_BUCKET_NAME: Discovery configuration bucket name.

DISCOVERY_IAM_ROLE_ARN: ARN of the IAM role created for Discovery driver, executor and Portal pods

DISCOVERY_CONSUMER_IAM_ROLE_ARN: ARN of the IAM role created for Discovery consumer pods

PORTAL_IAM_ROLE_ARN: ARN of the IAM role created for Discovery driver, executor and Portal pods

Copy the vars.discovery.azure.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.azure.yml config/custom-vars/
vi config/custom-vars/vars.discovery.azure.yml

Add or edit the following variables. DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY and DISCOVERY_COSMOSDB_KEY are account-level secrets held in clear text in this file, so restrict read access to config/custom-vars to the operators who run Privacera Manager.

Bash
DISCOVERY_FS_PREFIX: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_NAME: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY: "<PLEASE_CHANGE>"

DISCOVERY_AZURE_LOCATION: "<PLEASE_CHANGE>"

CREATE_AZURE_RESOURCES: "false"

DISCOVERY_AZURE_RESOURCE_GROUP: "<PLEASE_CHANGE>"

DISCOVERY_AZURE_COSMOS_DB_ACCOUNT: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_URL: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_KEY: "<PLEASE_CHANGE>"

DISCOVERY_CONSUMER_ENABLE: "true"

Copy the vars.discovery.gcp.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.gcp.yml config/custom-vars/
vi config/custom-vars/vars.discovery.gcp.yml

Add or edit the following variables:

Bash
BIGTABLE_INSTANCE_ID: "<PLEASE_CHANGE>"
DISCOVERY_BUCKET_NAME: "<PLEASE_CHANGE>"

Enable Kafka for Discovery

Copy the vars.kafka.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kafka.yml config/custom-vars/
vi config/custom-vars/vars.kafka.yml

Add or edit the following variables:

Bash
# Add or edit the following variables in the file
USE_KAFKA_SPECIFIC_STORAGE_CLASS: "true"

Enable real-time discovery features

Run the following commands on the Privacera Manager host to enable real-time discovery features for Self Managed and PrivaceraCloud Data Plane deployments.

Copy the vars.pkafka.aws.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.pkafka.aws.yml config/custom-vars/
vi config/custom-vars/vars.pkafka.aws.yml

Add or edit the following variables:

Bash
PKAFKA_SQS_ENDPOINT: "<PLEASE_CHANGE>"

PKAFKA_USE_POD_IAM_ROLE: "true"
PKAFKA_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

Replace the following placeholders

These were created as part of the Prerequisites -> AWS steps.

PKAFKA_SQS_ENDPOINT: the full Amazon SQS queue URL, not just the queue name (see the Amazon SQS documentation on queue URLs). It has this format:

https://sqs.<AWS_REGION>.amazonaws.com/<ACCOUNT_ID>/privacera_bucket_sqs_<DEPLOYMENT_ENV_NAME>

PKAFKA_IAM_ROLE_ARN: ARN of the IAM role created for Privacera Kafka
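The two AWS vars files above (vars.discovery.aws.yml and vars.pkafka.aws.yml) are easy to get subtly wrong: a placeholder left in place, a bucket name pasted with its s3:// prefix, typographic quotes pasted from a web page, custom DynamoDB table names set while Privacera Manager is still told to create tables, or a queue name where a queue URL is expected. The following pre-flight script is an added example, not part of Privacera Manager; it assumes the `KEY: "value"` layout shown on this page, only parses the files, and never contacts AWS. The script name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Privacera Manager code: pre-flight checks for the AWS
# Discovery vars files. Assumes the KEY: "value" layout shown on this page,
# with '#' comment lines. Parses the files only; never contacts AWS.

# Value of KEY ($2) in FILE ($1): first active (uncommented) "KEY: value"
# line, surrounding ASCII double quotes removed. Prints nothing if unset.
get_var() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed -E 's/^"(.*)"[[:space:]]*$/\1/'
}

# Any active line still carrying the <PLEASE_CHANGE> marker is an error.
check_no_placeholders() {
  if grep -E '^[[:space:]]*[A-Z_]+:.*<PLEASE_CHANGE>' "$1" >/dev/null; then
    echo "$1: unresolved <PLEASE_CHANGE> placeholder(s)" >&2
    return 1
  fi
}

# Typographic quotes (U+201C/U+201D, as pasted from a web page) are not YAML
# quoting: they become part of the value, e.g. of the bucket name.
check_no_curly_quotes() {
  pat=$(printf '\342\200[\234\235]')
  if grep -v '^[[:space:]]*#' "$1" | LC_ALL=C grep "$pat" >/dev/null; then
    echo "$1: curly quotes found; use plain ASCII double quotes" >&2
    return 1
  fi
}

# arn:aws:iam::<12-digit account>:role/<name>; aws-cn / aws-us-gov partitions allowed.
is_iam_role_arn() {
  printf '%s\n' "$1" \
    | grep -E '^arn:aws(-[a-z-]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$' >/dev/null
}

# https://sqs.<region>.amazonaws.com/<12-digit account>/<queue name>
is_sqs_queue_url() {
  printf '%s\n' "$1" \
    | grep -E '^https://sqs\.[a-z0-9-]+\.amazonaws\.com(\.cn)?/[0-9]{12}/[A-Za-z0-9_.-]+$' >/dev/null
}

# When the *_USE_POD_IAM_ROLE flag ($2) is "true", the *_IAM_ROLE_ARN ($3) must be a role ARN.
check_role_pair() {
  if [ "$(get_var "$1" "$2")" = "true" ]; then
    arn=$(get_var "$1" "$3")
    if ! is_iam_role_arn "$arn"; then
      echo "$1: $3 is not an IAM role ARN: '$arn'" >&2
      return 1
    fi
  fi
}

# Custom DynamoDB table names are only honoured when Privacera Manager is told
# not to create the tables itself (DISCOVERY_CREATE_NOSQL_TABLES: "false").
check_table_consistency() {
  for key in SCAN_REQUEST_TABLE RESOURCE_TABLE ALERT_TABLE \
             AUDIT_SUMMARY_TABLE ACTIVE_SCANS_TABLE STATE_TABLE; do
    if [ -n "$(get_var "$1" "$key")" ] \
       && [ "$(get_var "$1" DISCOVERY_CREATE_NOSQL_TABLES)" != "false" ]; then
      echo "$1: $key is set but DISCOVERY_CREATE_NOSQL_TABLES is not \"false\"" >&2
      return 1
    fi
  done
}

validate_discovery_aws() {
  rc=0
  check_no_placeholders "$1" || rc=1
  check_no_curly_quotes "$1" || rc=1
  bucket=$(get_var "$1" DISCOVERY_BUCKET_NAME)
  case "$bucket" in
    "")     echo "$1: DISCOVERY_BUCKET_NAME is not set" >&2; rc=1 ;;
    s3://*) echo "$1: DISCOVERY_BUCKET_NAME must not carry the s3:// prefix" >&2; rc=1 ;;
  esac
  check_role_pair "$1" DISCOVERY_USE_POD_IAM_ROLE          DISCOVERY_IAM_ROLE_ARN          || rc=1
  check_role_pair "$1" DISCOVERY_CONSUMER_USE_POD_IAM_ROLE DISCOVERY_CONSUMER_IAM_ROLE_ARN || rc=1
  check_role_pair "$1" PORTAL_USE_POD_IAM_ROLE             PORTAL_IAM_ROLE_ARN             || rc=1
  check_table_consistency "$1" || rc=1
  return $rc
}

validate_pkafka_aws() {
  rc=0
  check_no_placeholders "$1" || rc=1
  check_no_curly_quotes "$1" || rc=1
  url=$(get_var "$1" PKAFKA_SQS_ENDPOINT)
  if ! is_sqs_queue_url "$url"; then
    echo "$1: PKAFKA_SQS_ENDPOINT must be the full queue URL, not the queue name: '$url'" >&2
    rc=1
  fi
  check_role_pair "$1" PKAFKA_USE_POD_IAM_ROLE PKAFKA_IAM_ROLE_ARN || rc=1
  return $rc
}

# Usage (hypothetical script name): bash check_discovery_vars.sh config/custom-vars
if [ $# -gt 0 ]; then
  status=0
  [ -f "$1/vars.discovery.aws.yml" ] && { validate_discovery_aws "$1/vars.discovery.aws.yml" || status=1; }
  [ -f "$1/vars.pkafka.aws.yml" ]    && { validate_pkafka_aws    "$1/vars.pkafka.aws.yml"    || status=1; }
  exit $status
fi
```

Run it from ~/privacera/privacera-manager before invoking Privacera Manager; a non-zero exit with the reasons on stderr means the files are not ready to apply. The checks are syntactic only: a well-formed role ARN or queue URL can still point at a role or queue that does not exist or that the pods are not allowed to assume or read, which only the apply step (or a direct check against AWS) will reveal.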

Copy the vars.pkafka.azure.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.pkafka.azure.yml config/custom-vars/
vi config/custom-vars/vars.pkafka.azure.yml

Add or edit the following variables:

Bash
PKAFKA_EVENT_HUB: "<PLEASE_CHANGE>"
PKAFKA_EVENT_HUB_NAMESPACE: "<PLEASE_CHANGE>"
PKAFKA_EVENT_HUB_CONSUMER_GROUP: "<PLEASE_CHANGE>"
PKAFKA_EVENT_HUB_CONNECTION_STRING: "<PLEASE_CHANGE>"

Copy the vars.pkafka.gcp.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.pkafka.gcp.yml config/custom-vars/
vi config/custom-vars/vars.pkafka.gcp.yml

Add or edit the following variables:

Bash
PKAFKA_GCP_SINK_DESTINATION_PUBSUB_SUBSCRIPTION_NAME: "<PLEASE_CHANGE>"

Enable Discovery Classification push to Ranger Tags

Run the following commands on the Privacera Manager host to enable the push of Discovery tags to Ranger.

Bash
cd ~/privacera/privacera-manager
vi config/custom-vars/vars.discovery.agent.yml

Add or edit the following variables:

Bash
DISCOVERY_RANGER_TAGSYNC_USERNAME: "<PLEASE_CHANGE>"
RANGER_TAGSYNC_PASSWORD: "<PLEASE_CHANGE>"
DISCOVERY_RANGER_REST_ENABLED: "true"

Replace the following placeholders

DISCOVERY_RANGER_TAGSYNC_USERNAME: Ranger TagSync username

RANGER_TAGSYNC_PASSWORD: Ranger TagSync password

The Ranger TagSync username and password are used to push the tags to Ranger. They are the credentials of the Ranger admin user created as described in Create Ranger Service user for Discovery Compliance policies. The same steps have to be followed for a Self Managed deployment using the Privacera Portal in the VPC, and for a PrivaceraCloud Data Plane deployment using the PrivaceraCloud Portal. RANGER_TAGSYNC_PASSWORD is held in clear text in this file, so restrict read access to config/custom-vars accordingly.

Apply the configuration

To apply the configuration, run Privacera Manager as described in the Privacera Manager QuickStart steps.

The same steps apply for Self Managed and PrivaceraCloud Data Plane deployments.
