# Azure ADLS Data Server
This topic covers integration of Azure Data Lake Storage (ADLS) with the Privacera Platform using Privacera Dataserver.
Ensure that the following prerequisites are met:

- You have access to an Azure Storage account along with the required credentials. For more information on how to set up an Azure storage account, refer to Azure Storage Account Creation.
- Get the values for the following Azure properties: Application (client) ID and Client secret.
1. Launch PM UI. For more information on how to start PM UI, click here.
2. In the left navigation of the PM UI, navigate to Setup Access Manager > Configure Data Access Server.
3. Click Configure Data Access Server to modify the properties. For property details and descriptions, refer to the Configuration Properties below.
4. To install or update, go to Install in the left navigation and click Install & Start Services.
Go to the privacera-manager folder on your virtual machine. Open the config folder, copy the sample vars.dataserver.azure.yml file to the custom-vars/ folder, and edit it. The copied file lives under config/custom-vars/, so open it from there:

```shell
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.dataserver.azure.yml config/custom-vars/
vi config/custom-vars/vars.dataserver.azure.yml
```
Enter the following Azure-related information. For property details and descriptions, click here.

```yaml
AZURE_TENANTID: "<PLEASE_CHANGE>"
AZURE_APP_CLIENT_ID: "<PLEASE_CHANGE>"
AZURE_SUBSCRIPTION_ID: "<PLEASE_CHANGE>"
AZURE_RESOURCE_GROUP: "<PLEASE_CHANGE>"
BASE64_APP_CLIENT_SECRET: "<PLEASE_CHANGE>"
DATASERVER_AZURE_GEN2_SHARED_KEY_AUTH: "<PLEASE_CHANGE>"
AZURE_ACCT_SHARED_KEY_PAIRS: "<PLEASE_CHANGE>"
```
You can also add custom properties that are not included by default. See Dataserver.
Run the following command to apply the configuration:

```shell
cd ~/privacera/privacera-manager
./privacera-manager.sh update
```
To get the value for this property, go to Azure portal > Storage accounts > select the storage account you want to configure > Access keys > Copy Key.
If there are multiple storage accounts, separate their entries with a comma.
Uncomment to use the Azure CLI.
The `AZURE_ACCT_SHARED_KEY_PAIRS` property does not work together with this property, so you have to set the `AZURE_ACCOUNT_NAME` and `AZURE_SHARED_KEY` properties instead.
| Property | Description | Example value |
|---|---|---|
| AZURE_TENANTID | Go to Azure portal > Azure Active Directory > Properties > Tenant ID | 5a5cxxx-xxxx-xxxx-xxxx-c3172b33xxxx |
| AZURE_APP_CLIENT_ID | Get the value by following the Prerequisites section above. | 8c08xxxx-xxxx-xxxx-xxxx-6w0c95v0xxxx |
| AZURE_SUBSCRIPTION_ID | Go to Azure portal > select Subscriptions in the left sidebar > select the required subscription > click Overview > copy the Subscription ID | 27e8xxxx-xxxx-xxxx-xxxx-c716258wxxxx |
| AZURE_RESOURCE_GROUP | Go to Azure portal > Storage accounts > select the storage account you want to configure > click Overview > Resource Group | privacera-dev |
Get the value by following the Prerequisites section above.
Note: Add the following property to the YAML file in BASE64 format. Use `echo -n` (or `printf '%s'`) so that the trailing newline `echo` would otherwise append is not encoded into the secret:

```shell
$ echo -n "CLIENT_SECRET" | base64
```
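As an added example (not from the Privacera documentation), the following shell functions produce the BASE64_APP_CLIENT_SECRET value without the trailing newline a plain `echo` would include, verify that the encoded value decodes back to the original byte for byte, and show the pitfall the note above warns about; the secret value is a constructed placeholder, not a real credential.

```shell
# Encode a secret as a single-line base64 string suitable for a YAML value.
# `printf '%s'` writes no trailing newline (unlike `echo`), and `tr -d '\n'`
# removes the line wrapping GNU base64 inserts after 76 characters.
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an encoded value and compare it with the original secret.
# A sentinel 'x' is appended before $(...) strips trailing newlines, so a
# stray newline in the decoded secret is detected. Returns 0 on an exact
# round trip, 1 otherwise.
verify_secret() {
    decoded=$(printf '%s' "$2" | base64 -d; printf x)
    decoded=${decoded%x}
    [ "$decoded" = "$1" ]
}

# The pitfall: echo appends '\n', so the encoded value decodes to
# "secret\n" and authentication with it fails.
naive_encode() {
    echo "$1" | base64 | tr -d '\n'
}

# Emit the property line in the form used by vars.dataserver.azure.yml.
yaml_line() {
    printf 'BASE64_APP_CLIENT_SECRET: "%s"\n' "$(encode_secret "$1")"
}

# Constructed placeholder secret for demonstration only.
SAMPLE_SECRET='example~client.secret_VALUE-1234'

yaml_line "$SAMPLE_SECRET"
if verify_secret "$SAMPLE_SECRET" "$(naive_encode "$SAMPLE_SECRET")"; then
    echo "unexpected: echo-based encoding round-tripped"
else
    echo "echo-based encoding adds a trailing newline; use encode_secret"
fi
```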
These validation steps require the Privacera Portal functions Access Management: Resource Policies and Data Inventory: Data Explorer. See the Privacera Portal Users' Guide for more information.
All access and attempted access (Allowed and Denied) to Azure ADLS resources is now recorded to the audit stream, which can be reviewed in the Audit page of the Privacera Access Manager. The default access for a data repository is 'Denied', so all data access is denied until a policy allows it.
To verify Privacera Data Management control, perform the following steps:

1. Log in to Privacera Portal as a portal administrator, open Data Inventory: Data Explorer, and attempt to view the targeted ADLS files or folders. The data will be hidden and a Denied status will be registered in the Audit page.
2. In Privacera Portal, open Access Management: Resource Policies. Open the System 'ADLS' and the 'application' (data repository) 'privacera_adls'. Create or modify an access policy to allow access to some or all of your ADLS storage.
3. Return to Data Inventory: Data Explorer and re-attempt to view the data as allowed by your new policy or policy change (repeat step 1). You should now be able to view files or folders in the account, and an Allowed status will be registered in the Audit page.
To check the log in the Audit page in Privacera Portal, perform the following steps:

1. On the Privacera Portal page, expand Access Management and click Audit in the left menu.
2. The Audit page is displayed with the Ranger Audit details.