Starburst Enterprise with Privacera

Using Privacera with Starburst Enterprise LTS, you can enforce system-wide access control. The following information provides an expedient way of configuring Starburst Enterprise on port 8443 for TLS/HTTPS so that username/password authentication is possible. Self-signed certificates work well for testing, but must not be used for production deployments.

Prerequisites

The following items must be available or enabled before deploying a Starburst Docker image:

  • A licensed version of Starburst
  • Docker-ce 18+ must be installed
  • JDK 11 (to generate the Java keystore)
  • Privacera Manager version 4.7 or higher
  • JDBC URL to connect to the Starburst Enterprise instance to access the catalogs and schemas
  • CA-signed SSL certificate for production deployment.

Configuring Privacera Plugin with Starburst Enterprise

Summary of steps:

  1. Generate an access-control file for Starburst.
  2. Generate an access-control file for Hive catalogs [optional].
  3. Generate a Ranger Audit XML file.
  4. Generate a Ranger SSL XML file required for TLS secure Privacera installations.

To configure Privacera plugin:

  1. To enable Privacera for authorization, update etc/config.properties with one of the following entries:

    # privacera auth for hive and system access control
    access-control.config-files=/etc/starburst/access-control-privacera.properties,/etc/starburst/access-control-priv-hive.properties
    

    Or

    # privacera auth for only system access control
    access-control.config-files=/etc/starburst/access-control-privacera.properties
    
  2. Edit etc/access-control-privacera.properties. The following is an example of the properties. Configure the properties in this file so that they point to the instance where Privacera is installed: replace <PRIVACERA_HOST_INSTANCE_IP> with the IP address of the Privacera host. The ranger.username and ranger.password values shown are examples.

    access-control.name=privacera-starburst
    ranger.policy-rest-url=http://<PRIVACERA_HOST_INSTANCE_IP>:6080
    ranger.service-name=privacera_starburstenterprise
    ranger.username=admin
    ranger.password=welcome1
    ranger.policy-refresh-interval=3s
    ranger.config-resources=/etc/starburst/ranger-hive-audit.xml
    ranger.policy-cache-dir=/etc/starburst/tmp/ranger
    

    To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/access-control-privacera.properties:$STARBURST_TGT/access-control-privacera.properties \
    
  3. Edit etc/access-control-priv-hive.properties. The following is an example of the properties. Configure the properties in this file so that they point to the instance where Privacera is installed: replace <PRIVACERA_HOST_INSTANCE_IP> with the IP address of the Privacera host. Similarly, set privacera.catalogs to the comma-separated list of catalogs to be governed, such as Hive, Glue, Delta, and so on.

    This file is optional if you are not configuring Hive catalogs with privacera_hive policies.

    access-control.name=privacera
    ranger.policy-rest-url=http://<PRIVACERA_HOST_INSTANCE_IP>:6080
    ranger.service-name=privacera_hive
    privacera.catalogs=hive,glue
    ranger.username=admin
    ranger.password=welcome1
    ranger.policy-refresh-interval=3s
    ranger.config-resources=/etc/starburst/ranger-hive-audit.xml
    ranger.policy-cache-dir=/etc/starburst/tmp/ranger
    privacera.fallback-access-control=allow-all
    
  4. To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/access-control-priv-hive.properties:$STARBURST_TGT/access-control-priv-hive.properties \
    
  5. Edit etc/ranger-hive-audit.xml. This file configures how Starburst audits access to Privacera Ranger and Solr. The example below is for unsecured Privacera Ranger deployments only. Replace <PRIVACERA_HOST_INSTANCE_IP>, including the angle brackets, with the IP address of the Privacera host; left as-is, the bare '<' makes the file invalid XML.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <property>
            <name>ranger.plugin.hive.service.name</name>
            <value>privacera_hive</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.pollIntervalMs</name>
            <value>5000</value>
        </property>
        <property>
            <name>ranger.service.store.rest.url</name>
            <value>http://<PRIVACERA_HOST_INSTANCE_IP>:6080</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.rest.url</name>
            <value>http://<PRIVACERA_HOST_INSTANCE_IP>:6080</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
            <value>/opt/presto/logs/audits/solr/</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.urls</name>
            <value>http://<PRIVACERA_HOST_INSTANCE_IP>:8983/solr/ranger_audits</value>
        </property>
        <property>
            <name>xasecure.audit.is.enabled</name>
            <value>true</value>
        </property>
    </configuration>
    
  6. To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/ranger-hive-audit.xml:$STARBURST_TGT/ranger-hive-audit.xml \
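As an added example (not from the Privacera or Starburst documentation), the following POSIX shell pre-flight script checks the three files above before they are bind-mounted: it fails if any file still contains the <PRIVACERA_HOST_INSTANCE_IP> placeholder or if config.properties lists an access-control file that is not present, and otherwise prints the -v options for the container creation script. DOCKER_HOME, STARBURST_VERSION and STARBURST_TGT are the page's variables; their default values here are assumptions.

```shell
#!/bin/sh
# Added pre-flight check (not from the Privacera or Starburst docs) for the
# Privacera files the steps above bind-mount into the Starburst container.
# DOCKER_HOME, STARBURST_VERSION and STARBURST_TGT are the page's variables;
# the defaults below are assumptions.
DOCKER_HOME="${DOCKER_HOME:-/opt/docker}"
STARBURST_VERSION="${STARBURST_VERSION:-latest}"
STARBURST_TGT="${STARBURST_TGT:-/etc/starburst}"
ETC_DIR="$DOCKER_HOME/$STARBURST_VERSION/etc"
PRIVACERA_FILES="access-control-privacera.properties access-control-priv-hive.properties ranger-hive-audit.xml"

# Succeeds (exit 0) when a file still carries the unreplaced placeholder.
# In ranger-hive-audit.xml the bare '<' would also make the XML unparseable.
placeholder_left() {
    grep -qF '<PRIVACERA_HOST_INSTANCE_IP>' "$1"
}

# Print the -v options for every Privacera file present in ETC_DIR
# (access-control-priv-hive.properties is optional, so absence is not an error).
mount_opts() {
    opts=""
    for f in $PRIVACERA_FILES; do
        [ -f "$ETC_DIR/$f" ] && opts="$opts -v $ETC_DIR/$f:$STARBURST_TGT/$f"
    done
    printf '%s\n' "${opts# }"
}

# Every path in access-control.config-files must correspond to a file in
# ETC_DIR; returns 1 and names the first one that is missing.
config_files_present() {
    list=$(sed -n 's/^access-control\.config-files=//p' "$1")
    [ -n "$list" ] || { echo "no access-control.config-files entry in $1" >&2; return 1; }
    for path in $(printf '%s' "$list" | tr ',' ' '); do
        [ -f "$ETC_DIR/$(basename "$path")" ] || { echo "missing: $path" >&2; return 1; }
    done
    return 0
}

# Run all checks; on success print the mount options ready to paste.
preflight() {
    rc=0
    for f in $PRIVACERA_FILES; do
        [ -f "$ETC_DIR/$f" ] || continue
        if placeholder_left "$ETC_DIR/$f"; then
            echo "placeholder still present in $f" >&2; rc=1
        fi
    done
    config_files_present "$ETC_DIR/config.properties" || rc=1
    [ "$rc" -eq 0 ] && mount_opts
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it as `sh privacera-preflight.sh check` from the host that builds the container; a non-zero exit means one of the files is not ready to mount.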