Starburst System Plugin Configuration
Manual Installation#
Expand
Install and configure on Starburst Enterprise Presto (Enterprise PrestoSQL/Trino)
There are several possible configurations for Privacera integration with Starburst. The most commonly used are:
- System-level Plugin Only: With this option, Starburst uses the
starburst-enterprise-prestoService Definition in Privacera for all policies, including the Hive catalog. Policies underprivacera_hiveorprivacera_sqlHive-style (or SQL) policies are ignored and must be replicated inprivacera_starburstto be effective. - Hive-style and System-level Plugins: With this option, Starburst uses both the
starburst-enterprise-prestoService definition and theHiveService definition. Policies underprivacera_hiveorprivacera_sqlHive-style (or SQL) policies will be evaluated for queries in the Hive catalog, andprivacera_starburstpolicies will be effective for all other catalogs.
For System-level Plugin Only
hive.properties:
- Usually located in etc/catalog
- Points to configuration file/s for plugins
- Comment out all settings beginning with
ranger.
Ensure that below line is present in the file:
hive.security=allow-all
config.properties
- Usually located in etc directory
- Points to configuration file/s for plugins
Ensure that below line is present in the file:
access-control.config-files=etc/access-control-privacera.properties
access-control-privacera.properties
- Usually located in etc directory
- Defines settings for one plugin per file
File contents:
access-control.name=privacera-starburst
# Example: ranger.policy-rest-url=http://starburst.tryprivacera.com:6080
ranger.policy-rest-url=http://${Privacera Ranger API URL}:${Ranger port}
ranger.service-name=privacera_starburst
ranger.presto-plugin-username=${Ranger API username}
ranger.presto-plugin-password=${Ranger API user password}
ranger.policy-refresh-interval=3s
# Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
ranger.config-resources=${presto configuration path}/etc/ranger-hive-audit.xml
# Example: ranger.policy-cache-dir=/tmp/ranger
ranger.policy-cache-dir=${presto temp file location}
ranger-hive-audit.xml
- Usually located in etc directory
- Defines settings for one plugin per file
File contents:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<property>
<name>ranger.plugin.hive.service.name</name>
<value>privacera_hive</value>
</property>
<property>
<name>ranger.plugin.hive.policy.pollIntervalMs</name>
<value>5000</value>
</property>
<property>
<name>ranger.service.store.rest.url</name>
<value>
http://
<Privacera Ranger API URL>
:<Ranger port - e.g., 6080>
</value>
</property>
<property>
<name>ranger.plugin.hive.policy.rest.url</name>
<value>
http://
<Privacera Ranger API URL>
:<Ranger port - e.g., 6080>
</value>
</property>
<property>
<name>xasecure.audit.destination.solr</name>
<value>true</value>
</property>
<property>
<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
<value>
<presto temp file location>
</value>
</property>
<property>
<name>xasecure.audit.destination.solr.urls</name>
<value>
http://
<Privacera Ranger API URL>
:8983/solr/ranger_audits
</value>
</property>
<property>
<name>xasecure.audit.is.enabled</name>
<value>true</value>
</property>
</configuration>
For Hive-style and System-level Plugins
hive.properties
- This is same as above section "For System-level Plugin Only".
access-control-privacera.properties
- This is same as above section "For System-level Plugin Only".
ranger-hive-audit.xml
- This is same as above section "For System-level Plugin Only".
access-control-priv-hive.properties
- Usually located in etc directory
- Defines settings for one plugin per file
File contents:
access-control.name=privacera
# Example: ranger.policy-rest-url=http://starburst.tryprivacera.com:6080
ranger.policy-rest-url=http://<Privacera Ranger API URL>:<Ranger port - e.g., 6080>
ranger.service-name=privacera_hive
privacera.catalogs=hive
ranger.presto-plugin-username=<Ranger API username>
ranger.presto-plugin-password=<Ranger API user password>
ranger.policy-refresh-interval=3s
# Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
ranger.config-resources=<presto configuration path>/etc/ranger-hive-audit.xml
# Example: ranger.policy-cache-dir=/tmp/ranger
ranger.policy-cache-dir=<presto temp file location>
# Fallback allow-all allows privacera_starburst catalog-level permissions as fallback
privacera.fallback-access-control=allow-all
config.properties
- Usually located in etc/ directory
- Points to configuration file/s for plugins
Ensure that below line is present in the file (note multiple comma-separated config files):
access-control.config-files=etc/access-control-ranger.privacera,etc/access-control-priv-hive.properties
- After updating the files above, restart Starburst. The STARBURST-ENTERPRISE-PRESTO Service definition should appear in Ranger and Privacera Portal.
- Add a new service repository to the STARBURST-ENTERPRISE-PRESTO service (e.g., "privacera_starburst") for new policies.
- Import or create policies.
Sample JSON Templates
-
Starburst_Tags_sample.json
{ "op": "add_or_update", "serviceName": "privacera_starburst", "tagVersion": 0, "tagDefinitions": { "0": { "name": "MEDICAL_RECORD", "source": "privacera", "attributeDefs": [], "id": 0, "isEnabled": true } }, "tags": { "0": { "type": "MEDICAL_RECORD", "owner": 0, "attributes": {}, "id": 0, "isEnabled": true } }, "serviceResources": [ { "serviceName": "privacera_starburst", "resourceElements": { "schema": { "values": [ "claims" ], "isExcludes": false, "isRecursive": false }, "catalog": { "values": [ "oracle" ], "isExcludes": false, "isRecursive": false }, "column": { "values": [ "desynpuf_id" ], "isExcludes": false, "isRecursive": false }, "table": { "values": [ "claim_outpat" ], "isExcludes": false, "isRecursive": false } }, "id": 0, "isEnabled": true } ], "resourceToTagIds": { "0": [ 0 ] } } -
Starburst_Tag_Policy_sample.json
{ "service": "privacera_tag", "name": "Medical Record Number Access", "policyType": 0, "policyPriority": 1, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "MEDICAL_RECORD" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "starburst-enterprise-presto:select", "isAllowed": true }, { "type": "starburst-enterprise-presto:insert", "isAllowed": true }, { "type": "starburst-enterprise-presto:delete", "isAllowed": true }, { "type": "starburst-enterprise-presto:update", "isAllowed": true }, { "type": "starburst-enterprise-presto:ownership", "isAllowed": true }, { "type": "starburst-enterprise-presto:execute", "isAllowed": true }, { "type": "starburst-enterprise-presto:kill", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [ { "accesses": [ { "type": "starburst-enterprise-presto:select", "isAllowed": true }, { "type": "starburst-enterprise-presto:execute", "isAllowed": true } ], "users": [], "groups": [ "clinical" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false, "id": 278, "guid": "ea05eba4-8f94-4d3a-a9b9-1dc18d0aa86e", "isEnabled": true, "version": 2 } -
Starburst_Policies_sample.json
{ "serviceName": "privacera_starburst", "serviceId": 30, "policyVersion": 100, "policyUpdateTime": 1610650802000, "policies": [ { "id": 236, "guid": "9b72a680-11ab-4952-8eca-a056bb55fa6d", "isEnabled": true, "version": 6, "service": "privacera_starburst", "name": "all - query", "policyType": 0, "policyPriority": 0, "description": "Policy for all - query", "isAuditEnabled": true, "resources": { "query": { "values": [ "*" ], "isExcludes": false, "isRecursive": false } }, "policyItems": [ { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "execute", "isAllowed": true }, { "type": "kill", "isAllowed": true } ], "users": [ "fiona_emily" ], "groups": [], "roles": [ "fiona_sales_role" ], "conditions": [], "delegateAdmin": true } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 240, "guid": "1e0dae00-1aef-4631-843b-1af97e3e451d", "isEnabled": true, "version": 5, "service": "privacera_starburst", "name": "all - function", "policyType": 0, "policyPriority": 0, "description": "Policy for all - function", "isAuditEnabled": true, "resources": { "function": { "values": [ "*" ], "isExcludes": false, "isRecursive": false } }, "policyItems": [ { "accesses": [ { "type": "execute", "isAllowed": true } ], "users": [ "fiona_emily" ], "groups": [], "roles": [ "fiona_sales_role" ], "conditions": [], "delegateAdmin": true } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 264, "guid": "ff07c7ca-c619-4da8-b4ac-6e6489d2d35d", "isEnabled": true, "version": 16, "service": "privacera_starburst", "name": "Oracle schema access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "schema": { "values": [ "claims" ], "isExcludes": false, "isRecursive": false }, "catalog": { "values": [ "oracle" ], "isExcludes": false, "isRecursive": false }, "column": { "values": [ "desynpuf_id" ], "isExcludes": true, "isRecursive": false }, "table": { "values": [ "claim_outpat", "foo" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [ { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "insert", "isAllowed": true }, { "type": "delete", "isAllowed": true }, { "type": "update", "isAllowed": true }, { "type": "ownership", "isAllowed": true }, { "type": "execute", "isAllowed": true }, { "type": "kill", "isAllowed": true } ], "users": [ "admin" ], "groups": [ "us_users" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 279, "guid": "42527a18-7230-491f-b435-c356ccd5e3e6", "isEnabled": true, "version": 1, "service": "privacera_starburst", "name": "Medical Record Number Mask", "policyType": 1, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "schema": { "values": [ "claims" ], "isExcludes": false, "isRecursive": false }, "catalog": { "values": [ "oracle" ], "isExcludes": false, "isRecursive": false }, "column": { "values": [ "desynpuf_id" ], "isExcludes": false, "isRecursive": false }, "table": { "values": [ "claim_outpat" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [ { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [], "groups": [ "clinical" ], "roles": [], "conditions": [], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "MASK_HASH" } } ], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 280, "guid": "e28cdb6d-2c12-4eb4-b9d3-6d00d1bea2bd", "isEnabled": true, "version": 4, "service": "privacera_starburst", "name": "Oracle catalog access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "session-property": { "values": [ "*" ], "isExcludes": false, "isRecursive": false }, "catalog": { "values": [ "oracle" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [ { "accesses": [ { "type": "select", "isAllowed": true }, { "type": "execute", "isAllowed": true } ], "users": [ "admin" ], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 281, "guid": "1a7db411-a786-4ab1-ba6c-bb98f48f33ca", "isEnabled": true, "version": 2, "service": "privacera_starburst", "name": "Medical Record Number Access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "schema": { "values": [ "claims" ], "isExcludes": false, "isRecursive": false }, "catalog": { "values": [ "oracle" ], "isExcludes": false, "isRecursive": false }, "column": { "values": [ "desynpuf_id" ], "isExcludes": false, "isRecursive": false }, "table": { "values": [ "claim_outpat" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [ { "accesses": [ { "type": "select", "isAllowed": true } ], "users": [ "admin" ], "groups": [ "clinical" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "starburst-enterprise-presto", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false } ], "serviceDef": { "id": 119, "guid": "d90c596b-e2c0-4f44-aa12-303f3d98c819", "isEnabled": true, "createdBy": "Admin", "updatedBy": "Admin", "createTime": 1602619696000, "updateTime": 1602619696000, "version": 1, "name": "starburst-enterprise-presto", "displayName": "starburst-enterprise-presto", "implClass": "com.starburstdata.ranger.services.presto.RangerServiceStarburstPresto", "label": "Starburst Enterprise Presto", "description": "Starburst Enterprise Presto", "options": { "enableDenyAndExceptionsInPolicies": "true" }, "configs": [ { "itemId": 1, "name": "username", "type": "string", "mandatory": true, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Username" }, { "itemId": 2, "name": "password", "type": "password", "mandatory": false, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Password" }, { "itemId": 3, "name": "jdbc.driverClassName", "type": "string", "mandatory": true, "defaultValue": "io.prestosql.jdbc.PrestoDriver", "validationRegEx": "", "validationMessage": "", "uiHint": "" }, { "itemId": 4, "name": "jdbc.url", "type": "string", "mandatory": true, "defaultValue": "", "validationRegEx": "", "validationMessage": "", "uiHint": "" }, { "itemId": 5, "name": "resource-lookup", "type": "enum", "subType": "check", "mandatory": false, "defaultValue": "true", "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Resource look-up" }, { "itemId": 6, "name": "commonNameForCertificate", "type": "string", "mandatory": false, "label": "Common Name for Certificate" } ], "resources": [ { "itemId": 1, "name": "catalog", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Catalog", "description": "Catalog", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 5, "name": "function", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Function", "description": "Function", "accessTypeRestrictions": [ "execute" ], "isValidLeaf": true }, { "itemId": 8, "name": "system-session-property", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "System session property", "description": "System session property", "accessTypeRestrictions": [ "update" ], "isValidLeaf": true }, { "itemId": 9, "name": "query", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Query", "description": "Query", "accessTypeRestrictions": [ "select", "kill", "execute" ], "isValidLeaf": true }, { "itemId": 2, "name": "schema", "type": "string", "level": 20, "parent": "catalog", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Schema", "description": "Schema", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 7, "name": "session-property", "type": "string", "level": 20, "parent": "catalog", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Session property", "description": "Session property", "accessTypeRestrictions": [ "update" ], "isValidLeaf": true }, { "itemId": 3, "name": "table", "type": "string", "level": 30, "parent": "schema", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Table", "description": "Table", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 6, "name": "procedure", "type": "string", "level": 30, "parent": "schema", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Procedure", "description": "Procedure", "accessTypeRestrictions": [ "execute" ], "isValidLeaf": true }, { "itemId": 4, "name": "column", "type": "string", "level": 40, "parent": "table", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "true", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "", "label": "Column", "description": "Column", "accessTypeRestrictions": [ "select", "ownership", "insert", "update", "delete" ], "isValidLeaf": true } ], "accessTypes": [ { "itemId": 1, "name": "select", "label": "Select", "impliedGrants": [] }, { "itemId": 2, "name": "insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 3, "name": "delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 4, "name": "update", "label": "Update", "impliedGrants": [] }, { "itemId": 5, "name": "ownership", "label": "Ownership", "impliedGrants": [ "select", "insert", "delete", "update" ] }, { "itemId": 6, "name": "execute", "label": "Execute", "impliedGrants": [] }, { "itemId": 7, "name": "kill", "label": "Kill", "impliedGrants": [] } ], "policyConditions": [], "contextEnrichers": [], "enums": [ { "itemId": 1, "name": "check", "elements": [ { "itemId": 1, "name": "true", "label": "Enabled" }, { "itemId": 2, "name": "false", "label": "Disabled" } ], "defaultIndex": 0 } ], "dataMaskDef": { "maskTypes": [ { "itemId": 1, "name": "MASK", "label": "Mask", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "mask({col})", "dataMaskOptions": {} }, { "itemId": 2, "name": "MASK_SHOW_LAST_4", "label": "Partial mask: show last 4", "description": "Show last 4 characters; replace rest with 'x'", "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 3, "name": "MASK_SHOW_FIRST_4", "label": "Partial mask: show first 4", "description": "Show first 4 characters; replace rest with 'x'", "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 4, "name": "MASK_HASH", "label": "Hash", "description": "Hash the value", "transformer": "mask_hash({col})", "dataMaskOptions": {} }, { "itemId": 5, "name": "MASK_NULL", "label": "Nullify", "description": "Replace with NULL", "dataMaskOptions": {} } ], "accessTypes": [ { "itemId": 1, "name": "select", "label": "Select", "impliedGrants": [] } ], "resources": [ { "itemId": 1, "name": "catalog", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Catalog", "description": "Catalog", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 2, "name": "schema", "type": "string", "level": 20, "parent": "catalog", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Schema", "description": "Schema", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 3, "name": "table", "type": "string", "level": 30, "parent": "schema", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Table", "description": "Table", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 4, "name": "column", "type": "string", "level": 40, "parent": "table", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Column", "description": "Column", "accessTypeRestrictions": [ "select", "ownership", "insert", "update", "delete" ], "isValidLeaf": true } ] }, "rowFilterDef": { "accessTypes": [ { "itemId": 1, "name": "select", "label": "Select", "impliedGrants": [] } ], "resources": [ { "itemId": 1, "name": "catalog", "type": "string", "level": 10, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Catalog", "description": "Catalog", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 2, "name": "schema", "type": "string", "level": 20, "parent": "catalog", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Schema", "description": "Schema", "accessTypeRestrictions": [], "isValidLeaf": false }, { "itemId": 3, "name": "table", "type": "string", "level": 30, "parent": "schema", "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "true" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":true }", "label": "Table", "description": "Table", "accessTypeRestrictions": [], "isValidLeaf": true } ] } }, "auditMode": "audit-default", "tagPolicies": { "serviceName": "privacera_tag", "serviceId": 2, "policyVersion": 145, "policyUpdateTime": 1610588253000, "policies": [ { "id": 8, "guid": "0192c692-c3c7-4374-bdda-5ad225bb3da9", "isEnabled": true, "version": 3, "service": "privacera_tag", "name": "EXPIRES_ON", "policyType": 0, "policyPriority": 0, "description": "Policy for data with EXPIRES_ON tag", "isAuditEnabled": true, "resources": { "tag": { "values": [ "EXPIRES_ON" ], "isExcludes": false, "isRecursive": false } }, "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:update", "isAllowed": true }, { "type": "hive:create", "isAllowed": true }, { "type": "hive:drop", "isAllowed": true }, { "type": "hive:alter", "isAllowed": true }, { "type": "hive:index", "isAllowed": true }, { "type": "hive:lock", "isAllowed": true }, { "type": "hive:all", "isAllowed": true }, { "type": "hive:read", "isAllowed": true }, { "type": "hive:write", "isAllowed": true }, { "type": "kms:create", "isAllowed": true }, { "type": "kms:delete", "isAllowed": true }, { "type": "kms:rollover", "isAllowed": true }, { "type": "kms:setkeymaterial", "isAllowed": true }, { "type": "kms:get", "isAllowed": true }, { "type": "kms:getkeys", "isAllowed": true }, { "type": "kms:getmetadata", "isAllowed": true }, { "type": "kms:generateeek", "isAllowed": true }, { "type": "kms:decrypteek", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [ { "type": "accessed-after-expiry", "values": [ "yes" ] } ], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 93, "guid": "a9f9f5ba-33fe-48a5-9b7e-e10a938a66bd", "isEnabled": true, "version": 2, "service": "privacera_tag", "name": "UNPROTECT_CC", "policyType": 1, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "PROTECTED_CC" ], "isExcludes": false, "isRecursive": false } }, "policyItems": [], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [ "kate" ], "groups": [], "roles": [ "fiona_sales_role" ], "conditions": [], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "hive:CUSTOM", "valueExpr": "privacera.unprotect({col},'CREDITCARD')" } } ], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 117, "guid": "4e1dfe80-b1e8-4870-96bf-178f62ec82a7", "isEnabled": true, "version": 1, "service": "privacera_tag", "name": "Decrypt SSN", "policyType": 1, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "SSN" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false, "dataMaskInfo": { "dataMaskType": "hive:CUSTOM", "valueExpr": "privacera.unprotect({col}, 'TEST')" } } ], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 173, "guid": "3c07813a-53a9-4af5-82fe-6c93cdb95b49", "isEnabled": true, "version": 13, "service": "privacera_tag", "name": "COE Access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "REQ_COE_CERT" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "s3:read", "isAllowed": true }, { "type": "s3:write", "isAllowed": true }, { "type": "s3:delete", "isAllowed": true }, { "type": "s3:mread", "isAllowed": true }, { "type": "s3:mwrite", "isAllowed": true }, { "type": "s3:admin", "isAllowed": true }, { "type": "athena:Alter", "isAllowed": true }, { "type": "athena:BatchGetNamedQuery", "isAllowed": true }, { "type": "athena:BatchGetQueryExecution", "isAllowed": true }, { "type": "athena:Create", "isAllowed": true }, { "type": "athena:CreateNamedQuery", "isAllowed": true }, { "type": "athena:CreateWorkGroup", "isAllowed": true }, { "type": "athena:DeleteNamedQuery", "isAllowed": true }, { "type": "athena:DeleteWorkGroup", "isAllowed": true }, { "type": "athena:Drop", "isAllowed": true }, { "type": "athena:GetNamedQuery", "isAllowed": true }, { "type": "athena:GetWorkGroup", "isAllowed": true }, { "type": "athena:ListNamedQueries", "isAllowed": true }, { "type": "athena:ListQueryExecutions", "isAllowed": true }, { "type": "athena:ListTagsForResource", "isAllowed": true }, { "type": "athena:ListWorkGroups", "isAllowed": true }, { "type": "athena:Select", "isAllowed": true }, { "type": "athena:StopQueryExecution", "isAllowed": true }, { "type": "athena:TagResource", "isAllowed": true }, { "type": "athena:UntagResource", "isAllowed": true }, { "type": "athena:UpdateWorkGroup", "isAllowed": true }, { "type": "adls:read", "isAllowed": true }, { "type": "adls:write", "isAllowed": true }, { "type": "adls:delete", "isAllowed": true }, { "type": "adls:mread", "isAllowed": true }, { "type": "adls:mwrite", "isAllowed": true }, { "type": "adls:admin", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [ { "accesses": [ { "type": "s3:read", "isAllowed": true }, { "type": "s3:write", "isAllowed": true }, { "type": "s3:delete", "isAllowed": true }, { "type": "s3:mread", "isAllowed": true }, { "type": "s3:mwrite", "isAllowed": true }, { "type": "athena:Alter", "isAllowed": true }, { "type": "athena:BatchGetNamedQuery", "isAllowed": true }, { "type": "athena:BatchGetQueryExecution", "isAllowed": true }, { "type": "athena:Create", "isAllowed": true }, { "type": "athena:CreateNamedQuery", "isAllowed": true }, { "type": "athena:CreateWorkGroup", "isAllowed": true }, { "type": "athena:DeleteNamedQuery", "isAllowed": true }, { "type": "athena:DeleteWorkGroup", "isAllowed": true }, { "type": "athena:Drop", "isAllowed": true }, { "type": "athena:GetNamedQuery", "isAllowed": true }, { "type": "athena:GetWorkGroup", "isAllowed": true }, { "type": "athena:ListNamedQueries", "isAllowed": true }, { "type": "athena:ListQueryExecutions", "isAllowed": true }, { "type": "athena:ListTagsForResource", "isAllowed": true }, { "type": "athena:ListWorkGroups", "isAllowed": true }, { "type": "athena:Select", "isAllowed": true }, { "type": "athena:StopQueryExecution", "isAllowed": true }, { "type": "athena:TagResource", "isAllowed": true }, { "type": "athena:UntagResource", "isAllowed": true }, { "type": "athena:UpdateWorkGroup", "isAllowed": true }, { "type": "adls:read", "isAllowed": true }, { "type": "adls:write", "isAllowed": true }, { "type": "adls:delete", "isAllowed": true }, { "type": "adls:mread", "isAllowed": true }, { "type": "adls:mwrite", "isAllowed": true } ], "users": [], "groups": [], "roles": [ "coe_certified_role" ], "conditions": [], "delegateAdmin": false } ], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "Sales Zone", "isDenyAllElse": false }, { "id": 175, "guid": "56cd874e-c0c0-4166-b0de-e0fd262bb5ad", "isEnabled": true, "version": 6, "service": "privacera_tag", "name": "SPI Phone Access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "SSN", "PERSON_NAME" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "s3:read", "isAllowed": true }, { "type": "s3:write", "isAllowed": true }, { "type": "s3:delete", "isAllowed": true }, { "type": "s3:mread", "isAllowed": true }, { "type": "s3:mwrite", "isAllowed": true }, { "type": "s3:admin", "isAllowed": true }, { "type": "adls:read", "isAllowed": true }, { "type": "adls:write", "isAllowed": true }, { "type": "adls:delete", "isAllowed": true }, { "type": "adls:mread", "isAllowed": true }, { "type": "adls:mwrite", "isAllowed": true }, { "type": "adls:admin", "isAllowed": true }, { "type": "gcs:read", "isAllowed": true }, { "type": "gcs:write", "isAllowed": true }, { "type": "gcs:delete", "isAllowed": true }, { "type": "gcs:mread", "isAllowed": true }, { "type": "gcs:mwrite", "isAllowed": true }, { "type": "gcs:admin", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 259, "guid": "e29b71e0-bb3a-48aa-a5b5-c40357206bf5", "isEnabled": true, "version": 1, "service": "privacera_tag", "name": "abc", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "PLAYER" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:update", "isAllowed": true }, { "type": "hive:create", "isAllowed": true }, { "type": "hive:drop", "isAllowed": true }, { "type": "hive:alter", "isAllowed": true }, { "type": "hive:index", "isAllowed": true }, { "type": "hive:lock", "isAllowed": true }, { "type": "hive:all", "isAllowed": true }, { "type": "hive:read", "isAllowed": true }, { "type": "hive:write", "isAllowed": true }, { "type": "redshift:CreateDatabase", "isAllowed": true }, { "type": "redshift:CreateSchema", "isAllowed": true }, { "type": "redshift:UsageSchema", "isAllowed": true }, { "type": "redshift:CreateTable", "isAllowed": true }, { "type": "redshift:Select", "isAllowed": true }, { "type": "redshift:Insert", "isAllowed": true }, { "type": "redshift:Update", "isAllowed": true }, { "type": "redshift:Delete", "isAllowed": true }, { "type": "redshift:ListClusters", "isAllowed": true }, { "type": "redshift:CreateCluster", "isAllowed": true }, { "type": "redshift:UpdateCluster", "isAllowed": true }, { "type": "redshift:DeleteCluster", "isAllowed": true }, { "type": "redshift:ResizeCluster", "isAllowed": true }, { "type": "redshift:PauseCluster", "isAllowed": true }, { "type": "redshift:RebootCluster", "isAllowed": true }, { "type": "redshift:CreateSnapshot", "isAllowed": true }, { "type": "redshift:RestoreSnapshot", "isAllowed": true } ], "users": [ "emily" ], "groups": [], "roles": [], "conditions": [], "delegateAdmin": false } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false }, { "id": 261, "guid": "dabb75b3-0c4a-49bc-8e89-2050b7ef52a2", "isEnabled": true, "version": 1, "service": "privacera_tag", "name": "PATIENT data access", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "PATIENT" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "snowflake:Select", "isAllowed": true }, { "type": "redshift:UsageSchema", "isAllowed": true }, { "type": "redshift:Select", "isAllowed": true } ], "users": [ "emily", "imad.qureshi" ], "groups": [], "roles": [], "conditions": [], "delegateAdmin": false } ], "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "Sales Zone", "isDenyAllElse": false }, { "id": 262, "guid": "9a687ae8-124e-47e4-a7cd-a6280fab8306", "isEnabled": true, "version": 21, "service": "privacera_tag", "name": "Deny SSN to offshore", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "SSN" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "hive:select", "isAllowed": true }, { "type": "hive:read", "isAllowed": true }, { "type": "s3:read", "isAllowed": true }, { "type": "adls:read", "isAllowed": true }, { "type": "adls:write", "isAllowed": true }, { "type": "adls:delete", "isAllowed": true }, { "type": "adls:mread", "isAllowed": true }, { "type": "adls:mwrite", "isAllowed": true }, { "type": "adls:admin", "isAllowed": true }, { "type": "gcs:read", "isAllowed": true }, { "type": "gcs:write", "isAllowed": true }, { "type": "gcs:delete", "isAllowed": true }, { "type": "gcs:mread", "isAllowed": true }, { "type": "gcs:mwrite", "isAllowed": true }, { "type": "gcs:admin", "isAllowed": true } ], "users": [], "groups": [], "roles": [ "offshore" ], "conditions": [], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "Sales Zone", "isDenyAllElse": false }, { "id": 278, "guid": "ea05eba4-8f94-4d3a-a9b9-1dc18d0aa86e", "isEnabled": true, "version": 2, "service": "privacera_tag", "name": "Medical Record Number Access", "policyType": 0, "policyPriority": 1, "description": "", "isAuditEnabled": true, "resources": { "tag": { "values": [ "MEDICAL_RECORD" ], "isExcludes": false, "isRecursive": false } }, "conditions": [], "policyItems": [], "denyPolicyItems": [ { "accesses": [ { "type": "starburst-enterprise-presto:select", "isAllowed": true }, { "type": "starburst-enterprise-presto:insert", "isAllowed": true }, { "type": "starburst-enterprise-presto:delete", "isAllowed": true }, { "type": "starburst-enterprise-presto:update", "isAllowed": true }, { "type": "starburst-enterprise-presto:ownership", "isAllowed": true }, { "type": "starburst-enterprise-presto:execute", "isAllowed": true }, { "type": "starburst-enterprise-presto:kill", "isAllowed": true } ], "users": [], "groups": [ "public" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "allowExceptions": [], "denyExceptions": [ { "accesses": [ { "type": "starburst-enterprise-presto:select", "isAllowed": true }, { "type": "starburst-enterprise-presto:execute", "isAllowed": true } ], "users": [], "groups": [ "clinical" ], "roles": [], "conditions": [], "delegateAdmin": false } ], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], "serviceType": "tag", "options": {}, "validitySchedules": [], "policyLabels": [], "zoneName": "", "isDenyAllElse": false } ], "serviceDef": { "id": 100, "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e", "isEnabled": true, "createdBy": "Admin", "updatedBy": "Admin", "createTime": 1588366042000, "updateTime": 1602619697000, "version": 26, "name": "tag", "displayName": "tag", "implClass": "org.apache.ranger.services.tag.RangerServiceTag", "label": "TAG", "description": "TAG Service Definition", "options": { "enableDenyAndExceptionsInPolicies": "true", "ui.pages": "tag-based-policies" }, "configs": [], "resources": [ { "itemId": 1, "name": "tag", "type": "string", "level": 1, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "wildCard": "false", "ignoreCase": "false" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":false }", "label": "TAG", "description": "TAG", "accessTypeRestrictions": [], "isValidLeaf": true } ], "accessTypes": [ { "itemId": 3004, "name": "hive:select", "label": "select", "impliedGrants": [] }, { "itemId": 3005, "name": "hive:update", "label": "update", "impliedGrants": [] }, { "itemId": 3006, "name": "hive:create", "label": "Create", "impliedGrants": [] }, { "itemId": 3007, "name": "hive:drop", "label": "Drop", "impliedGrants": [] }, { "itemId": 3008, "name": "hive:alter", "label": "Alter", "impliedGrants": [] }, { "itemId": 3009, "name": "hive:index", "label": "Index", "impliedGrants": [] }, { "itemId": 3010, "name": "hive:lock", "label": "Lock", "impliedGrants": [] }, { "itemId": 3011, "name": "hive:all", "label": "All", "impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock", "hive:read", "hive:write" ] }, { "itemId": 3012, "name": "hive:read", "label": "Read", "impliedGrants": [] }, { "itemId": 3013, "name": "hive:write", "label": "Write", "impliedGrants": [] }, { "itemId": 7008, "name": "kms:create", "label": "Create", "impliedGrants": [] }, { "itemId": 7009, "name": "kms:delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 7010, "name": "kms:rollover", "label": "Rollover", "impliedGrants": [] }, { "itemId": 7011, "name": "kms:setkeymaterial", "label": "Set Key Material", "impliedGrants": [] }, { "itemId": 7012, "name": "kms:get", "label": "Get", "impliedGrants": [] }, { "itemId": 7013, "name": "kms:getkeys", "label": "Get Keys", "impliedGrants": [] }, { "itemId": 7014, "name": "kms:getmetadata", "label": "Get Metadata", "impliedGrants": [] }, { "itemId": 7015, "name": "kms:generateeek", "label": "Generate EEK", "impliedGrants": [] }, { "itemId": 7016, "name": "kms:decrypteek", "label": "Decrypt EEK", "impliedGrants": [] }, { "itemId": 101102, "name": "s3:read", "label": "read", "impliedGrants": [] }, { "itemId": 101103, "name": "s3:write", "label": "write", "impliedGrants": [] }, { "itemId": 101104, "name": "s3:delete", "label": "delete", "impliedGrants": [] }, { "itemId": 101105, "name": "s3:mread", "label": "metadata read", "impliedGrants": [] }, { "itemId": 101106, "name": "s3:mwrite", "label": "metadata write", "impliedGrants": [] }, { "itemId": 101107, "name": "s3:admin", "label": "admin", "impliedGrants": [] }, { "itemId": 102103, "name": "dynamodb:read", "label": "Read", "impliedGrants": [] }, { "itemId": 102104, "name": "dynamodb:write", "label": "Write", "impliedGrants": [] }, { "itemId": 102105, "name": "dynamodb:create", "label": "Create", "impliedGrants": [] }, { "itemId": 102106, "name": "dynamodb:delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 102107, "name": "dynamodb:listtables", "label": "ListTables", "impliedGrants": [] }, { "itemId": 102108, "name": "dynamodb:admin", "label": "Admin", "impliedGrants": [ "dynamodb:read", "dynamodb:write", "dynamodb:create", "dynamodb:delete", "dynamodb:listtables" ] }, { "itemId": 103104, "name": "athena:Alter", "label": "Alter", "impliedGrants": [] }, { "itemId": 103105, "name": "athena:BatchGetNamedQuery", "label": "BatchGetNamedQuery", "impliedGrants": [] }, { "itemId": 103106, "name": "athena:BatchGetQueryExecution", "label": "BatchGetQueryExecution", "impliedGrants": [] }, { "itemId": 103107, "name": "athena:Create", "label": "Create", "impliedGrants": [] }, { "itemId": 103108, "name": "athena:CreateNamedQuery", "label": "CreateNamedQuery", "impliedGrants": [] }, { "itemId": 103109, "name": "athena:CreateWorkGroup", "label": "CreateWorkGroup", "impliedGrants": [] }, { "itemId": 103110, "name": "athena:DeleteNamedQuery", "label": "DeleteNamedQuery", "impliedGrants": [] }, { "itemId": 103111, "name": "athena:DeleteWorkGroup", "label": "DeleteWorkGroup", "impliedGrants": [] }, { "itemId": 103112, "name": "athena:Drop", "label": "Drop", "impliedGrants": [] }, { "itemId": 103113, "name": "athena:GetNamedQuery", "label": "GetNamedQuery", "impliedGrants": [] }, { "itemId": 103114, "name": "athena:GetWorkGroup", "label": "GetWorkGroup", "impliedGrants": [] }, { "itemId": 103115, "name": "athena:ListNamedQueries", "label": "ListNamedQueries", "impliedGrants": [] }, { "itemId": 103116, "name": "athena:ListQueryExecutions", "label": "ListQueryExecutions", "impliedGrants": [] }, { "itemId": 103117, "name": "athena:ListTagsForResource", "label": "ListTagsForResource", "impliedGrants": [] }, { "itemId": 103118, "name": "athena:ListWorkGroups", "label": "ListWorkGroups", "impliedGrants": [] }, { "itemId": 103119, "name": "athena:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 103120, "name": "athena:StopQueryExecution", "label": "StopQueryExecution", "impliedGrants": [] }, { "itemId": 103121, "name": "athena:TagResource", "label": "TagResource", "impliedGrants": [] }, { "itemId": 103122, "name": "athena:UntagResource", "label": "UntagResource", "impliedGrants": [] }, { "itemId": 103123, "name": "athena:UpdateWorkGroup", "label": "UpdateWorkGroup", "impliedGrants": [] }, { "itemId": 104105, "name": "glue:GetCatalogImportStatus", "label": "GetCatalogImportStatus", "impliedGrants": [] }, { "itemId": 104106, "name": "glue:GetDatabases", "label": "GetDatabases", "impliedGrants": [] }, { "itemId": 104107, "name": "glue:GetDatabase", "label": "GetDatabase", "impliedGrants": [] }, { "itemId": 104108, "name": "glue:GetTables", "label": "GetTables", "impliedGrants": [] }, { "itemId": 104109, "name": "glue:GetTable", "label": "GetTable", "impliedGrants": [] }, { "itemId": 104110, "name": "glue:CreateTable", "label": "CreateTable", "impliedGrants": [] }, { "itemId": 104111, "name": "glue:CreateDatabase", "label": "CreateDatabase", "impliedGrants": [] }, { "itemId": 104112, "name": "glue:DeleteDatabase", "label": "DeleteDatabase", "impliedGrants": [] }, { "itemId": 104113, "name": "glue:DeleteTable", "label": "DeleteTable", "impliedGrants": [] }, { "itemId": 106107, "name": "kinesis:AddTagsToStream", "label": "AddTagsToStream", "impliedGrants": [] }, { "itemId": 106108, "name": "kinesis:CreateStream", "label": "CreateStream", "impliedGrants": [] }, { "itemId": 106109, "name": "kinesis:DecreaseStreamRetentionPeriod", "label": "DecreaseStreamRetentionPeriod", "impliedGrants": [] }, { "itemId": 106110, "name": "kinesis:DeleteStream", "label": "DeleteStream", "impliedGrants": [] }, { "itemId": 106111, "name": "kinesis:DeregisterStreamConsumer", "label": "DeregisterStreamConsumer", "impliedGrants": [] }, { "itemId": 106112, "name": "kinesis:DescribeLimits", "label": "DescribeLimits", "impliedGrants": [] }, { "itemId": 106113, "name": "kinesis:DescribeStream", "label": "DescribeStream", "impliedGrants": [] }, { "itemId": 106114, "name": "kinesis:DescribeStreamConsumer", "label": "DescribeStreamConsumer", "impliedGrants": [] }, { "itemId": 106115, "name": "kinesis:DescribeStreamSummary", "label": "DescribeStreamSummary", "impliedGrants": [] }, { "itemId": 106116, "name": "kinesis:DisableEnhancedMonitoring", "label": "DisableEnhancedMonitoring", "impliedGrants": [] }, { "itemId": 106117, "name": "kinesis:EnableEnhancedMonitoring", "label": "EnableEnhancedMonitoring", "impliedGrants": [] }, { "itemId": 106118, "name": "kinesis:GetRecords", "label": "GetRecords", "impliedGrants": [] }, { "itemId": 106119, "name": "kinesis:GetShardIterator", "label": "GetShardIterator", "impliedGrants": [] }, { "itemId": 106120, "name": "kinesis:IncreaseStreamRetentionPeriod", "label": "IncreaseStreamRetentionPeriod", "impliedGrants": [] }, { "itemId": 106121, "name": "kinesis:ListShards", "label": "ListShards", "impliedGrants": [] }, { "itemId": 106122, "name": "kinesis:ListStreamConsumers", "label": "ListStreamConsumers", "impliedGrants": [] }, { "itemId": 106123, "name": "kinesis:ListStreams", "label": "ListStreams", "impliedGrants": [] }, { "itemId": 106124, "name": "kinesis:ListTagsForStream", "label": "ListTagsForStream", "impliedGrants": [] }, { "itemId": 106125, "name": "kinesis:MergeShards", "label": "MergeShards", "impliedGrants": [] }, { "itemId": 106126, "name": "kinesis:PutRecord", "label": "PutRecord", "impliedGrants": [] }, { "itemId": 106127, "name": "kinesis:PutRecords", "label": "PutRecords", "impliedGrants": [] }, { "itemId": 106128, "name": "kinesis:RegisterStreamConsumer", "label": "RegisterStreamConsumer", "impliedGrants": [] }, { "itemId": 106129, "name": "kinesis:RemoveTagsFromStream", "label": "RemoveTagsFromStream", "impliedGrants": [] }, { "itemId": 106130, "name": "kinesis:SplitShard", "label": "SplitShard", "impliedGrants": [] }, { "itemId": 106131, "name": "kinesis:StartStreamEncryption", "label": "StartStreamEncryption", "impliedGrants": [] }, { "itemId": 106132, "name": "kinesis:StopStreamEncryption", "label": "StopStreamEncryption", "impliedGrants": [] }, { "itemId": 106133, "name": "kinesis:SubscribeToShard", "label": "SubscribeToShard", "impliedGrants": [] }, { "itemId": 106134, "name": "kinesis:UpdateShardCount", "label": "UpdateShardCount", "impliedGrants": [] }, { "itemId": 106135, "name": "kinesis:CreateDeliveryStream", "label": "CreateDeliveryStream", "impliedGrants": [] }, { "itemId": 106136, "name": "kinesis:DeleteDeliveryStream", "label": "DeleteDeliveryStream", "impliedGrants": [] }, { "itemId": 106137, "name": "kinesis:DescribeDeliveryStream", "label": "DescribeDeliveryStream", "impliedGrants": [] }, { "itemId": 106138, "name": "kinesis:ListDeliveryStreams", "label": "ListDeliveryStreams", "impliedGrants": [] }, { "itemId": 106139, "name": "kinesis:UpdateDestination", "label": "UpdateDestination", "impliedGrants": [] }, { "itemId": 107108, "name": "lambda:Create", "label": "Create", "impliedGrants": [] }, { "itemId": 107109, "name": "lambda:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 107110, "name": "lambda:Execute", "label": "Execute", "impliedGrants": [] }, { "itemId": 107111, "name": "lambda:List", "label": "List", "impliedGrants": [] }, { "itemId": 107112, "name": "lambda:Read", "label": "Read", "impliedGrants": [] }, { "itemId": 107113, "name": "lambda:Write", "label": "Write", "impliedGrants": [] }, { "itemId": 108109, "name": "mssql:CreateDatabase", "label": "Create Database", "impliedGrants": [] }, { "itemId": 108110, "name": "mssql:CreateSchema", "label": "Create Schema", "impliedGrants": [] }, { "itemId": 108111, "name": "mssql:CreateTable", "label": "Create Table", "impliedGrants": [] }, { "itemId": 108112, "name": "mssql:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 108113, "name": "mssql:Insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 108114, "name": "mssql:Update", "label": "Update", "impliedGrants": [] }, { "itemId": 108115, "name": "mssql:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 109110, "name": "adls:read", "label": "read", "impliedGrants": [] }, { "itemId": 109111, "name": "adls:write", "label": "write", "impliedGrants": [] }, { "itemId": 109112, "name": "adls:delete", "label": "delete", "impliedGrants": [] }, { "itemId": 109113, "name": "adls:mread", "label": "metadata read", "impliedGrants": [] }, { "itemId": 109114, "name": "adls:mwrite", "label": "metadata write", "impliedGrants": [] }, { "itemId": 109115, "name": "adls:admin", "label": "admin", "impliedGrants": [] }, { "itemId": 111112, "name": "kafka:publish", "label": "Publish", "impliedGrants": [ "kafka:describe" ] }, { "itemId": 111113, "name": "kafka:consume", "label": "Consume", "impliedGrants": [ "kafka:describe" ] }, { "itemId": 111116, "name": "kafka:configure", "label": "Configure", "impliedGrants": [ "kafka:describe" ] }, { "itemId": 111117, "name": "kafka:describe", "label": "Describe", "impliedGrants": [] }, { "itemId": 111118, "name": "kafka:kafka_admin", "label": "Kafka Admin", "impliedGrants": [ "kafka:publish", "kafka:consume", "kafka:configure", "kafka:describe", "kafka:create", "kafka:delete", "kafka:describe_configs", "kafka:alter_configs", "kafka:idempotent_write", "kafka:cluster_action" ] }, { "itemId": 111119, "name": "kafka:create", "label": "Create", "impliedGrants": [] }, { "itemId": 111120, "name": "kafka:delete", "label": "Delete", "impliedGrants": [ "kafka:describe" ] }, { "itemId": 111121, "name": "kafka:idempotent_write", "label": "Idempotent Write", "impliedGrants": [] }, { "itemId": 111122, "name": "kafka:describe_configs", "label": "Describe Configs", "impliedGrants": [] }, { "itemId": 111123, "name": "kafka:alter_configs", "label": "Alter Configs", "impliedGrants": [ "kafka:describe_configs" ] }, { "itemId": 111124, "name": "kafka:cluster_action", "label": "Cluster Action", "impliedGrants": [] }, { "itemId": 113114, "name": "powerbi:Contributor", "label": "Contributor", "impliedGrants": [] }, { "itemId": 113115, "name": "powerbi:Member", "label": "Member", "impliedGrants": [] }, { "itemId": 113116, "name": "powerbi:Admin", "label": "Admin", "impliedGrants": [] }, { "itemId": 113117, "name": "powerbi:None", "label": "None", "impliedGrants": [] }, { "itemId": 114115, "name": "gcs:read", "label": "read", "impliedGrants": [] }, { "itemId": 114116, "name": "gcs:write", "label": "write", "impliedGrants": [] }, { "itemId": 114117, "name": "gcs:delete", "label": "delete", "impliedGrants": [] }, { "itemId": 114118, "name": "gcs:mread", "label": "metadata read", "impliedGrants": [] }, { "itemId": 114119, "name": "gcs:mwrite", "label": "metadata write", "impliedGrants": [] }, { "itemId": 114120, "name": "gcs:admin", "label": "admin", "impliedGrants": [] }, { "itemId": 115116, "name": "gbq:CreateTable", "label": "CreateTable", "impliedGrants": [] }, { "itemId": 115117, "name": "gbq:CreateTableAsSelect", "label": "CreateTableAsSelect", "impliedGrants": [] }, { "itemId": 115118, "name": "gbq:CreateView", "label": "CreateView", "impliedGrants": [] }, { "itemId": 115119, "name": "gbq:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 115120, "name": "gbq:DropTable", "label": "DropTable", "impliedGrants": [] }, { "itemId": 115121, "name": "gbq:DropView", "label": "DropView", "impliedGrants": [] }, { "itemId": 115122, "name": "gbq:Insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 115123, "name": "gbq:Query", "label": "Query", "impliedGrants": [] }, { "itemId": 115124, "name": "gbq:Update", "label": "Update", "impliedGrants": [] }, { "itemId": 116117, "name": "snowflake:CreateSchema", "label": "CreateSchema", "impliedGrants": [] }, { "itemId": 116118, "name": "snowflake:CreateTmpTable", "label": "CreateTmpTable", "impliedGrants": [] }, { "itemId": 116119, "name": "snowflake:CreateTable", "label": "CreateTable", "impliedGrants": [] }, { "itemId": 116120, "name": "snowflake:UseSchema", "label": "UseSchema", "impliedGrants": [] }, { "itemId": 116121, "name": "snowflake:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 116122, "name": "snowflake:Insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 116123, "name": "snowflake:Update", "label": "Update", "impliedGrants": [] }, { "itemId": 116124, "name": "snowflake:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 116125, "name": "snowflake:UseDB", "label": "UseDB", "impliedGrants": [] }, { "itemId": 116126, "name": "snowflake:Operate", "label": "Operate", "impliedGrants": [] }, { "itemId": 116127, "name": "snowflake:UseWarehouse", "label": "UseWarehouse", "impliedGrants": [] }, { "itemId": 116128, "name": "snowflake:SelectOnView", "label": "SelectOnView", "impliedGrants": [] }, { "itemId": 116129, "name": "snowflake:CreateWarehouse", "label": "CreateWarehouse", "impliedGrants": [] }, { "itemId": 116130, "name": "snowflake:CreateDatabase", "label": "CreateDatabase", "impliedGrants": [] }, { "itemId": 117118, "name": "postgres:CreateDatabase", "label": "Create Database", "impliedGrants": [] }, { "itemId": 117119, "name": "postgres:ConnectDatabase", "label": "Connect Database", "impliedGrants": [] }, { "itemId": 117120, "name": "postgres:CreateSchema", "label": "Create Schema", "impliedGrants": [] }, { "itemId": 117121, "name": "postgres:UsageSchema", "label": "Usage Schema", "impliedGrants": [] }, { "itemId": 117122, "name": "postgres:CreateTable", "label": "Create Table", "impliedGrants": [] }, { "itemId": 117123, "name": "postgres:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 117124, "name": "postgres:Insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 117125, "name": "postgres:Update", "label": "Update", "impliedGrants": [] }, { "itemId": 117126, "name": "postgres:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 117127, "name": "postgres:Truncate", "label": "Truncate", "impliedGrants": [] }, { "itemId": 118119, "name": "redshift:CreateDatabase", "label": "Create Database", "impliedGrants": [] }, { "itemId": 118120, "name": "redshift:CreateSchema", "label": "Create Schema", "impliedGrants": [] }, { "itemId": 118121, "name": "redshift:UsageSchema", "label": "Usage Schema", "impliedGrants": [] }, { "itemId": 118122, "name": "redshift:CreateTable", "label": "Create Table", "impliedGrants": [] }, { "itemId": 118123, "name": "redshift:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 118124, "name": "redshift:Insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 118125, "name": "redshift:Update", "label": "Update", "impliedGrants": [] }, { "itemId": 118126, "name": "redshift:Delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 118127, "name": "redshift:ListClusters", "label": "ListClusters", "impliedGrants": [] }, { "itemId": 118128, "name": "redshift:CreateCluster", "label": "CreateCluster", "impliedGrants": [] }, { "itemId": 118129, "name": "redshift:UpdateCluster", "label": "UpdateCluster", "impliedGrants": [] }, { "itemId": 118130, "name": "redshift:DeleteCluster", "label": "DeleteCluster", "impliedGrants": [] }, { "itemId": 118131, "name": "redshift:ResizeCluster", "label": "ResizeCluster", "impliedGrants": [] }, { "itemId": 118132, "name": "redshift:PauseCluster", "label": "PauseCluster", "impliedGrants": [] }, { "itemId": 118133, "name": "redshift:RebootCluster", "label": "RebootCluster", "impliedGrants": [] }, { "itemId": 118134, "name": "redshift:CreateSnapshot", "label": "CreateSnapshot", "impliedGrants": [] }, { "itemId": 118135, "name": "redshift:RestoreSnapshot", "label": "RestoreSnapshot", "impliedGrants": [] }, { "itemId": 119120, "name": "starburst-enterprise-presto:select", "label": "Select", "impliedGrants": [] }, { "itemId": 119121, "name": "starburst-enterprise-presto:insert", "label": "Insert", "impliedGrants": [] }, { "itemId": 119122, "name": "starburst-enterprise-presto:delete", "label": "Delete", "impliedGrants": [] }, { "itemId": 119123, "name": "starburst-enterprise-presto:update", "label": "Update", "impliedGrants": [] }, { "itemId": 119124, "name": "starburst-enterprise-presto:ownership", "label": "Ownership", "impliedGrants": [ "starburst-enterprise-presto:select", "starburst-enterprise-presto:insert", "starburst-enterprise-presto:delete", "starburst-enterprise-presto:update" ] }, { "itemId": 119125, "name": "starburst-enterprise-presto:execute", "label": "Execute", "impliedGrants": [] }, { "itemId": 119126, "name": "starburst-enterprise-presto:kill", "label": "Kill", "impliedGrants": [] } ], "policyConditions": [ { "itemId": 1, "name": "accessed-after-expiry", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator", "evaluatorOptions": { "scriptTemplate": "ctx.isAccessedAfter('expiry_date');" }, "uiHint": "{ \"singleValue\":true }", "label": "Accessed after expiry_date (yes/no)?", "description": "Accessed after expiry_date? (yes/no)" }, { "itemId": 2, "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator", "evaluatorOptions": { "ui.isMultiline": "true", "engineName": "JavaScript" }, "label": "Enter boolean expression", "description": "Boolean expression" } ], "contextEnrichers": [ { "itemId": 1, "name": "TagEnricher", "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher", "enricherOptions": { "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval": "60000" } } ], "enums": [], "dataMaskDef": { "maskTypes": [ { "itemId": 3004, "name": "hive:MASK", "label": "Redact", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "mask({col})", "dataMaskOptions": {} }, { "itemId": 3005, "name": "hive:MASK_SHOW_LAST_4", "label": "Partial mask: show last 4", "description": "Show last 4 characters; replace rest with 'x'", "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 3006, "name": "hive:MASK_SHOW_FIRST_4", "label": "Partial mask: show first 4", "description": "Show first 4 characters; replace rest with 'x'", "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 3007, "name": "hive:MASK_HASH", "label": "Hash", "description": "Hash the value", "transformer": "mask_hash({col})", "dataMaskOptions": {} }, { "itemId": 3008, "name": "hive:MASK_NULL", "label": "Nullify", "description": "Replace with NULL", "dataMaskOptions": {} }, { "itemId": 3009, "name": "hive:MASK_NONE", "label": "Unmasked (retain original value)", "description": "No masking", "dataMaskOptions": {} }, { "itemId": 3015, "name": "hive:MASK_DATE_SHOW_YEAR", "label": "Date: show only year", "description": "Date: show only year", "transformer": "mask({col}, 'x', 'x', 'x', -1, '1', 1, 0, -1)", "dataMaskOptions": {} }, { "itemId": 3016, "name": "hive:CUSTOM", "label": "Custom", "description": "Custom", "dataMaskOptions": {} }, { "itemId": 108109, "name": "mssql:MASK", "label": "Default", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "default()", "dataMaskOptions": {} }, { "itemId": 108121, "name": "mssql:CUSTOM", "label": "Custom", "description": "Custom", "dataMaskOptions": {} }, { "itemId": 116117, "name": "snowflake:MASK", "label": "Default", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "default()", "dataMaskOptions": {} }, { "itemId": 116118, "name": "snowflake:MASK_HASH", "label": "Hash", "description": "Hash the value", "dataMaskOptions": {} }, { "itemId": 116119, "name": "snowflake:MASK_NULL", "label": "Nullify", "description": "Replace with NULL", "dataMaskOptions": {} }, { "itemId": 116120, "name": "snowflake:MASK_NONE", "label": "Unmasked (retain original value)", "description": "No masking", "dataMaskOptions": {} }, { "itemId": 116121, "name": "snowflake:REGEX_EXPR", "label": "Regular expression", "description": "regular expression", "dataMaskOptions": { "inputField": "true", "inputFieldInfo": "[{\"placeHolder\": \"Enter regular expression\",\"targetKey\": \"valueExpr\"},{\"placeHolder\": \"Enter replace value\",\"targetKey\": \"replaceValue\"}]" } }, { "itemId": 116122, "name": "snowflake:MASK_VALUE", "label": "Literal mask", "description": "maskValue", "dataMaskOptions": { "inputField": "true", "inputFieldInfo": "[{\"placeHolder\": \"Enter masked value\",\"targetKey\": \"valueExpr\"}]" } }, { "itemId": 116123, "name": "snowflake:MASK_SHOW_LAST_4", "label": "Partial mask: show last 4", "description": "Show last 4 characters; replace rest with 'x'", "dataMaskOptions": {} }, { "itemId": 116124, "name": "snowflake:MASK_SHOW_FIRST_4", "label": "Partial mask: show first 4", "description": "Show first 4 characters; replace rest with 'x'", "dataMaskOptions": {} }, { "itemId": 116125, "name": "snowflake:PROTECT", "label": "Protect", "description": "Protect Data with PEG Scheme", "dataMaskOptions": { "inputField": "true", "inputFieldInfo": "[{\"placeHolder\": \"Enter scheme name\",\"targetKey\": \"valueExpr\"}]" } }, { "itemId": 116126, "name": "snowflake:UNPROTECT", "label": "Unprotect", "description": "Unprotect Data with PEG Scheme", "dataMaskOptions": { "inputField": "true", "inputFieldInfo": "[{\"placeHolder\": \"Enter scheme name\",\"targetKey\": \"valueExpr\"}]" } }, { "itemId": 116127, "name": "snowflake:CUSTOM", "label": "Custom", "description": "Custom", "dataMaskOptions": {} }, { "itemId": 117118, "name": "postgres:MASK", "label": "Default", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "default()", "dataMaskOptions": {} }, { "itemId": 117119, "name": "postgres:NULLIFY", "label": "Nullify", "description": "Displays null values", "dataMaskOptions": {} }, { "itemId": 117120, "name": "postgres:UNMASKED", "label": "Unmasked", "description": "Unmasked (retain original value)", "dataMaskOptions": {} }, { "itemId": 117121, "name": "postgres:CUSTOM", "label": "Custom", "description": "Custom", "dataMaskOptions": {} }, { "itemId": 119120, "name": "starburst-enterprise-presto:MASK", "label": "Mask", "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "transformer": "mask({col})", "dataMaskOptions": {} }, { "itemId": 119121, "name": "starburst-enterprise-presto:MASK_SHOW_LAST_4", "label": "Partial mask: show last 4", "description": "Show last 4 characters; replace rest with 'x'", "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 119122, "name": "starburst-enterprise-presto:MASK_SHOW_FIRST_4", "label": "Partial mask: show first 4", "description": "Show first 4 characters; replace rest with 'x'", "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')", "dataMaskOptions": {} }, { "itemId": 119123, "name": "starburst-enterprise-presto:MASK_HASH", "label": "Hash", "description": "Hash the value", "transformer": "mask_hash({col})", "dataMaskOptions": {} }, { "itemId": 119124, "name": "starburst-enterprise-presto:MASK_NULL", "label": "Nullify", "description": "Replace with NULL", "dataMaskOptions": {} } ], "accessTypes": [ { "itemId": 3004, "name": "hive:select", "label": "select", "impliedGrants": [] }, { "itemId": 108112, "name": "mssql:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 116121, "name": "snowflake:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 117123, "name": "postgres:Select", "label": "Select", "impliedGrants": [] }, { "itemId": 119120, "name": "starburst-enterprise-presto:select", "label": "Select", "impliedGrants": [] } ], "resources": [ { "itemId": 1, "name": "tag", "type": "string", "level": 1, "mandatory": true, "lookupSupported": true, "recursiveSupported": false, "excludesSupported": false, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher", "matcherOptions": { "__isValidLeaf": "true", "wildCard": "false", "__accessTypeRestrictions": "[]", "ignoreCase": "false" }, "validationRegEx": "", "validationMessage": "", "uiHint": "{ \"singleValue\":false }", "label": "TAG", "description": "TAG", "accessTypeRestrictions": [], "isValidLeaf": true } ] }, "rowFilterDef": { "accessTypes": [], "resources": [] } }, "auditMode": "audit-default" }, "serviceConfig": {} }
Starburst Enterprise Platform#
Starburst Enterprise platform (SEP) is a commercial distribution of PrestoSQL. It includes additional security features, more connectors, and a cost-based query optimizer. As with standard PrestoSQL, SEP is designed to support an external Apache Ranger plug-in control. This can be configured in following two ways:
-
System-Level: Resource policies defined in PrivaceraCloud under the 'privacera_starburst' resource service control access to Starburst resources;
-
System-Plus-Hive: Resource policies defined in PrivaceraCloud under both the 'privacera_starburst' AND 'privacera_hive' resource services control access to Starburst resources;
Configuration for System-Plus-Hive approach requires two additional files to be configured. Let's configure Starburst Enterprise (SEP) to use your PrivaceraCloud Ranger account.
Configuration#
Configure the following six files as per below table.
| File | Standard Location | Usage |
|---|---|---|
| hive.properties | etc/catalog | Global Hive properties |
| config.properties | etc | Points to plug-in configuration files |
| access-control-privacera.properties | etc | Values for Privacera access control |
| ranger-policymgr-ssl.xml | etc | Values for Ranger Policy Manager |
| ranger-hive-audit.xml | etc | Values for Ranger Hive and Audit |
| access-control-priv-hive.properties | etc | Values for Hive Policies (used only for "System-Plus-Hive" configuration) |
Steps#
-
Edit the file - hive.properties
- Comment out all lines beginning with the "ranger" keyword.
-
Add (if missing) the following properties and save the file.
hive.metastore=glue hive.security=allow-all
-
Edit the file - access-control-privacera.properties
-
Add the following properties and update the below variables as per your environment.
${RANGER_URL}, ${RANGER_API_USERNAME}, ${RANGER_API_PASSWORD}, ${PRESTO_CONFIG_PATH} and ${PRESTO_TEMP_DIRECTORY}.
access-control.name=privacera-starburst ranger.policy-rest-url=https://${RANGER_URL} ranger.service-name=privacera_starburstenterprisepresto ranger.presto-plugin-username=${RANGER_API_USERNAME} ranger.presto-plugin-password=${RANGER_API_PASSWORD} ranger.policy-refresh-interval=3s #Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml ranger.config-resources=${PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml #Example: ranger.policy-cache-dir=/tmp/ranger ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY} ranger.plugin-policy-ssl-config-file=${PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml -
Save the file.
-
-
Create/edit ranger-policymgr-ssl.xml file in folder ${PRESTO_CONFIG_PATH}/etc/ with the following content:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <property> <name>xasecure.policymgr.clientssl.truststore</name> <value>/usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts</value> </property> <property> <name>xasecure.policymgr.clientssl.truststore.password</name> <value>crypted</value> </property> <property> <name>xasecure.policymgr.clientssl.truststore.credential.file</name> <value>jceks://file/home/hadoop/downloads/presto-server/etc/ranger.jceks</value> </property> </configuration> -
Create/edit ranger-hive-audit.xml file in folder ${PRESTO_CONFIG_PATH}/etc/ with the following content and update the ${RANGER_URL} variable as per your environment.
<?xml version="1.0" encoding="UTF-8"?> <configuration> <property> <name>ranger.plugin.hive.service.name</name> <value>privacera_hive</value> </property> <property> <name>ranger.plugin.hive.policy.pollIntervalMs</name> <value>5000</value> </property> <property> <name>ranger.service.store.rest.url</name> <value> https://${RANGER_URL} </value> </property> <property> <name>ranger.plugin.hive.policy.rest.url</name> <value> https://${RANGER_URL} </value> </property> <property> <name>ranger.plugin.hive.policy.source.impl</name> <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description> Class to retrieve policies from the source </description> </property> <property> <name>ranger.plugin.hive.policy.rest.ssl.config.file</name> <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value> <description> Path to the file containing SSL details to contact Ranger Admin </description> </property> <property> <name>ranger.service.store.rest.ssl.config.file</name> <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value> </property> <property> <name>ranger.plugin.hive.policy.cache.dir</name> <value>/tmp/ranger</value> <description> Directory where Ranger policies are cached after successful retrieval from the source </description> </property> <property> <name>ranger.plugin.starburst-enterprise-presto.policy.cache.dir</name> <value>/tmp/ranger</value> <description> Directory where Ranger policies are cached after successful retrieval from the source </description> </property> <property> <name>xasecure.audit.destination.solr</name> <value>true</value> </property> <property> <name>xasecure.audit.destination.solr.batch.filespool.dir</name> <value> <presto temp file location> </value> </property> <property> <name>xasecure.audit.destination.solr.urls</name> <value> https://${RANGER_AUDIT_URL} </value> </property> <property> <name>xasecure.audit.is.enabled</name> <value>true</value> </property> <property> <name>xasecure.audit.solr.is.enabled</name> <value>true</value> </property> <property> <name>xasecure.audit.solr.async.max.queue.size</name> <value>1</value> </property> <property> <name>xasecure.audit.solr.async.max.flush.interval.ms</name> <value>1000</value> </property> </configuration> -
Modify the file - access-control-priv-hive.properties
If you are configuring for "System-Plus-Hive" then edit this file as follows substituting values for ${RANGER_URL}, ${RANGER_API_USERNAME}, ${RANGER_API_PSWD}, and {PRESTO_CONFIG_PATH} as they are referenced.
Do not modify this file if you are configuring for "System-Level" only.
access-control.name=privacera ranger.policy-rest-url=https://${RANGER_URL} ranger.service-name=privacera_hive privacera.catalogs=hive ranger.presto-plugin-username=${RANGER_API_USERNAME} ranger.presto-plugin-password=${RANGER_API_PSWD} ranger.policy-refresh-interval=3s #Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml ranger.config-resources={PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml #Example: ranger.policy-cache-dir=/tmp/ranger ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY} #Fallback allow-all allows privacera_starburst catalog-level permissions as fallback privacera.fallback-access-control=allow-all ranger.plugin-policy-ssl-config-file={PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml ranger.enable-row-filtering=true -
Edit the file - config.properties
-
If you are configuring for System-Level then add the following property:
access-control.config-files=etc/access-control-privacera.properties -
If you are configuring for System-Plus-Hive then add the following property.
Note: This is a single line property and need to be added as it is below.
access-control.config-files=etc/access-control-privacera.properties,etc/access-control-priv-hive.properties
-
-
Restart the Starburst.