Privacera Platform

Additional Privacera Manager configurations

Privacera Manager CLI

Privacera Manager (privacera-manager.sh) is a Linux shell script. It functions as a:

  1. Configuration controller: Handling installations and updates.

  2. Vault: Handling encryption-storage and decryption-retrieval of secure configuration properties.

  3. Service module controller: Starting, stopping, and reporting status for Privacera service modules.

Privacera Manager is normally installed to, and runs from, ~/privacera/privacera-manager/.

cd ~/privacera/privacera-manager/
./privacera-manager.sh update
Configuration Manager
./privacera-manager.sh update

As a configuration controller, Privacera Manager:

  • Parses the custom property files

  • Deploys the software components

  • Starts Privacera services

The update action runs Ansible against the host, so it needs passwordless access: SSH where Ansible connects remotely, and sudo for privilege escalation. If passwordless sudo is not available, put the sudo password in the inventory file as in the following procedure. That file then holds a privileged credential in plaintext: restrict it to the owner (chmod 600), keep it out of version control, and remove the entry once passwordless sudo is in place.

  1. Create privacera.inventory file.

    cd ~/privacera/privacera-manager
    vi config/privacera.inventory
    
  2. Append the following to the host line in the [servers] section, replacing YOURPASSWORD with the sudo password:

    ansible_sudo_pass=YOURPASSWORD
    

    Example:

    [servers]
    privacera ansible_connection=local OS_USER=privacera ansible_sudo_pass=$YOURPASSWORD
    
Privacera Manager Vault

As a secure property vault, Privacera Manager encrypts, stores, decrypts, and retrieves sensitive properties, such as passwords and access tokens, that would otherwise be entered in plaintext into individual configuration files. Use of the vault is optional.

A property value defined in the vault overrides the same property defined in any other custom-vars/vars.*.yml file. Best practice is to delete each sensitive variable from the other custom-vars/vars.*.yml files as you add it to the vault; otherwise the plaintext copy stays on disk even though it is no longer used.

./privacera-manager.sh vault

Configuration

  1. Optional: After Privacera Manager is installed, run ./privacera-manager.sh vault

  2. It prompts for a vault password. Provide a strong password using alphanumeric and special characters, such as 'Str0ngP@ssw0rd'. This password protects every secret in the vault, so do not reuse a password from another system.

  3. The vault opens and displays sample variables. Uncomment and set variables, or add new ones, for example SSL_DEFAULT_PASSWORD: "S0mOtherStr0ngP@ssw0rd".

  4. Save and exit.

Re-run ./privacera-manager.sh vault to reopen, and reset or add additional sensitive property values at any point.

Note

File ~/privacera/privacera-manager/config/custom-vars/vars.privacera-secrets.yml stores this encrypted data. Do not delete this file.
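The sudo-password step and the vault best practice above leave two questions a practitioner wants answered before running update: is any secret still sitting in plaintext outside the vault, and is the vault file itself protected? The following script is an added example for this page, not Privacera code. It uses the paths named on the page (config/privacera.inventory, config/custom-vars/vars.*.yml, config/custom-vars/vars.privacera-secrets.yml) and assumes, because Privacera Manager is Ansible-based, that the vault file is an Ansible Vault payload whose first line starts with $ANSIBLE_VAULT; (change VAULT_HEADER if your build writes a different header). The configuration tree it builds for the demonstration is constructed with dummy values.

```python
"""Audit Privacera Manager configuration for secrets left outside the vault.

Added example for this page; not part of Privacera Manager. Paths come from
the page. ASSUMPTION: vars.privacera-secrets.yml is an Ansible Vault payload
whose first line begins with "$ANSIBLE_VAULT;" (adjust VAULT_HEADER if not).
"""
import os
import re
import stat
import tempfile
from pathlib import Path

INVENTORY_FILE = "privacera.inventory"
VAULT_FILE = "custom-vars/vars.privacera-secrets.yml"
VAULT_HEADER = b"$ANSIBLE_VAULT;"  # assumption, see docstring
SUDO_PASS = re.compile(r"\bansible_sudo_pass=\S+")
# YAML keys whose names suggest a secret (SSL_DEFAULT_PASSWORD, *_TOKEN, ...)
SECRET_KEY = re.compile(
    r"^\s*([A-Za-z0-9_.]*(?:PASSWORD|PASSWD|SECRET|TOKEN)[A-Za-z0-9_.]*)\s*:", re.I)


def find_plaintext_secrets(config_dir):
    """Return [(relative_file, key)] for secret-bearing lines outside the vault file."""
    config_dir = Path(config_dir)
    findings = []
    inventory = config_dir / INVENTORY_FILE
    if inventory.is_file():
        for line in inventory.read_text().splitlines():
            if SUDO_PASS.search(line):
                findings.append((INVENTORY_FILE, "ansible_sudo_pass"))
    for yml in sorted((config_dir / "custom-vars").glob("vars.*.yml")):
        rel = f"custom-vars/{yml.name}"
        if rel == VAULT_FILE:
            continue  # encrypted; secrets are expected there
        for line in yml.read_text().splitlines():
            m = SECRET_KEY.match(line)
            if m:
                findings.append((rel, m.group(1)))
    return findings


def readable_by_others(path):
    """True if the group or world read bit is set (POSIX mode bits)."""
    mode = Path(path).stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def vault_is_encrypted(config_dir):
    """True if the vault file exists and starts with the Ansible Vault header."""
    vault = Path(config_dir) / VAULT_FILE
    if not vault.is_file():
        return False
    with vault.open("rb") as f:
        return f.readline().startswith(VAULT_HEADER)


def audit(config_dir):
    """Run all checks; a pre-update hook can fail the run on any bad value."""
    vault = Path(config_dir) / VAULT_FILE
    return {
        "plaintext_secrets": find_plaintext_secrets(config_dir),
        "vault_encrypted": vault_is_encrypted(config_dir),
        "vault_readable_by_others": vault.is_file() and readable_by_others(vault),
    }


def build_sample_config(root):
    """Write a CONSTRUCTED config tree with dummy values, mirroring the page's layout."""
    root = Path(root)
    (root / "custom-vars").mkdir(parents=True)
    # Inventory line from the page, with a dummy sudo password appended
    (root / INVENTORY_FILE).write_text(
        "[servers]\n"
        "privacera ansible_connection=local OS_USER=privacera ansible_sudo_pass=dummy-sudo-pw\n")
    # A custom vars file that still carries a secret that should have moved to the vault
    (root / "custom-vars" / "vars.portal.yml").write_text(
        'PORTAL_HOST: portal.example.internal\nSSL_DEFAULT_PASSWORD: "changeit"\n')
    # Stand-in for the encrypted vault: correct header, dummy ciphertext body, owner-only mode
    vault = root / VAULT_FILE
    vault.write_text("$ANSIBLE_VAULT;1.1;AES256\n30303030303030303030303030303030\n")
    os.chmod(vault, 0o600)
    return root


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_config(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real install, call audit(os.path.expanduser("~/privacera/privacera-manager/config")) from a pre-update hook and refuse to run update while plaintext_secrets is non-empty, vault_encrypted is false, or vault_readable_by_others is true; the name heuristic in SECRET_KEY is deliberately broad, so review its hits rather than suppressing them.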

Services Controller

As a Services controller, Privacera Manager is used to start, stop, and report status for the following Privacera modules:

  • portal

  • dataserver

  • discovery

  • ranger

  • ranger-usersync

  • kms

  • solr

  • zookeeper

  • kafka

  • pkafka

  • peg

  • grafana

  • graphite

  • mariadb

Service Commands

The service commands, with their purpose, description, and usage:

stop
    Stops all Privacera services. In a Kubernetes environment, once all the Privacera services are stopped, run the update action to start them again.
    Usage: ./privacera-manager.sh stop

stop <service>
    Stops the Docker containers or Kubernetes pods associated with the service. In a Kubernetes environment, once a service is stopped, run the update action to start it again.
    Usage: ./privacera-manager.sh stop <service>

restart
    Restarts all Privacera services.
    Usage: ./privacera-manager.sh restart

restart <service>
    Restarts the Docker containers or Kubernetes pods associated with the service.
    Usage: ./privacera-manager.sh restart <service>

status
    Reports the status of all Privacera services.
    Usage: ./privacera-manager.sh status

status <service>
    Reports the status of the Docker containers or Kubernetes pods associated with the service.
    Usage: ./privacera-manager.sh status <service>

setup
    Generates all the installation configuration files and scripts in the docker/output folder before the pods or containers are initialized.
    Usage: ./privacera-manager.sh setup

delete
    Deletes the MariaDB container or pod. Use this command when you want to move to an external database such as PostgreSQL or MySQL instead of the internal MariaDB.
    Usage: ./privacera-manager.sh delete mariadb

Verify YAML configuration files

When working with the YAML configuration files in the custom-vars folder, you can verify that they are syntactically correct. Before running the install or update, run the yaml_check command to analyze the YAML files for formatting and syntax errors.

The following command analyzes config/vars.privacera.yml and all files under the custom-vars folder:

./privacera-manager.sh yaml_check

Note

The yaml_check command does not show every error in the YAML files, only a few common ones such as extra blank lines, missing single or double quotes, and so on. To troubleshoot the errors, see Common Errors/Warnings in YAML Config Files.

Remove Privacera from an instance or virtual machine

Run the following commands to stop the Privacera services and remove Privacera configuration files and folders completely from an instance or virtual machine. This is applicable only to Docker-based environments.

cd ~/privacera/docker
./privacera_services down
cd ~/
sudo rm -rf privacera

Debugging and logging

Generate verbose logs

When you start installing Privacera, only the Ansible task names are displayed on the terminal. To view the underlying details of a task, do the following:

  1. Open ansible.cfg.

    vi ~/privacera/privacera-manager/config/ansible.cfg
    
  2. Set verbosity to a value from 1 (least detail) to 5 (most detail).

    verbosity=1
  3. Uncomment stdout_callback to display the output on the terminal.

    stdout_callback=minimal
View installation logs

After the installation completes, the logs are stored under logs/pm/ in the Privacera Manager directory, with the filename pm_run_<date_and_time>.log. Logs are also written when an installation is aborted. At higher verbosity levels Ansible can echo task arguments into these logs, so treat them as sensitive and lower the verbosity again once troubleshooting is done.

To list all the generated logs, run the following command:

ls logs/pm/

To view a generated log, run the following command:

vi logs/pm/pm_run_<date_and_time>.log

Advanced service configuration

Increase Privacera portal timeout for large requests

If you have a large number of users, groups, roles, or other objects defined in Privacera, the portal may time out while retrieving the data. You can increase the request timeout so that these requests complete.

Prerequisites

  • You are logged in to the machine where you have Privacera Manager installed

Procedure

  1. In a terminal, enter the ~/privacera/privacera-manager directory.

  2. Add the following variables to the config/custom-properties/portal-custom.properties file:

    • hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds: Specifies the length of time in milliseconds that a thread may run.

    • ribbon.ConnectTimeout: Specifies the TCP connection timeout in milliseconds.

    • ribbon.ReadTimeout: Specifies the HTTP response timeout in milliseconds.

    • zuul.host.connect-timeout-millis: Specifies the TCP connection timeout in milliseconds.

    • zuul.host.socket-timeout-millis: Specifies the TCP socket timeout in milliseconds.

    For example:

    hystrix.command.default.execution.isolation.thread.timeoutInMilliseconds=300000
    ribbon.ConnectTimeout=60000
    ribbon.ReadTimeout=300000
    zuul.host.connect-timeout-millis=60000
    zuul.host.socket-timeout-millis=300000
  3. Invoke Privacera Manager to apply the update:

    ./privacera-manager.sh update      
Order of precedence in PolicySync filter

If Filter by Group is set to true, the value of Filter by Role is ignored. Filter by Role is considered only when Filter by Group is false.

For example, with PostgreSQL:

  • When POSTGRES_MANAGE_USER_FILTERBY_GROUP is set to "true", Privacera checks if the user belongs to the groups in POSTGRES_MANAGE_GROUP_LIST.

  • When POSTGRES_MANAGE_USER_FILTERBY_ROLE is set to "true" and POSTGRES_MANAGE_USER_FILTERBY_GROUP is set to "false", Privacera checks if the user is assigned to a role in POSTGRES_MANAGE_ROLE_LIST.

This order of precedence applies to the following connectors:

  • Databricks SQL

  • Google BigQuery

  • Microsoft SQL Server

  • PostgreSQL

  • Redshift

  • Snowflake
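A small model of that precedence, added here as an example and not Privacera code, makes the interaction concrete: the user only reaches the role check when the group filter is off, so a matching role never rescues a user the group filter excludes. The setting names are the PostgreSQL ones from the page; the other prefix values, the comma-separated list format, and the rule that a connector with both filters off manages every user are assumptions (the page defines only the two filtered cases).

```python
"""Evaluate the PolicySync user-filter precedence described above.

Added example for this page; not Privacera code. Setting names follow the
page's PostgreSQL variables; pass prefix="SNOWFLAKE" etc. for other connectors.
ASSUMPTIONS: list values are comma-separated names, flags are the strings
"true"/"false", and with both filters off every user is in scope.
"""


def _flag(settings, key):
    return str(settings.get(key, "false")).strip().lower() == "true"


def _names(settings, key):
    return {n.strip() for n in str(settings.get(key, "")).split(",") if n.strip()}


def user_in_scope(settings, user_groups, user_roles, prefix="POSTGRES"):
    """Return (in_scope, rule). The group filter wins; the role filter applies only when it is off."""
    if _flag(settings, f"{prefix}_MANAGE_USER_FILTERBY_GROUP"):
        # FILTERBY_ROLE is ignored on this path even when it is "true"
        allowed = _names(settings, f"{prefix}_MANAGE_GROUP_LIST")
        return bool(allowed & set(user_groups)), "group"
    if _flag(settings, f"{prefix}_MANAGE_USER_FILTERBY_ROLE"):
        allowed = _names(settings, f"{prefix}_MANAGE_ROLE_LIST")
        return bool(allowed & set(user_roles)), "role"
    return True, "unfiltered"  # assumption: no filter configured, all users managed


# CONSTRUCTED cases: alice is in group "analysts" and holds role "reader".
ALICE_GROUPS = {"analysts"}
ALICE_ROLES = {"reader"}

CASES = {
    # Both filters on: the matching role does not help, the group filter decides.
    "both-on-group-miss": {
        "POSTGRES_MANAGE_USER_FILTERBY_GROUP": "true",
        "POSTGRES_MANAGE_USER_FILTERBY_ROLE": "true",
        "POSTGRES_MANAGE_GROUP_LIST": "finance",
        "POSTGRES_MANAGE_ROLE_LIST": "reader",
    },
    # Group filter off, role filter on: the role list is what counts.
    "role-only": {
        "POSTGRES_MANAGE_USER_FILTERBY_GROUP": "false",
        "POSTGRES_MANAGE_USER_FILTERBY_ROLE": "true",
        "POSTGRES_MANAGE_GROUP_LIST": "finance",
        "POSTGRES_MANAGE_ROLE_LIST": "reader,writer",
    },
    # Neither filter on: every user is provisioned.
    "no-filter": {},
}


def evaluate_cases(cases=CASES, groups=ALICE_GROUPS, roles=ALICE_ROLES):
    """Run the sample user through every case; returns {case: (in_scope, rule)}."""
    return {name: user_in_scope(cfg, groups, roles) for name, cfg in cases.items()}


if __name__ == "__main__":
    for name, (in_scope, rule) in evaluate_cases().items():
        print(f"{name:22} in_scope={in_scope!s:5} decided_by={rule}")
```

The returned rule name is the useful part when a user is unexpectedly provisioned or missing: "group" tells you at once that editing the role list will change nothing.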

Configure system properties

When you download the Privacera package, system properties for each Privacera service are pre-configured and bundled in it. Privacera allows you to append additional system properties that were not pre-configured. The services that can be configured this way, and the custom properties file name for each, are listed in a separate table in the Privacera documentation.

Configuration

To configure additional system properties, perform the following steps:

  1. From that table, find the custom properties file name for the service you want to configure.

  2. Replace $ADD_FILE_NAME with the file name in the following command and run it.

     vi ~/privacera/privacera-manager/config/custom-properties/$ADD_FILE_NAME
    
  3. Add the required system properties.

  4. Run the update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Example

Let's illustrate the steps described above with an example. Suppose you are unable to access Privacera Portal due to a Whitelabel Error Page message. To address this problem, you need to add the following properties:

  • privacera.portal.saml.max.authentication.age.sec

  • privacera.portal.saml.response.skew.sec

  • privacera.portal.saml.force.authn

These properties are not configured in the default system properties of the Portal service and have to be added separately.

To add these properties, perform the following steps:

  1. In the table, find the Portal service in the Service column and get its custom file name. In this case, it is portal-custom.properties.

  2. Add the file name in the following command and run it.

    vi ~/privacera/privacera-manager/config/custom-properties/portal-custom.properties
    
  3. Add the following properties with their values. Choose them deliberately: max.authentication.age.sec=31556952 is one year, the oldest IdP authentication statement the portal will accept, so use the smallest value that resolves the error; force.authn=true makes the portal require a fresh authentication at the IdP.

    privacera.portal.saml.max.authentication.age.sec=31556952 
    privacera.portal.saml.response.skew.sec=600 
    privacera.portal.saml.force.authn=true
    
  4. Run the update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
PolicySync
PolicySync properties

This topic covers how to configure additional system properties for multiple PolicySync connectors.

You can add properties for the following datasources in the configuration file rangersync-custom-v2.properties, as described below:

  • PostgreSQL

  • Microsoft SQL Server

  • Snowflake

  • Redshift

PolicySync and scalability

Each configured connector consumes memory and processing resources based on factors like the number of data objects, policies, and users. You may need to increase the memory or processing available to PolicySync as your usage grows.

The preferred strategy for scaling to large numbers of datasources for PolicySync is to add PolicySync repositories. Use of multiple PolicySync repositories is supported only in Kubernetes. Privacera Manager only supports deployment of a single PolicySync repository, so you may need to modify Helm charts directly.

In Docker, the only option is to use a larger node and add multiple connectors to the single repository, as described later in this topic.

PostgreSQL
  1. Create the rangersync-custom-v2.properties file, if it does not already exist, and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
  2. Example of adding another PostgreSQL connection with connector ID 5. For information about each property, see the connector property reference in the Privacera documentation. Prefer a {{VARIABLE}} placeholder for jdbc.password and new.user.password, as the Microsoft SQL Server and Snowflake examples below do, so the literal password does not sit in this file.

    ranger.policysync.connector.5=Postgres-dev
    ranger.policysync.connector.5.enabled=true
    ranger.policysync.connector.5.servicetype=postgres
    ranger.policysync.connector.5.jdbc.url=jdbc:postgresql://<connection_url>:5432
    ranger.policysync.connector.5.jdbc.username=postgres
    ranger.policysync.connector.5.jdbc.password=
    ranger.policysync.connector.5.jdbc.db=
    ranger.policysync.connector.5.master.database=
    ranger.policysync.connector.5.manage.database.list=
    ranger.policysync.connector.5.manage.schema.list=
    ranger.policysync.connector.5.manage.table.list=
    ranger.policysync.connector.5.manage.view.list=
    
    #Ignore Resource Lists
    ranger.policysync.connector.5.ignore.schema.list=
    ranger.policysync.connector.5.ignore.table.list=
    ranger.policysync.connector.5.new.user.password=
    ranger.policysync.connector.5.switch.ownership.role=
    ranger.policysync.connector.5.manage.service.user=true
    ranger.policysync.connector.5.manage.service.group=true
    ranger.policysync.connector.5.manage.service.role=true
    ranger.policysync.connector.5.perform.grant.updates=true
    
    #Filter User/Group
    ranger.policysync.connector.5.manage.user.filterby.group=false
    ranger.policysync.connector.5.manage.user.filterby.role=false
    ranger.policysync.connector.5.User.role.prefix=priv_user_
    ranger.policysync.connector.5.Group.role.prefix=priv_group_
    ranger.policysync.connector.5.Role.role.prefix=priv_role_
    
    #Enable Row Filter
    ranger.policysync.connector.5.enable.row.filter=true
    
    #Masked Value for Masking
    ranger.policysync.connector.5.masked.number.value=0
    ranger.policysync.connector.5.masked.double.value=0
    ranger.policysync.connector.5.masked.text.value='<MASKED>'
    ranger.policysync.connector.5.masked.varchar.value='<MASKED>'
    
    ranger.policysync.connector.5.manage.user.list=
    ranger.policysync.connector.5.manage.group.list=
    ranger.policysync.connector.5.manage.role.list=
    
    #View Based Masking and Row Filter
    ranger.policysync.connector.5.enable.view.based.row.filter=false
    ranger.policysync.connector.5.enable.view.based.masking=true
    ranger.policysync.connector.5.secure.view.schema.name=
    ranger.policysync.connector.5.secure.view.schema.name.prefix=
    ranger.policysync.connector.5.secure.view.schema.name.postfix=
    ranger.policysync.connector.5.secure.view.name.prefix=
    ranger.policysync.connector.5.secure.view.name.postfix=_secure
    ranger.policysync.connector.5.secure.view.schema.name.remove.suffix.list=
    ranger.policysync.connector.5.secure.view.name.remove.suffix.list=
    ranger.policysync.connector.5.secure.view.create.for.all=false
    
    #Audit Properties
    
    #Make this property true for audits
    ranger.policysync.connector.5.enable.audit=true
    ranger.policysync.connector.5.audit.sqs.queue.name=
    ranger.policysync.connector.5.region=
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
Microsoft SQL Server
  1. Create the rangersync-custom-v2.properties file, if it does not already exist, and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
  2. Example of adding another Microsoft SQL Server connection with connector ID 7. For information about each property, see the connector property reference in the Privacera documentation. The example ships with enabled=false and perform.grant.updates=false (a dry run); set both to true only after the connection and manage lists are verified.

    ranger.policysync.connector.7=Mssql
    
    # Enable below property to enable the mssql connector
    ranger.policysync.connector.7.enabled=false
    ranger.policysync.connector.7.servicetype=mssql
    ranger.policysync.connector.7.class=com.privacera.policysync.connector.PSMSSQLConnector
    ranger.policysync.connector.7.jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
    
    # DB Connection Properties
    ranger.policysync.connector.7.jdbc.url={{MSSQL_JDBC_URL}}
    ranger.policysync.connector.7.jdbc.db={{MSSQL_DEFAULT_DB}}
    ranger.policysync.connector.7.jdbc.username={{MSSQL_SYNC_USER_NAME}}
    ranger.policysync.connector.7.jdbc.password={{MSSQL_SYNC_USER_PASSWORD}}
    
    # ranger.policysync.connector.7.jdbc.authentication= (SqlPassword/ActiveDirectoryPassword)
    # Use ActiveDirectoryPassword in case of your jdbc admin is Azure AD User
    ranger.policysync.connector.7.jdbc.authentication=SqlPassword
    ranger.policysync.connector.7.master.database=master
    
    ranger.policysync.connector.7.database.list.format=database
    ranger.policysync.connector.7.schema.list.format=database.schema
    ranger.policysync.connector.7.table.list.format=database.schema.table
    ranger.policysync.connector.7.view.list.format=database.schema.view
    
    # Manage Lists
    #Database name which needs to be managed, Accepts : single name or multiple database names with comma separation.
    #Regex can be used i.e *_database (This will manage all the database named as company_database, products_database .etc).
    #Set the value as blank, to manage all the database.
    #Set the value as : none, to skip all the database.
    ranger.policysync.connector.7.manage.database.list={{MSSQL_DATABASES_LIST}}
    
    #schema name which needs to be managed, Accepts : single name or multiple schema names with comma separation.
    #Regex can be used i.e *_schema (This will manage all the schema named as company_schema, products_schema .etc).
    #Set the value as blank, to manage all the schema.
    #Set the value as : none, to skip all the schema.
    ranger.policysync.connector.7.manage.schema.list=
    
    # Ignore Lists
    ##Set list of database to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_database (This will ignore all the databases named admin_database, testing_database, etc.).
    ##Set the value as blank, to manage all the database.
    ##Set the value as : none, to skip all the database.
    ranger.policysync.connector.7.ignore.database.list=
    
    ##Set list of schema to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_schema (This will ignore all the schemas named admin_schema, testing_schema, etc.).
    ##Set the value as blank, to manage all the schema.
    ##Set the value as : none, to skip all the schema.
    ranger.policysync.connector.7.ignore.schema.list=*.sys,*.privacera_security,*.guest,*.db_denydatareader,*.db_denydatawriter,*.db_datareader,*.db_datawriter,*.db_ddladmin,*.db_backupoperator,*.db_accessadmin,*.db_securityadmin,*.db_owner
    
    ##Set list of user to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_user (This will ignore all the users named admin_user, testing_user, etc.).
    ##Set the value as blank, to manage all the user.
    ##Set the value as : none, to skip all the user.
    ranger.policysync.connector.7.ignore.user.list={{MSSQL_IGNORE_USERS}}
    
    # New User Password
    #ranger.policysync.connector.7.new.user.password=
    
    # New Resource Ownership
    ranger.policysync.connector.7.switch.ownership.role=dbo
    
    # Ranger Plugin Properties
    ranger.policysync.connector.7.ranger.service.type=mssql
    ranger.policysync.connector.7.ranger.service.appid=privacera_mssql
    
    ##Set prefix to create internal role for policy-sync
    ranger.policysync.connector.7.User.role.prefix=priv_user_
    ranger.policysync.connector.7.Group.role.prefix=priv_group_
    ranger.policysync.connector.7.Role.role.prefix=priv_role_
    
    ##To perform dry run when value is set as false, Default value : false
    ranger.policysync.connector.7.perform.grant.updates=false
    ranger.policysync.connector.7.ranger.resource.matching.scope=SELF
    
    #set value as true to perform grant update in a separate thread / Default Value : true
    ranger.policysync.connector.7.apply.perms.with.separate.thread=true
    ranger.policysync.connector.7.ranger.resource.zone.matching.scope=SELF_OR_ANCESTOR
    
    # Masking
    #The masking will not be applied to mentioned entities (User, Group, Role).  Accepts : single name or multiple names with comma separation.
    ranger.policysync.connector.7.masking.unmasked.users=
    ranger.policysync.connector.7.masking.unmasked.groups=
    ranger.policysync.connector.7.masking.unmasked.roles=
    ranger.policysync.connector.7.load.resources=load
    ranger.policysync.connector.7.load.users=load
    ranger.policysync.connector.7.load.policies=load
    ranger.policysync.connector.7.sync.interval.sec=60
    ranger.policysync.connector.7.manage.service.user=true
    ranger.policysync.connector.7.manage.service.group=true
    ranger.policysync.connector.7.manage.service.role=true
    
    # Audits
    ranger.policysync.connector.7.enable.audit=false
    ranger.policysync.connector.7.audit.storage.url=
    ranger.policysync.connector.7.audit.initial.pull.min=30
    
    # set 'load_synapse' in case of synapse.
    # eg.ranger.policysync.connector.7.load.audits=load_synapse
    ranger.policysync.connector.7.load.audits=load
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
Snowflake
  1. Create the rangersync-custom-v2.properties file, if it does not already exist, and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
  2. Example of adding another Snowflake connection with connector ID 6. For information about each property, see the connector property reference in the Privacera documentation. Keep the administrative roles (SYSADMIN, ACCOUNTADMIN, SECURITYADMIN) in ignore.role.list so that PolicySync never grants or revokes against them.

    ranger.policysync.connector.6=Snowflake
    ranger.policysync.connector.6.enabled=false
    
    #ranger.policysync.connector.6.jdbc.url=jdbc:snowflake://${YOURHOST}
    ranger.policysync.connector.6.jdbc.url={{SNOWFLAKE_JDBC_URL}}
    ranger.policysync.connector.6.switch.ownership.role={{SNOWFLAKE_OWNER_ROLE}}
    ranger.policysync.connector.6.jdbc.username={{SNOWFLAKE_SYNC_USER_NAME}}
    ranger.policysync.connector.6.jdbc.password={{SNOWFLAKE_SYNC_USER_PASSWORD}}
    
    #Database name which needs to be managed, Accepts : single name or multiple database names with comma separation.
    #Regex can be used i.e *_database (This will manage all the database named as company_database, products_database .etc).
    #Set the value as blank, to manage all the database.
    #Set the value as : none, to skip all the database.
    ranger.policysync.connector.6.manage.database.list={{SNOWFLAKE_DATABASES_LIST}}
    
    #Warehouse which need to be used, Accepts : single value  i.e COMPUTE_WH
    ranger.policysync.connector.6.warehouse={{SNOWFLAKE_WAREHOUSE_TO_USE}}
    
    #Role which need to be used by policy-sync, Accepts : single value  i.e PRIVACERA_SYNC_ROLE
    ranger.policysync.connector.6.role={{SNOWFLAKE_ROLE_TO_USE}}
    #need to set simple OR advance property as true for audit
    ranger.policysync.connector.6.audit.source.simple=false
    ranger.policysync.connector.6.audit.source.advance=false
    ranger.policysync.connector.6.advance.audit.db.name=PRIVACERA_ACCESS_LOGS_DB
    ranger.policysync.connector.6.audit.initial.pull.min=30
    
    ##Set value true to create managed users at end service , Default value : False
    ranger.policysync.connector.6.manage.service.user=false
    
    ##Set list of users to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_user (This will manage all the user named as admin_user, clerk_user .etc).
    ##Set the value as blank, to manage all the users.
    ##Set the value as : none, to skip all the users.
    #ranger.policysync.connector.6.manage.user.list=
    
    ##Set value true to create managed groups at end service , Default value : False
    ranger.policysync.connector.6.manage.service.group=false
    
    ##Set list of groups to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_groups (This will manage all the groups named as admin_groups, clerk_groups .etc).
    ##Set the value as blank, to manage all the groups.
    ##Set the value as : none, to skip all the groups.
    #ranger.policysync.connector.6.manage.group.list=
    
    ##Set value true to create managed roles at end service , Default value : False
    ranger.policysync.connector.6.manage.service.role=false
    
    ##Set list of roles to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_role (This will manage all the role named as admin_role, testing_role .etc).
    ##Set the value as blank, to manage all the roles.
    ##Set the value as : none, to skip all the roles.
    #ranger.policysync.connector.6.manage.role.list=
    
    ##To perform dry run when value is set as false, Default value : false
    ranger.policysync.connector.6.perform.grant.updates=false
    
    ##Set list of roles to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_role (This will ignore all the roles named admin_role, testing_role, etc.).
    ##Set the value as blank, to manage all the roles.
    ##Set the value as : none, to skip all the roles.
    ranger.policysync.connector.6.ignore.role.list=SYSADMIN,ACCOUNTADMIN,SECURITYADMIN
    
    ##Set list of schema to be ignored by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_schema (This will ignore all the schemas named finance_schema, dev_schema, etc.).
    ##Set the value as blank, to manage all the schema.
    ##Set the value as : none, to skip all the schema.
    ranger.policysync.connector.6.ignore.schema.list=*.information_schema
    ranger.policysync.connector.6.ranger.service.appid=privacera_snowflake
    ranger.policysync.connector.6.servicetype=snowflake
    ranger.policysync.connector.6.class=com.privacera.policysync.connector.PSSnowflakeConnector
    ranger.policysync.connector.6.jdbc.driver=net.snowflake.client.jdbc.SnowflakeDriver
    ranger.policysync.connector.6.jdbc.db=snowflake
    
    ##Set list of database to be ignored by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_database (This will ignore all the databases named finance_database, dev_database, etc.).
    ##Set the value as blank, to manage all the database.
    ##Set the value as : none, to skip all the database.
    ranger.policysync.connector.6.ignore.database.list=demo_db,snowflake,util_db,SNOWFLAKE_SAMPLE_DATA
    ranger.policysync.connector.6.database.list.format=database
    ranger.policysync.connector.6.schema.list.format=database.schema
    ranger.policysync.connector.6.table.list.format=database.schema.table
    ranger.policysync.connector.6.view.list.format=database.schema.view
    #ranger.policysync.connector.6.systemconfig=customSnowflakeConfig.json
    ranger.policysync.connector.6.load.resources=load
    #ranger.policysync.connector.6.load.resources=load_md
    ranger.policysync.connector.6.load.users=load_md
    ranger.policysync.connector.6.load.policies=load
    
    ##Set list of users to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
    ##Regex can be used i.e *_user (This will ignore all the users named admin_user, testing_user, etc.).
    ##Set the value as blank, to manage all the user.
    ##Set the value as : none, to skip all the user.
    ranger.policysync.connector.6.ignore.user.list=snowflake,privacera
    ranger.policysync.connector.6.sync.interval.sec=60
    
    #ranger.policysync.connector.6.new.user.password=
    ##Set prefix to create internal role for policy-sync
    ranger.policysync.connector.6.User.role.prefix=priv_user_
    ranger.policysync.connector.6.Group.role.prefix=priv_group_
    ranger.policysync.connector.6.Role.role.prefix=priv_role_
    
    # Set below property to true to enable column level access control
    ranger.policysync.connector.6.enable.column.level.access.control=false
    ##Database and schema to store masking policies, Accepts : single name
    ranger.policysync.connector.6.masking.policy.db.name=privacera_db
    ranger.policysync.connector.6.masking.policy.schema.name=privacera_db.public
    
    # For Masking
    ##Set true to enable masking, Default value : false
    ranger.policysync.connector.6.enable.masking=false
    
    # Masked Value for Column Access Control
    #ranger.policysync.connector.6.access.control.text.value='{{REDACTED}}'
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
Redshift
  1. Create the rangersync-custom-v2.properties file, if it does not already exist, and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
  2. Example of adding another Redshift connection with connector ID 3. For information about each property, see the connector property reference in the Privacera documentation. The xxxxxxxx values below are placeholders; supply the real jdbc.password and new.user.password through a {{VARIABLE}} placeholder rather than as literals in this file.

    ranger.policysync.connector.3=Redshift
    ranger.policysync.connector.3.enabled=true
    ranger.policysync.connector.3.servicetype=redshift-db
    ranger.policysync.connector.3.jdbc.url=jdbc:postgresql://c8nwggihrpkl.us-east-1.redshift.amazonaws.com:5439
    ranger.policysync.connector.3.jdbc.db=customer
    ranger.policysync.connector.3.jdbc.username=xxyyzz
    ranger.policysync.connector.3.jdbc.password=xxxxxxxx
    ranger.policysync.connector.3.master.database=customer
    ranger.policysync.connector.3.manage.database.list=customer
    ranger.policysync.connector.3.manage.schema.list=
    ranger.policysync.connector.3.manage.table.list=
    ranger.policysync.connector.3.manage.view.list=
    # Ignore Resource Lists
    ranger.policysync.connector.3.new.user.password=xxxxxxxxx
    ranger.policysync.connector.3.switch.ownership.role=
    ranger.policysync.connector.3.manage.service.user=true
    ranger.policysync.connector.3.manage.service.group=true
    ranger.policysync.connector.3.manage.service.role=true
    ranger.policysync.connector.3.perform.grant.updates=true
    ranger.policysync.connector.3.User.role.prefix=priv_user_
    ranger.policysync.connector.3.Group.role.prefix=priv_group_
    ranger.policysync.connector.3.Role.role.prefix=priv_role_
    # Masked Value for Masking
    ranger.policysync.connector.3.masked.number.value=0
    ranger.policysync.connector.3.masked.double.value=0
    ranger.policysync.connector.3.masked.text.value='<MASKED>'
    ranger.policysync.connector.3.masked.varchar.value='<MASKED>'
    ranger.policysync.connector.3.manage.user.list=
    ranger.policysync.connector.3.manage.group.list=
    ranger.policysync.connector.3.manage.role.list=
    # Filter User/Group
    ranger.policysync.connector.3.manage.user.filterby.group=false
    ranger.policysync.connector.3.manage.user.filterby.role=false
    ranger.policysync.connector.3.user.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.user.name.replace.to.string=_
    ranger.policysync.connector.3.group.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.group.name.replace.to.string=_
    ranger.policysync.connector.3.role.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.role.name.replace.to.string=_
    # Ignore User/Group/Role Lists
    # View Based Masking and Row Filter
    ranger.policysync.connector.3.enable.view.based.row.filter=true
    ranger.policysync.connector.3.enable.view.based.masking=true
    ranger.policysync.connector.3.secure.view.schema.name=
    ranger.policysync.connector.3.secure.view.schema.name.prefix=
    ranger.policysync.connector.3.secure.view.schema.name.postfix=
    ranger.policysync.connector.3.secure.view.name.prefix=
    ranger.policysync.connector.3.secure.view.name.postfix=_secure
    ranger.policysync.connector.3.secure.view.schema.name.remove.suffix.list=
    ranger.policysync.connector.3.secure.view.name.remove.suffix.list=
    ranger.policysync.connector.3.secure.view.create.for.all=false
    ranger.policysync.connector.3.secure.view.access.by.table.policy=false
    # Audit Properties
    # Make this property true for audits
    ranger.policysync.connector.3.enable.audit=false
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
Configuring multiple connectors for a single PolicySync repository

A single PolicySync repository can be configured to serve more than one datasource. Add a section in rangersync-custom-v2.properties for each connector. Be sure to assign each connector its own unique integer connector ID.

For example:

# First, a PostgreSQL source with connector ID 5 named Postgres-dev
ranger.policysync.connector.5=Postgres-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=postgres

# additional properties for connector 5 as needed...

# Next, an MSSQL source with connector ID 7 named MSSql-Dev
ranger.policysync.connector.7=MSSql-Dev
# Enable below property to enable the mssql connector
ranger.policysync.connector.7.enabled=false
ranger.policysync.connector.7.servicetype=mssql

# additional properties for connector 7 as needed...
Configuring multiple connectors for multiple PolicySync repositories

By default, when you configure multiple connectors (datasources), they all connect to the default PolicySync repository in Privacera Portal, and every policy defined in that default repository is applied to every connector. Sharing one repository therefore means that a policy written for one datasource (for example, a development database) is also enforced on every other connector that uses that repository.

It is recommended to configure a separate PolicySync repository for each connector. Add the following two properties for the connector and set both to the name of the PolicySync repository, where <CONNECTOR_ID> is the unique number assigned to the connector and <POLICYSYNC_INSTANCE> is the name of the PolicySync repository you created in Privacera Portal.

ranger.policysync.connector.<CONNECTOR_ID>.ranger.service.name=<POLICYSYNC_INSTANCE>
ranger.policysync.connector.<CONNECTOR_ID>.ranger.service.appid=<POLICYSYNC_INSTANCE>

Example 1: The following configuration shows two Microsoft SQL Server connectors connected to the default PolicySync repository named privacera_mssql in Privacera Portal.

# MSSQL with connector ID 5 connected to default PolicySync
ranger.policysync.connector.5=mssql-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=mssql

# MSSQL with connector ID 7 connected to default PolicySync
ranger.policysync.connector.7=mssql-prod
ranger.policysync.connector.7.enabled=true
ranger.policysync.connector.7.servicetype=mssql

Example 2: The following configuration shows connector 5 connected to the default PolicySync repository named privacera_mssql in Privacera Portal, and connector 7 connected to the PolicySync repository named privacera_mssqltwo, a repository newly created in Privacera Portal.

# MSSQL with connector ID 5 connected to default PolicySync privacera_mssql
ranger.policysync.connector.5=mssql-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=mssql

# MSSQL with connector ID 7 connected to PolicySync privacera_mssqltwo
ranger.policysync.connector.7=mssql-prod
ranger.policysync.connector.7.enabled=true
ranger.policysync.connector.7.servicetype=mssql
ranger.policysync.connector.7.ranger.service.name=privacera_mssqltwo
ranger.policysync.connector.7.ranger.service.appid=privacera_mssqltwo
Configure a PolicySync connector to run in a dedicated Kubernetes pod

If your Privacera installation is deployed to a Kubernetes cluster, you can configure each PolicySync connector to run in a dedicated Kubernetes pod. A dedicated pod runs an instance of PolicySync for a connector that you specify.

You might want to use a dedicated pod to optimize resource allocation in your cluster by scheduling the pod in a particular region or on a specific node type.

Privacera supports the following scenarios:

  • Deploying dedicated pods for different connector types

  • Deploying dedicated pods for multiple instances of the same connector type

If you enable this feature, you must configure a dedicated pod for every PolicySync connector in your current configuration.

Databricks
Spark plugin
  1. Create privacera_spark_custom.properties file.

    vi ~/privacera/privacera-manager/config/custom-properties/privacera_spark_custom.properties
  2. Add the following properties as per your preferences.

    Property: privacera.jwt.dbx.login.user.fallback.enable
    Description: Set this property to fall back to the logged-in user when JWT is enabled.
    Example: privacera.jwt.dbx.login.user.fallback.enable=true

    Property: privacera.dbx.system.mounts
    Description: Comma-separated list of Databricks system mount points to be ignored in the OLAC cluster.
    Example: privacera.dbx.system.mounts=/,/databricks-results,/databricks/mlflow-tracking,/databricks-datasets,/databricks/mlflow-registry

  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
Access private DNS from Databricks cluster

Create another DNS entry (an alias) that maps to the private DNS name, so that the secondary name can be resolved directly from Databricks. Follow the steps below for your cluster type, then upload the modified init script back to DBFS.

OLAC Cluster

  1. Edit ranger_enable_scala.sh file.

    vi ranger_enable_scala.sh
  2. Add the following property.

    export DS_HOST=<alias_host>

FGAC Cluster

  1. Edit ranger_enable.sh file.

    vi ranger_enable.sh
  2. Add the following properties.

    export BASE_RANGER_URL=https://<alias_host>:6182
    export BASE_SOLR_URL=https://<alias_host>:6084
Table properties
PolicySync
Common Properties

Each entry lists the property, its description and, where one is defined, its default value.

ranger.policysync.connector.<id>
    Description: Unique connection name for the PolicySync connector.

ranger.policysync.connector.<id>.enabled
    Description: Toggle to enable/disable the connector.

ranger.policysync.connector.<id>.jdbc.url
    Description: JDBC connection URL.

ranger.policysync.connector.<id>.jdbc.username
    Description: Database username to be used with the JDBC connection.

ranger.policysync.connector.<id>.jdbc.password
    Description: Database password to be used with the JDBC connection.

ranger.policysync.connector.<id>.jdbc.db
    Description: Database name to be used with the JDBC connection.

ranger.policysync.connector.<id>.master.database
    Description: Master database.

ranger.policysync.connector.<id>.new.user.password
    Description: Password that is set for every new user created by the sync (all new users receive the same value).

ranger.policysync.connector.<id>.switch.ownership.role
    Description: Role name which PolicySync can switch to.

ranger.policysync.connector.<id>.manage.service.user
    Description: Enable/disable toggle for creating Ranger users.
    Default: TRUE

ranger.policysync.connector.<id>.manage.service.group
    Description: Enable/disable toggle for creating Ranger groups.
    Default: TRUE

ranger.policysync.connector.<id>.manage.service.role
    Description: Enable/disable toggle for creating Ranger roles.
    Default: TRUE

ranger.policysync.connector.<id>.User.role.prefix
    Description: Prefix prepended to the name when creating a user.
    Default: priv_user_

ranger.policysync.connector.<id>.Group.role.prefix
    Description: Prefix prepended to the name when creating a group.
    Default: priv_group_

ranger.policysync.connector.<id>.Role.role.prefix
    Description: Prefix prepended to the name when creating a role.
    Default: priv_role_

ranger.policysync.connector.<id>.manage.table.list
    Description: Table name(s) to be managed.
    Notes:
    • Provide multiple table names separated by commas.
    • A blank value manages all tables.
    • The value "none" skips all tables.
    • Regex can be used (ex: *_dev).

ranger.policysync.connector.<id>.manage.view.list
    Description: View name(s) to be managed.
    Notes:
    • Provide multiple view names separated by commas.
    • A blank value manages all views.
    • The value "none" skips all views.
    • Regex can be used (ex: *_dev).

ranger.policysync.connector.<id>.ignore.schema.list
    Description: Schema name(s) where policies are not enforced (ignored).
    Notes:
    • Provide multiple schema names separated by commas.
    • A blank value ignores nothing, so all schemas are managed.
    • The value "none" skips all schemas.
    • Regex can be used (ex: *_dev).

ranger.policysync.connector.<id>.ignore.table.list
    Description: Table name(s) where policies are not enforced (ignored).
    Notes:
    • Provide multiple table names separated by commas.
    • A blank value ignores nothing, so all tables are managed.
    • The value "none" skips all tables.
    • Regex can be used (ex: *_dev).

ranger.policysync.connector.<id>.manage.user.list
    Description: User names to be managed by PolicySync.
    Notes:
    • Provide multiple user names separated by commas.
    • A blank value manages all users.
    • The value "none" skips all users.
    • Regex can be used (ex: *_user).

ranger.policysync.connector.<id>.manage.group.list
    Description: Group names to be managed by PolicySync.
    Notes:
    • Provide multiple group names separated by commas.
    • A blank value manages all groups.
    • The value "none" skips all groups.
    • Regex can be used (ex: *_group).

ranger.policysync.connector.<id>.manage.role.list
    Description: Role names to be managed by PolicySync.
    Notes:
    • Provide multiple role names separated by commas.
    • A blank value manages all roles.
    • The value "none" skips all roles.
    • Regex can be used (ex: *_role).

ranger.policysync.connector.<id>.perform.grant.updates
    Description: Toggle to enable/disable PolicySync performing grant updates in the datasource.
    Default: TRUE

ranger.policysync.connector.<id>.manage.user.filterby.group
    Description: If true, PolicySync manages the users specified in manage.user.list only if they belong to a group specified in manage.group.list.
    Default: FALSE

ranger.policysync.connector.<id>.manage.user.filterby.role
    Description: If true, PolicySync manages the users specified in manage.user.list only if they are associated with a role specified in manage.role.list.
    Default: FALSE

ranger.policysync.connector.<id>.masked.number.value
    Description: Masking value for numeric columns in policies.
    Default: 0

ranger.policysync.connector.<id>.masked.double.value
    Description: Masking value for double (floating-point) columns in policies.
    Default: 0

ranger.policysync.connector.<id>.masked.text.value
    Description: Masking value for text columns in policies.
    Default: '<MASKED>'

ranger.policysync.connector.<id>.masked.varchar.value
    Description: Masking value for character (varchar) columns in policies.
    Default: '<MASKED>'

ranger.policysync.connector.<id>.enable.row.filter
    Description: Toggle to enable/disable row filtering.
    Default: TRUE

ranger.policysync.connector.<id>.enable.view.based.row.filter
    Description: Toggle to enable/disable view-based row filtering.
    Default: FALSE

ranger.policysync.connector.<id>.enable.view.based.masking
    Description: Toggle to enable/disable view-based masking.
    Default: TRUE

ranger.policysync.connector.<id>.secure.view.schema.name
    Description: Schema in which the secure views are created.
    Note: By default, the secure views used for view-based row filtering and masking are created in the same schema as the original table.

ranger.policysync.connector.<id>.secure.view.schema.name.prefix
    Description: Prefix added to the schema name of the secure views.
    Note: By default the secure view schema name is the same as the table schema name.

ranger.policysync.connector.<id>.secure.view.schema.name.postfix
    Description: Postfix added to the schema name of the secure views.
    Note: By default the secure view schema name is the same as the table schema name.

ranger.policysync.connector.<id>.secure.view.name.prefix
    Description: Prefix added to the name of the secure views.
    Note: By default no prefix is added; the secure view name is derived from the table name.

ranger.policysync.connector.<id>.secure.view.name.postfix
    Description: Postfix added to the name of the secure views.
    Default: _secure

ranger.policysync.connector.<id>.secure.view.schema.name.remove.suffix.list
    Description: Comma-separated suffixes to remove from the schema name when deriving the secure view schema name.
    Note: If blank, no suffix is removed and the secure view schema name is the same as the table schema name.

ranger.policysync.connector.<id>.secure.view.name.remove.suffix.list
    Description: Comma-separated suffixes to remove from the table name when deriving the secure view name.
    Note: If blank, no suffix is removed.

ranger.policysync.connector.<id>.secure.view.create.for.all
    Description: Toggle to create secure views for all tables, regardless of whether masking or row filter policies apply.
    Default: FALSE

ranger.policysync.connector.<id>.enable.audit
    Description: Toggle to enable/disable audits.
    Default: TRUE

ranger.policysync.connector.<id>.audit.sqs.queue.name
    Description: AWS SQS queue name to which the audit logs are sent.

ranger.policysync.connector.<id>.region
    Description: AWS region name.

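The secure.view.* properties above (also set in the connector 3 example earlier on this page) determine the schema and name of the views PolicySync creates for view-based masking and row filtering. Because the names are derived mechanically, two tables can map to the same secure view, or a derived name can coincide with a table that already exists. The following Python code is an added example and not Privacera's implementation: it applies the documented naming rules (schema override, prefix, postfix, suffix removal) to a constructed table inventory and reports such collisions. The order in which suffix removal and prefix/postfix are applied is an assumption, since the page does not state it, so check the derived names against the views PolicySync actually creates before relying on them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SecureViewConfig:
    """Mirrors the ranger.policysync.connector.<id>.secure.view.* properties.
    An empty string means the property is unset, as in the properties file."""
    schema_name: str = ""
    schema_name_prefix: str = ""
    schema_name_postfix: str = ""
    view_name_prefix: str = ""
    view_name_postfix: str = "_secure"
    schema_name_remove_suffix_list: str = ""
    view_name_remove_suffix_list: str = ""


def _suffixes(value):
    """Split a comma-separated suffix list, dropping blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]


def _strip_suffix(name, suffixes):
    """Remove the first listed suffix that matches the end of name."""
    for suffix in suffixes:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def secure_view_name(schema, table, cfg):
    """Return (schema, view_name) of the secure view derived for schema.table.
    Assumption (the page does not state the order): suffixes are removed first,
    then the prefix and postfix are added."""
    if cfg.schema_name:
        view_schema = cfg.schema_name
    else:
        base = _strip_suffix(schema, _suffixes(cfg.schema_name_remove_suffix_list))
        view_schema = f"{cfg.schema_name_prefix}{base}{cfg.schema_name_postfix}"
    base_view = _strip_suffix(table, _suffixes(cfg.view_name_remove_suffix_list))
    return view_schema, f"{cfg.view_name_prefix}{base_view}{cfg.view_name_postfix}"


def find_collisions(tables, cfg):
    """Given (schema, table) pairs, report secure-view names that two tables
    would share and secure-view names that an existing table already occupies."""
    existing = set(tables)
    by_view = defaultdict(list)
    for schema, table in tables:
        by_view[secure_view_name(schema, table, cfg)].append((schema, table))
    problems = []
    for (vschema, vname), sources in sorted(by_view.items()):
        if len(sources) > 1:
            problems.append(f"{vschema}.{vname} would be created for {len(sources)} tables: {sources}")
        if (vschema, vname) in existing:
            src = ".".join(sources[0])
            problems.append(f"{vschema}.{vname} already exists as a table; the secure view for {src} would collide with it")
    return problems


# Constructed sample inventory (not from the page).
SAMPLE_TABLES = [
    ("sales", "customers"),
    ("sales", "customers_secure"),   # a real table that happens to carry the default postfix
    ("sales", "orders"),
    ("sales", "orders_raw"),         # loses "_raw" below and then maps to the same view as orders
]

if __name__ == "__main__":
    cfg = SecureViewConfig(view_name_remove_suffix_list="_raw")
    for problem in find_collisions(SAMPLE_TABLES, cfg):
        print(problem)
```

With secure.view.create.for.all left at its default of FALSE only tables that carry masking or row filter policies get a secure view, so a collision reported here matters once such a policy lands on one of the tables involved; a dedicated secure.view.schema.name or a distinct secure.view.name.postfix removes the ambiguity.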
MSSQL

ranger.policysync.connector.<id>.class
    Description: Implementation class for the MSSQL connector.
    Default: com.privacera.policysync.connector.PSMSSQLConnector

ranger.policysync.connector.<id>.jdbc.driver
    Description: JDBC driver.
    Default: com.microsoft.sqlserver.jdbc.SQLServerDriver

ranger.policysync.connector.<id>.servicetype
    Description: Ranger service type.
    Default: mssql

ranger.policysync.connector.<id>.service.appid
    Description: Ranger service appId.
    Default: privacera_mssql

Snowflake

ranger.policysync.connector.<id>.class
    Description: Implementation class for the Snowflake connector.
    Default: com.privacera.policysync.connector.PSSnowflakeConnector

ranger.policysync.connector.<id>.jdbc.driver
    Description: JDBC driver.
    Default: net.snowflake.client.jdbc.SnowflakeDriver

ranger.policysync.connector.<id>.servicetype
    Description: Ranger service type.
    Default: snowflake

ranger.policysync.connector.<id>.service.appid
    Description: Ranger service appId.
    Default: privacera_snowflake

ranger.policysync.connector.<id>.audit.source.timezone
    Description: Audit source timezone.
    Default: US/Pacific

ranger.policysync.connector.<id>.enable.column.access.masking
    Description: Toggle to enable/disable masking-based column-level access control in Snowflake. When enabled, PolicySync returns '<REDACTED>' for text columns and 0 for numeric columns to which the user does not have access.
    Default: TRUE

ranger.policysync.connector.<id>.enable.column.access.exception
    Description: Toggle to throw an exception when the user has no column-level access; this causes the query to fail. If set to true, also set enable.column.access.masking to false.
    Default: FALSE

ranger.policysync.connector.<id>.enable.column.access.exception.function
    Description: The function called to throw the exception when the user has no column-level access in Snowflake.
    Default: {database}.PUBLIC.ThrowColumnAccessException('{col}')

ranger.policysync.connector.<id>.enable.row.filter
    Description: Toggle to enable native row filter functionality.
    Default: FALSE

ranger.policysync.connector.<id>.user.login.name.use.email
    Description: When set to true, PolicySync creates user accounts in Snowflake with the email address as the login name.
    Default: FALSE

ranger.policysync.connector.<id>.create.service.user
    Description: Toggle to create user accounts in Snowflake.
    Default: TRUE

ranger.policysync.connector.<id>.create.service.user.role
    Description: Toggle to allow PolicySync to create user roles in Snowflake.
    Default: TRUE

ranger.policysync.connector.<id>.user.name.replace.from.regex
    Description: Regular expression whose matches in the user name are replaced with the string in user.name.replace.to.string.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.user.name.replace.to.string
    Description: Replacement string for the characters matched by user.name.replace.from.regex.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.group.name.replace.from.regex
    Description: Regular expression whose matches in the group name are replaced with the string in group.name.replace.to.string.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.group.name.replace.to.string
    Description: Replacement string for the characters matched by group.name.replace.from.regex.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.role.name.replace.from.regex
    Description: Regular expression whose matches in the role name are replaced with the string in role.name.replace.to.string.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.role.name.replace.to.string
    Description: Replacement string for the characters matched by role.name.replace.from.regex.
    Note: If set to blank, no find-and-replace is performed.

ranger.policysync.connector.<id>.secure.view.schema.name.remove.suffix.list
    Description: Comma-separated list of strings; if one of them matches as a suffix of the schema name, that suffix is removed from the schema name.
    Note: If set to blank, no replacement happens.

ranger.policysync.connector.<id>.secure.view.name.remove.suffix.list
    Description: Comma-separated list of strings; if one of them matches as a suffix of the view name, that suffix is removed from the view name.
    Note: If set to blank, no replacement happens.

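The user/group/role.name.replace.from.regex properties, both in the connector 3 example earlier on this page and in the Snowflake table above, rewrite every character in the character class to the replace.to.string value (a single underscore in the example). The security consequence is that distinct principals can collapse into one datasource user or role, so a grant made for one of them reaches the others. The following Python code is an added example, not Privacera code: it reads the property values exactly as they are written in the properties file (undoing the Java properties backslash escaping), applies the substitution the way the description implies, and reports which names collide. The sample user names are constructed.

```python
import re
from collections import defaultdict

# Values exactly as they would appear in rangersync-custom-v2.properties. The file uses
# java.util.Properties escaping, so "\\" there is a single backslash in the value.
USER_NAME_REPLACE_FROM_REGEX = r"[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]"
USER_NAME_REPLACE_TO_STRING = "_"

# Constructed sample of Ranger user names (not from the page).
SAMPLE_USERS = [
    "john.doe@example.com",
    "john_doe@example.com",
    "john-doe@example.com",
    "CORP\\jdoe",
    "jane doe",
]


def unescape_properties_value(raw):
    """Undo java.util.Properties escaping for a value: a doubled backslash becomes
    one backslash, \\t \\n \\r \\f become control characters, and any other
    backslash is dropped so that "\\x" becomes "x". (\\uXXXX is not needed for
    these values and is omitted.)"""
    specials = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(specials.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def build_normalizer(from_regex_raw, to_string_raw):
    """Return the function the replace.from.regex / replace.to.string pair implies:
    every match of the regex is replaced by the literal to-string.
    A blank regex means no replacement, as the property table states."""
    if not from_regex_raw:
        return lambda name: name
    pattern = re.compile(unescape_properties_value(from_regex_raw))
    to_string = unescape_properties_value(to_string_raw)
    return lambda name: pattern.sub(lambda _m: to_string, name)


def find_collisions(names, normalize):
    """Map each normalized name back to its sources; return only those with more than one."""
    by_target = defaultdict(list)
    for name in names:
        by_target[normalize(name)].append(name)
    return {target: sources for target, sources in by_target.items() if len(sources) > 1}


if __name__ == "__main__":
    normalize = build_normalizer(USER_NAME_REPLACE_FROM_REGEX, USER_NAME_REPLACE_TO_STRING)
    for name in SAMPLE_USERS:
        print(f"{name!r:28} -> {normalize(name)!r}")
    for target, sources in find_collisions(SAMPLE_USERS, normalize).items():
        print(f"collision: {sources} all become {target!r}")
```

Note that the character class in the example covers symbols only: whitespace, commas and double quotes pass through unchanged, and `_` is replaced with itself. Run the check over the principals PolicySync will actually manage (after manage.user.list, manage.group.list and manage.role.list are applied) and resolve any collision, by narrowing those lists or adjusting the regex, before the accounts are created in the datasource.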
Redshift

ranger.policysync.connector.<id>.class
    Description: Implementation class for the Redshift connector.
    Default: com.privacera.policysync.connector.PSRedshiftDBConnector

ranger.policysync.connector.<id>.jdbc.driver
    Description: JDBC driver.
    Default: org.postgresql.Driver

ranger.policysync.connector.<id>.servicetype
    Description: Ranger service type.
    Default: redshift

ranger.policysync.connector.<id>.service.appid
    Description: Ranger service appId.
    Default: privacera_redshift

PostgreSQL

ranger.policysync.connector.<id>.class
    Description: Implementation class for the PostgreSQL connector.
    Default: com.privacera.policysync.connector.PSPostgresBaseConnector

ranger.policysync.connector.<id>.jdbc.driver
    Description: JDBC driver.
    Default: org.postgresql.Driver

ranger.policysync.connector.<id>.servicetype
    Description: Ranger service type.
    Default: postgres

ranger.policysync.connector.<id>.service.appid
    Description: Ranger service appId.
    Default: privacera_postgres