Privacera Manager installation steps
Installation using CLI
Before installing, make sure you have downloaded all the required Privacera installation packages. For more information, click here.
Environment setup
Copy the template configuration file sample.vars.privacera.yml to vars.privacera.yml and modify it for your specific environment.

    cd ~/privacera/privacera-manager
    cp config/sample.vars.privacera.yml config/vars.privacera.yml
    vi config/vars.privacera.yml
Edit the properties in the file.
Property Name: DEPLOYMENT_ENV_NAME
Description: This is the environment name. Specify a value that includes only lowercase alphanumeric characters or dashes (-), starts and ends with an alphanumeric character, and is no longer than 63 characters.
Example Values: privacera-env; privacera-prod; privacera-1

Property Name: app_hostname
Description: If the Privacera Platform has a fully qualified domain name (FQDN) assign that value, otherwise leave the property commented out.
Example Values: privacera.mycompany.local

Property Name: privacera_hub_user
Description: The hub username access credential, set to the value provided for <PRIVACERA_HUB_USER>. Note: For an air-gap install, enter the username of the internal repository URL.

Property Name: privacera_hub_password
Description: The hub password access credential, set to the value assigned for <PRIVACERA_HUB_PASSWORD>. Note: For an air-gap install, enter the password of the internal repository URL.

Property Name: PRIVACERA_IMAGE_TAG
Description: The image tag, set to the value assigned for <PRIVACERA_IMAGE_TAG>.

Property Name: PRIVACERA_BASE_DOWNLOAD_URL
Description: The download URL, set to the value assigned for <PRIVACERA_BASE_DOWNLOAD_URL>.

Property Name: DEPLOYMENT_SIZE
Description: This is the deployment size. Valid values are SMALL (default), MEDIUM and LARGE. For more information on CPU, memory, disk space, etc., for the deployment sizes, click here. Note: This is applicable only for a Kubernetes environment.
Example Values: SMALL
Configure the deployment mode
Docker
To deploy Privacera as Docker containers, simply copy the Docker properties template into the custom-vars/ folder.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.docker.yml config/custom-vars/
Kubernetes
To use and create a Kubernetes based deployment, first copy the Kubernetes properties template into the custom-vars/ folder.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.kubernetes.yml config/custom-vars/
Edit the vars.kubernetes.yml file and set the value of K8S_CLUSTER_NAME to the name of the target cluster.

    kubectl config get-contexts

The value is displayed under CLUSTER; it contains the ARN of the EKS cluster along with the cluster name. Copy the cluster name, and set the value of K8S_CLUSTER_NAME.

Open the YML file.

    vi config/custom-vars/vars.kubernetes.yml
Edit the following properties:
    #This variables enable Kubernetes related properties
    #Note: Please update all mandatory fields. Search for <PLEASE_CHANGE>
    K8S_CLUSTER_NAME: "<PLEASE_CHANGE>"

    #Name of the deployment. You can use privacera-prod, privacera-stage, etc
    K8S_NAMESPACE: "{{DEPLOYMENT_ENV_NAME}}"

    #Zones for Storage. For now, only one zone should be given
    #K8S_STORAGE_ZONES:
    # - "us-east-1a"

    #Default as 1, Recommended value is 32Gi and 3 for CLUSTER SIZE
    ZOOKEEPER_K8S_PVC_STORAGE_SIZE: "5Gi"
    ZOOKEEPER_CLUSTER_SIZE: 1

    #Default as 1, Recommended value is 32Gi and 3 for CLUSTER SIZE
    SOLR_K8S_PVC_STORAGE_SIZE: "5Gi"
    SOLR_K8S_CLUSTER_SIZE: 1

    #If your storage is encrypted, then set the below property
    #K8S_PV_ENCRYPTED: "true"
    #For AWS, it is ARN with keyId. E.g. arn:aws:kms:us-east-1:<account>:key/<hash>
    #K8S_PV_KEY: ""

    PRIVACERA_INSTALL_MODE: "kubernetes"

    #Uncomment to obtain external loadbalancer. Default values are "false"
    #PORTAL_K8S_LOADBALANCER_EXTERNAL: "true"
    #SOLR_K8S_LOADBALANCER_EXTERNAL: "true"
    #RANGER_K8S_LOADBALANCER_EXTERNAL: "true"
    #KAFKA_K8S_LOADBALANCER_EXTERNAL: "true"
    #DISCOVERY_K8S_LOADBALANCER_EXTERNAL: "true"
By default, Privacera creates a service account with the name privacera-sa. The account is bound to a namespace-level Role and RoleBinding, whose default values are privacera-sa-role and privacera-sa-role-bind respectively. If you want to change the default values of these three Kubernetes objects, click here.

For more information about configuring the service account, click here.
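The script below is an added example, not part of Privacera Manager or its pre-validation checks. It tests DEPLOYMENT_ENV_NAME against the naming rule in the property table, rejects a DEPLOYMENT_SIZE outside SMALL, MEDIUM and LARGE, lists keys still set to <PLEASE_CHANGE> (ignoring the commented note that mentions the placeholder), and flags a vars.privacera.yml that group or others can access, since that file holds privacera_hub_password. It assumes flat KEY: "value" lines as in the vars.kubernetes.yml listing; all function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Privacera code): sanity checks for Privacera Manager vars
# files. Assumes flat `KEY: "value"` lines; function names are hypothetical.

# Print the value of an uncommented top-level KEY, surrounding quotes stripped.
yaml_value() {  # usage: yaml_value FILE KEY
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# DEPLOYMENT_ENV_NAME rule: lowercase alphanumerics or dashes, alphanumeric
# at both ends, at most 63 characters.
valid_env_name() {
  [ "${#1}" -le 63 ] &&
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

valid_deployment_size() {
  case "$1" in SMALL|MEDIUM|LARGE) return 0 ;; *) return 1 ;; esac
}

# Keys on uncommented lines that still carry the <PLEASE_CHANGE> placeholder.
placeholder_keys() {  # usage: placeholder_keys FILE...
  cat "$@" | grep -v '^[[:space:]]*#' | grep '<PLEASE_CHANGE>' | cut -d: -f1
}

# True when group or others have any permission bit set on FILE.
loose_perms() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

# Print one line per finding; the return status is the number of findings.
check_vars() {  # usage: check_vars vars.privacera.yml [custom-vars files...]
  cv_n=0
  cv_env=$(yaml_value "$1" DEPLOYMENT_ENV_NAME)
  cv_size=$(yaml_value "$1" DEPLOYMENT_SIZE)
  valid_env_name "$cv_env" ||
    { echo "DEPLOYMENT_ENV_NAME invalid: '$cv_env'"; cv_n=$((cv_n + 1)); }
  [ -z "$cv_size" ] || valid_deployment_size "$cv_size" ||
    { echo "DEPLOYMENT_SIZE invalid: '$cv_size'"; cv_n=$((cv_n + 1)); }
  for cv_k in $(placeholder_keys "$@"); do
    echo "$cv_k is still <PLEASE_CHANGE>"; cv_n=$((cv_n + 1))
  done
  if loose_perms "$1"; then
    echo "$1: group/others have access; it holds privacera_hub_password"
    cv_n=$((cv_n + 1))
  fi
  return "$cv_n"
}

if [ "$#" -gt 0 ]; then check_vars "$@"; fi
```

Saved under a name of your choice, it takes config/vars.privacera.yml first and any custom-vars files after it; the exit status is the number of findings, so 0 means all checks passed.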
Configure the cloud platform
For an AWS cloud environment, copy the sample AWS configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/
    cp sample-vars/vars.aws.yml custom-vars/

Edit this configuration file:

    vi custom-vars/vars.aws.yml
Set the property value for AWS_REGION based on where your instance will be running.
For an Azure environment, copy the sample configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/
    cp sample-vars/vars.azure.yml custom-vars/
For a Google Cloud Platform environment, copy the sample GCP configuration file to custom-vars/.

    cd ~/privacera/privacera-manager/config/
    cp sample-vars/vars.gcp.yml custom-vars/

Edit this configuration file:

    vi custom-vars/vars.gcp.yml

Set the Project ID of your GCP project; this value can be found in the Google Console.
Configure secrets in keystores
Privacera can encrypt secrets used in Privacera services; this allows passwords to be stored safely in keystores instead of being exposed in plaintext. Note that this does not need to be configured initially to install Privacera Manager, but it is necessary for security in a production environment.
Learn more on how to Enable Password Encryption for Privacera Services.
Configure SSL
To secure your connections with Privacera, you can use self-signed or CA signed certificates.
For self-signed, click here.
For CA signed, click here.
Note that these configurations are not required initially to install Privacera Manager, but they are necessary for security in a production environment.
Default Privacera services
The following are core services that are installed as part of Privacera Manager. Configure these services as needed based on your environment; click the Configure links below to learn more.
Privacera Portal - This is your Privacera dashboard for data access control and policy management across multiple cloud services.
Apache Ranger - Apache Ranger is an open-source project for data access governance for Big Data environments.
MariaDB - MariaDB is an open source relational database. It is part of most cloud offerings and the default in most Linux distributions.
Apache Zookeeper - ZooKeeper is a centralized service for maintaining configuration information, naming, providing distributed synchronization, and providing group services. Configure access to a Zookeeper pod.
Apache Solr - Solr is an open source enterprise search platform built on Apache Lucene. Configure Solr Authentication.
AuditServer - You can set up an AuditServer to receive audits from Privacera Plugins and Ranger Admin and send those audits to Solr and Fluentd. Configure Solr Destination.
Validations
Before installing Privacera Manager, you can run pre-validation checks to test your service configurations. For more information, see Validations.
Run the Privacera Manager install script
Run the following script to install Privacera Manager. This will initiate the installation process and install all the services based on the defined configurations.
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
Privacera Service URLs
You can access the services either as Docker containers or Kubernetes pods. Privacera Manager records the URIs for each of the key services. These are written to standard output and will look similar to the following:
Docker

Kubernetes

Each service provides you with an internal and external URL. To access a Privacera service, use the external URL of the service. For example, to access Privacera Portal, copy its external URL in a browser, and log on with default username/password: 'padmin' / 'padmin'.
Note
Reset your administrator account ('padmin') password according to your enterprise policy. This password can be changed in the Privacera Portal under "Settings: User Management". See the Privacera Portal User Guide, Settings: User Management for more information.
Next Steps: Privacera component services
Once Privacera Manager is installed you can configure the component services listed below. Each of the services has a set of default and custom configurations. The default configurations are the minimum settings required for the service to run, whereas the custom configurations are the advanced/additional settings of the service to extend its functionality.
Access Manager
Configure PolicySync
Configure Plugin
Configure Usersync
Discovery
Encryption and Masking
Configure a service for encryption and masking: