Skip to main content

Privacera Documentation

Table of Contents

Dremio connector properties for PolicySync on Privacera Platform

These Dremio connector properties can be set for PolicySync in Privacera Platform.

The properties are grouped by general function, such as JDBC connection properties, properties for user, group, and role management, and other functions.

The properties are also categorized as BASIC or ADVANCED:

  • BASIC pertains to the most fundamental aspects of the connector, such as authentication.

  • ADVANCED indicates additional features beyond the BASICs, such as row-filtering or group member handling.

Start by setting the BASIC properties and then examine the ADVANCED properties to determine which of these features you might want to enable.

For a general process to migrate values from old YAML files to the new YAML files, see Migration to PolicySync v2 on Privacera Platform 7.2.

Category

Property name

Description

Default

JDBC configuration properties

BASIC

CONNECTOR_DREMIO_JDBC_URL

This property is used to set JDBC url which can be used to create a direct connection to a Dremio coordinator node. JDBC URL should follow below convention jdbc:dremio:direct=<DREMIO_COORDINATOR>:31010 Example :- jdbc:dremio:direct=example-12345fg.us-east-1.elb.amazonaws.com:31010

BASIC

CONNECTOR_DREMIO_JDBC_USERNAME

This property is used to set JDBC Username to be used to make connection to Dremio coordinator. This is just an username used to log in to Dremio to manage the Authorization. (ex. adminUser)

BASIC

CONNECTOR_DREMIO_JDBC_PASSWORD

This property is used to set JDBC user's password to be used to make connection to Dremio coordinator.

BASIC

CONNECTOR_DREMIO_OWNER_ROLE

This property is used to set ownership for all the resources managed by policysync. The specified user will become owner for all managed resources and will have full control on those resources. We support changing owners of source, space, source folders, space folders, physical datasets and virtual datasets. Note :- If owner role is kept as blank, then ownership will not change and users who creates resources or any other object will be the owner of those objects and policysync won't be able to do access control on that objects.

BASIC

CONNECTOR_DREMIO_URL

This property is used to make a call to Dremio API for catalogs/users/groups/audits. For example https://internal-dummy.us-east-1.elb.amazonaws.com:9047

BASIC

CONNECTOR_DREMIO_DEFAULT_USER_PASSWORD

This property is used to set password which will be used as default password for every new user created by policysync.

Resources management

BASIC

CONNECTOR_DREMIO_MANAGE_SPACE_LIST

This property is used to set comma separated space names for which access control should be managed by policysync. If you want to manage all spaces then you can skip specifying this property. This supports wildcards as well. The ignore space list has precedence over manage space list. Eg. testspace1,testspace2,space* Note :- values for this property are case-sensitive.

BASIC

CONNECTOR_DREMIO_MANAGE_SOURCE_LIST

This property is used to set comma separated source names which access control should be managed by policysync. If you want to manage all sources then you can skip specifying this property. This supports wildcards as well. The ignore source list has precedence over manage source list. Eg. testsource1,testsource2,source* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_MANAGE_SOURCE_FOLDER_LIST

This property is used to set comma separated source folder for which access control should be managed by policysync. If you want to manage all source folder then you can skip specifying this property. This supports wildcards as well. The ignore source folder list has precedence over manage source folder list. Eg. source.sourcefolder,source*.sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_MANAGE_SPACE_FOLDER_LIST

This property is used to set comma separated space folder for which access control should be managed by policysync. If you want to manage all space folders then you can skip specifying this property. This supports wildcards as well. The ignore space folder list has precedence over manage space folder list. Eg. space.spacefolder,space*.sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_MANAGE_PHYSICAL_DATASET_LIST

This property is used to set comma separated physical datasets for which access control should be managed by policysync. If you want to manage all physical datasets then you can skip specifying this property. This supports wildcards as well. The ignore physical dataset list has precedence over manage physical dataset list. Eg. source.folder1.physicaldataset,source*.sales*.* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_MANAGE_VIRTUAL_DATASET_LIST

This property is used to set comma separated virtual datasets for which access control should be managed by policysync. If you want to manage all virtual datasets then you can skip specifying this property. This supports wildcards as well. The ignore virtual dataset list has precedence over manage virtual dataset list. Eg. space.folder1.virtualdataset,space*.sales*.* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_SOURCE_LIST

This property is used to set comma separated source names for which you don't want access control to be managed by policysync. If you don't want to ignore any source then you can skip specifying this property. This supports wildcards as well. This has precedence over manage source list. Eg. testsource,sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_SPACE_LIST

This property is used to set comma separated space names for which you don't want access control to be managed by policysync. If you don't want to ignore any space then you can skip specifying this property. This supports wildcards as well. This has precedence over manage space list. Eg. testspace,sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_SOURCE_FOLDER_LIST

This property is used to set comma separated source folder names for which you don't want access control to be managed by policysync. If you don't want to ignore any source folder then you can skip specifying this property. This supports wildcards as well. This has precedence over manage source folder list. Eg. source.sourcefolder,source*.sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_SPACE_FOLDER_LIST

This property is used to set comma separated space folder names for which you don't want access control to be managed by policysync. If you don't want to ignore any space folder then you can skip specifying this property. This supports wildcards as well. This has precedence over manage space folder list. Eg. space.spacefolder,space*.sales* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_PHYSICAL_DATASET_LIST

This property is used to set comma separated physical dataset names for which you don't want access control to be managed by policysync. If you don't want to ignore any physical dataset then you can skip specifying this property. This supports wildcards as well. This has precedence over manage physical dataset list. Eg. source.folder1.physicaldataset,source*.sales*.* Note :- values for this property are case-sensitive.

ADVANCED

CONNECTOR_DREMIO_IGNORE_VIRTUAL_DATASET_LIST

This property is used to set comma separated virtual dataset names for which you don't want access control to be managed by policysync. If you don't want to ignore any virtual dataset then you can skip specifying this property. This supports wildcards as well. This has precedence over manage virtual dataset list. Eg. source.folder1.virtualdataset,source*.sales*.* Note :- values for this property are case-sensitive.

Users/Groups/Roles management

ADVANCED

CONNECTOR_DREMIO_USER_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a user name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DREMIO_USER_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified user name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_DREMIO_GROUP_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a group name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DREMIO_GROUP_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified group name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_DREMIO_ROLE_NAME_REPLACE_FROM_REGEX

This takes the regular expression as input and finds the matching characters in a role name and replaces them with the characters specified in property. If kept blank, no find and replace operation is performed.

[~`$&+:;=?@#|'<>.\\\\s^*()_%\\\\[\\\\]!\\\\-\\\\/\\\\\\\\{}]

ADVANCED

CONNECTOR_DREMIO_ROLE_NAME_REPLACE_TO_STRING

The value specified in this property is used to replace the characters found by the regex specified role name regex property. If kept blank, no find and replace operation is performed.

_

ADVANCED

CONNECTOR_DREMIO_USER_NAME_PERSIST_CASE_SENSITIVITY

After loading user from Ranger API's all users are converted into lowercase, but in some cases, you would need to have the users in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

ADVANCED

CONNECTOR_DREMIO_GROUP_NAME_PERSIST_CASE_SENSITIVITY

After loading group from Ranger API's all groups are converted into lowercase, but in some cases, you would need to have the groups in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

ADVANCED

CONNECTOR_DREMIO_ROLE_NAME_PERSIST_CASE_SENSITIVITY

After loading role from Ranger API's all roles are converted into lowercase, but in some cases, you would need to have the roles in the same case as they are in Ranger. When setting this value to true, it will maintain the case sensitivity of names as they are in Ranger.

false

CONNECTOR_DREMIO_USER_NAME_CASE_CONVERSION

This property only applicable if USER NAME PERSIST CASE SENSITIVITY is set to false. Managed users name would be treated as lowercase by default. If the value is set to "upper" then the user name would be treated as uppercase. If the value is set to "none" then the user name case is preserved as present in ranger.

lower

ADVANCED

CONNECTOR_DREMIO_CREATE_USER

This property controls whether we should create user in dremio for users fetched from ranger.

true

ADVANCED

CONNECTOR_DREMIO_CREATE_USER_ROLE

This property controls whether we should create role over the end user in dremio for users fetched from ranger.

true

ADVANCED

CONNECTOR_DREMIO_MANAGE_USERS

This property controls whether we should create role in dremio for users fetched from ranger.

true

ADVANCED

CONNECTOR_DREMIO_MANAGE_GROUPS

This property controls whether we should create role in dremio for groups fetched from ranger.

true

CUSTOM

CONNECTOR_DREMIO_MANAGE_GROUP_MEMBERS

true

ADVANCED

CONNECTOR_DREMIO_MANAGE_ROLES

This property controls whether we should create role in dremio for roles fetched from ranger.

true

CUSTOM

CONNECTOR_DREMIO_MANAGE_GROUP_MEMBERS

true

ADVANCED

CONNECTOR_DREMIO_MANAGE_USER_LIST

This property is used to set comma separated user names which access control should be managed by policysync. If you want to manage all users then you can skip specifying this property. This supports wildcards as well. The ignore users list has precedence over manage users list. Eg. user1,user2,dev_user*

ADVANCED

CONNECTOR_DREMIO_MANAGE_GROUP_LIST

This property is used to set comma separated group names which access control should be managed by policysync. If you want to manage all group then you can skip specifying this property. This supports wildcards as well. The ignore group list has precedence over manage group list. Eg. group1,group2,dev_group*

ADVANCED

CONNECTOR_DREMIO_MANAGE_ROLE_LIST

This property is used to set comma separated role names which access control should be managed by policysync. If you want to manage all role then you can skip specifying this property. This supports wildcards as well. The ignore role list has precedence over manage role list. Eg. role1,role2,dev_role*

ADVANCED

CONNECTOR_DREMIO_IGNORE_USER_LIST

This property is used to set comma separated user names which access control you don't want to be managed by policysync. If you don't want to ignore any users then you can skip specifying this property. This supports wildcards as well. This has precedence over manage users list. Eg. user1,user2,dev_user*

ADVANCED

CONNECTOR_DREMIO_IGNORE_GROUP_LIST

This property is used to set comma separated group names which access control you don't want to be managed by policysync. If you don't want to ignore any groups then you can skip specifying this property. This supports wildcards as well. This has precedence over manage groups list. Eg. group1,group2,dev_group*

ADVANCED

CONNECTOR_DREMIO_IGNORE_ROLE_LIST

This property is used to set comma separated role names which access control you don't want to be managed by policysync. If you don't want to ignore any roles then you can skip specifying this property. This supports wildcards as well. This has precedence over manage roles list. Eg. role1,role2,dev_role*

ADVANCED

CONNECTOR_DREMIO_USER_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Dremio for user from ranger. For example if you have user named john in ranger and you have defined prefix as test_user_ then the role which we create for john in Dremio will have name test_user_john

priv_user_

ADVANCED

CONNECTOR_DREMIO_GROUP_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Dremio for group from ranger. For example if you have group named dev in ranger and you have defined prefix as test_group_ then the role which we create for dev in Dremio will have name test_group_dev.

priv_group_

ADVANCED

CONNECTOR_DREMIO_ROLE_ROLE_PREFIX

This property is used to set a prefix for role which we will be creating in Dremio for role from ranger. For example if you have role named finance in ranger and you have defined prefix as test_role_ then the role which we create for finance in Dremio will have name test_role_finance.

priv_role_

ADVANCED

CONNECTOR_DREMIO_USE_NATIVE_PUBLIC_GROUP

Set this property to true, if you want policysync to use the "public" group from Dremio for access grants whenever there is policy created referring to public group inside it.

true

ADVANCED

CONNECTOR_DREMIO_MANAGE_USER_FILTERBY_GROUP

Set this property to true, if you want to manage only the users who belongs the the groups defined in manage groups list property.

false

ADVANCED

CONNECTOR_DREMIO_MANAGE_USER_FILTERBY_ROLE

Set this property to true, if you want to manage only the users who belongs the the roles defined in manage roles list property.

false

Access control management

ADVANCED

CONNECTOR_DREMIO_ENABLE_VIEW_BASED_MASKING

Set this property to true, if you want to enable secure view based masking in Dremio policysync.

false

ADVANCED

CONNECTOR_DREMIO_ENABLE_VIEW_BASED_ROW_FILTER

Set this property to true, if you want to enable secure view based tr filter in Dremio policysync.

false

ADVANCED

CONNECTOR_DREMIO_SECURE_VIEW_CREATE_FOR_ALL

Set this property to true, if you want to create secure view for all datasets which were created by end users. This will create secure view for datasets regardless whether there any masking/tr filter policy exists in ranger.

false

ADVANCED

CONNECTOR_DREMIO_ENABLE_ROW_FILTER

This property controls whether to enable native tr filter policy creation functionality in policysync.

true

ADVANCED

CONNECTOR_DREMIO_ENABLE_MASKING

This property controls whether to enable native masking policy creation functionality in policysync.

true

ADVANCED

CONNECTOR_DREMIO_MASKED_NUMBER_VALUE

This property is used to specify the default masking value for numeric columns

0

ADVANCED

CONNECTOR_DREMIO_MASKED_DOUBLE_VALUE

This property is used to specify the default masking value for double datatype columns

0

ADVANCED

CONNECTOR_DREMIO_MASKED_TEXT_VALUE

This property is used to specify the default masking value for text/string columns

<MASKED>'

ADVANCED

CONNECTOR_DREMIO_SECURE_SPACE_PREFIX

By default view-based tr filter and masking related secure views have the same space name as the table/view source/space name. If you want to change the secure view space name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view space name will be in this format : {prefix}{view_space_name}{postfix}

ADVANCED

CONNECTOR_DREMIO_SECURE_SPACE_POSTFIX

By default view-based tr filter and masking related secure views have the same space name as the table/view source/space name. If you want to change the secure view space name prefix and postfix, that can be done with these properties. After prefix and postfix is specified the view space name will be in this format : {prefix}{view_space_name}{postfix}

_secure

BASIC

CONNECTOR_DREMIO_GRANT_UPDATES

This property controls whether actual grant/revoke and create/update/delete queries for user/group/role should be run on Dremio.

true

ADVANCED

CONNECTOR_DREMIO_ENABLE_DATA_ADMIN

This property is used to enable data admin feature, with data admin feature enabled you can create all the policies on table/native view and by default perspective grants will be maid on secure view of table table or native view. And this secure view will have tr filter and masking capability as well. In case if you need permission on table then you can select the permission you want plus DataAdmin in the policy, In this case that permissions will be granted on both, the table/native view and its secure view as well.

false

Access audits management

BASIC

CONNECTOR_DREMIO_AUDIT_ENABLE

This property is used to enable access audit fetching from Dremio.

true

ADVANCED

CONNECTOR_DREMIO_AUDIT_EXCLUDED_USERS

This property is used to exclude the users while pushing the audits logs to ranger access audits. Recommended to set this as JDBC user name as there will be audits from policysync application.

{{DREMIO_JDBC_USERNAME}}