
PolicySync Properties

This topic covers how to configure additional system properties for multiple connectors for Privacera PolicySync.

You can add properties in the configuration file rangersync-custom.properties for the following datasources, each described below:

  • PostgreSQL
  • MSSQL
  • Snowflake
  • Redshift

Configuring Multiple Connectors for a Single PolicySync Instance

A single PolicySync instance can be configured to serve more than one datasource. Add a section in rangersync-custom.properties for each connector. Be sure to assign each connector its own unique integer connector ID.

For example:

# First, a PostgreSQL source with connector ID 5 named Postgres-dev
ranger.policysync.connector.5=Postgres-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=postgres

# additional properties for connector 5 as needed...

# Next, an MSSQL source with connector ID 7 named MSSql-Dev
ranger.policysync.connector.7=MSSql-Dev
# Set this property to true to enable the MSSQL connector
ranger.policysync.connector.7.enabled=false
ranger.policysync.connector.7.servicetype=mssql

# additional properties for connector 7 as needed...
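The rule above (one integer ID per connector, each with its own enabled flag and servicetype) is easy to get wrong by hand. The following added example, which is not Privacera's code, parses a rangersync-custom.properties file, groups properties by connector ID, and reports the things a reviewer wants to know before running the update: IDs assigned twice, enabled connectors missing required keys, unresolved {{...}} placeholders, empty passwords, and connectors that are not in dry-run mode. The sample file is constructed; the required-key list and the checks are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample (not from the page): two connectors, one of which still
# carries an unresolved {{...}} template placeholder.
SAMPLE_PROPERTIES = """
# constructed: PostgreSQL source with connector ID 5
ranger.policysync.connector.5=Postgres-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=postgres
ranger.policysync.connector.5.jdbc.url=jdbc:postgresql://pg.example.internal:5432
ranger.policysync.connector.5.jdbc.username=postgres
ranger.policysync.connector.5.jdbc.password=
ranger.policysync.connector.5.perform.grant.updates=true

ranger.policysync.connector.7=MSSql-Dev
ranger.policysync.connector.7.enabled=true
ranger.policysync.connector.7.servicetype=mssql
ranger.policysync.connector.7.jdbc.url={{MSSQL_JDBC_URL}}
ranger.policysync.connector.7.jdbc.username=sync_user
ranger.policysync.connector.7.jdbc.password=changeme
ranger.policysync.connector.7.perform.grant.updates=false
"""

KEY_RE = re.compile(r"^ranger\.policysync\.connector\.(\d+)(?:\.(.+))?$")
# Keys this example treats as mandatory for an enabled connector (assumption).
REQUIRED = ("enabled", "servicetype", "jdbc.url", "jdbc.username")


def parse_connectors(text):
    """Group properties by integer connector ID; the bare key
    ranger.policysync.connector.<id> is stored under 'name'."""
    connectors, findings = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment in .properties syntax
        key, _, value = line.partition("=")
        m = KEY_RE.match(key.strip())
        if not m:
            continue  # not a connector property
        cid, sub = int(m.group(1)), m.group(2) or "name"
        if sub in connectors[cid]:
            findings.append(f"connector {cid}: '{sub}' set more than once (duplicate connector ID?)")
        connectors[cid][sub] = value.strip()
    return dict(connectors), findings


def check_connectors(text):
    """Findings to review before running privacera-manager.sh update."""
    connectors, findings = parse_connectors(text)
    names = defaultdict(list)
    for cid, props in sorted(connectors.items()):
        names[props.get("name", "")].append(cid)
        if props.get("enabled", "false").lower() != "true":
            continue  # disabled connectors are not checked in detail
        for key in REQUIRED:
            if not props.get(key):
                findings.append(f"connector {cid}: missing or empty '{key}'")
        for key, value in props.items():
            if re.search(r"\{\{[^}]*\}\}", value):
                findings.append(f"connector {cid}: unresolved placeholder in '{key}'")
        if not props.get("jdbc.password"):
            findings.append(f"connector {cid}: empty jdbc.password")
        if props.get("perform.grant.updates", "false").lower() == "true":
            findings.append(f"connector {cid}: perform.grant.updates=true (not a dry run)")
    for name, ids in names.items():
        if len(ids) > 1:
            findings.append(f"connector name '{name}' reused by IDs {ids}")
    return findings
```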

PolicySync and Scalability

Each configured connector consumes memory and processing resources based on factors like the number of data objects, policies, and users. You may need to increase the memory or processing available to PolicySync as your usage grows.

The preferred strategy for scaling to large numbers of datasources for PolicySync is to add PolicySync instances. Use of multiple PolicySync instances is supported only in Kubernetes. Privacera Manager only supports deployment of a single PolicySync instance, so you may need to modify Helm charts directly.

In Docker, the only option is to use a larger node and add multiple connectors as described above.

PostgreSQL

  1. Create the rangersync-custom.properties file and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom.properties
    
  2. The following example adds another PostgreSQL connection with connector ID 5.

    ranger.policysync.connector.5=Postgres-dev
    ranger.policysync.connector.5.enabled=true
    ranger.policysync.connector.5.servicetype=postgres
    ranger.policysync.connector.5.jdbc.url=jdbc:postgresql://<connection_url>:5432
    ranger.policysync.connector.5.jdbc.username=postgres
    ranger.policysync.connector.5.jdbc.password=
    ranger.policysync.connector.5.jdbc.db=
    ranger.policysync.connector.5.master.database=
    ranger.policysync.connector.5.manage.database.list=
    ranger.policysync.connector.5.manage.schema.list=
    ranger.policysync.connector.5.manage.table.list=
    ranger.policysync.connector.5.manage.view.list=
    
    #Ignore Resource Lists
    ranger.policysync.connector.5.ignore.schema.list=
    ranger.policysync.connector.5.ignore.table.list=
    ranger.policysync.connector.5.new.user.password=
    ranger.policysync.connector.5.switch.ownership.role=
    ranger.policysync.connector.5.manage.service.user=true
    ranger.policysync.connector.5.manage.service.group=true
    ranger.policysync.connector.5.manage.service.role=true
    ranger.policysync.connector.5.perform.grant.updates=true
    
    #Filter User/Group
    ranger.policysync.connector.5.manage.user.filterby.group=false
    ranger.policysync.connector.5.manage.user.filterby.role=false
    ranger.policysync.connector.5.User.role.prefix=priv_user_
    ranger.policysync.connector.5.Group.role.prefix=priv_group_
    ranger.policysync.connector.5.Role.role.prefix=priv_role_
    
    #Enable Row Filter
    ranger.policysync.connector.5.enable.row.filter=true
    
    #Masked Value for Masking
    ranger.policysync.connector.5.masked.number.value=0
    ranger.policysync.connector.5.masked.double.value=0
    ranger.policysync.connector.5.masked.text.value='<MASKED>'
    ranger.policysync.connector.5.masked.varchar.value='<MASKED>'
    
    ranger.policysync.connector.5.manage.user.list=
    ranger.policysync.connector.5.manage.group.list=
    ranger.policysync.connector.5.manage.role.list=
    
    #View Based Masking and Row Filter
    ranger.policysync.connector.5.enable.view.based.row.filter=false
    ranger.policysync.connector.5.enable.view.based.masking=true
    ranger.policysync.connector.5.secure.view.schema.name=
    ranger.policysync.connector.5.secure.view.schema.name.prefix=
    ranger.policysync.connector.5.secure.view.schema.name.postfix=
    ranger.policysync.connector.5.secure.view.name.prefix=
    ranger.policysync.connector.5.secure.view.name.postfix=_secure
    ranger.policysync.connector.5.secure.view.schema.name.remove.suffix.list=
    ranger.policysync.connector.5.secure.view.name.remove.suffix.list=
    ranger.policysync.connector.5.secure.view.create.for.all=false
    
    #Audit Properties
    
    #Make this property true for audits
    ranger.policysync.connector.5.enable.audit=true
    ranger.policysync.connector.5.audit.sqs.queue.name=
    ranger.policysync.connector.5.region=
    
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

MSSQL

  1. Create the rangersync-custom.properties file and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom.properties
    
  2. The following example adds another MSSQL connection with connector ID 7.

    ranger.policysync.connector.7=Mssql
    
    # Set this property to true to enable the MSSQL connector
    ranger.policysync.connector.7.enabled=false
    ranger.policysync.connector.7.servicetype=mssql
    ranger.policysync.connector.7.class=com.privacera.policysync.connector.PSMSSQLConnector
    ranger.policysync.connector.7.jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
    
    # DB Connection Properties
    ranger.policysync.connector.7.jdbc.url={{MSSQL_JDBC_URL}}
    ranger.policysync.connector.7.jdbc.db={{MSSQL_DEFAULT_DB}}
    ranger.policysync.connector.7.jdbc.username={{MSSQL_SYNC_USER_NAME}}
    ranger.policysync.connector.7.jdbc.password={{MSSQL_SYNC_USER_PASSWORD}}
    
    # ranger.policysync.connector.7.jdbc.authentication= (SqlPassword/ActiveDirectoryPassword)
    # Use ActiveDirectoryPassword if the JDBC admin is an Azure AD user
    ranger.policysync.connector.7.jdbc.authentication=SqlPassword
    ranger.policysync.connector.7.master.database=master
    
    ranger.policysync.connector.7.database.list.format=database
    ranger.policysync.connector.7.schema.list.format=database.schema
    ranger.policysync.connector.7.table.list.format=database.schema.table
    ranger.policysync.connector.7.view.list.format=database.schema.view
    
    # Manage Lists
    # Databases to be managed. Accepts a single name or multiple database names separated by commas.
    # Regex can be used, e.g. *_database (this manages all databases named like company_database, products_database, etc.).
    # Leave the value blank to manage all databases.
    # Set the value to none to skip all databases.
    ranger.policysync.connector.7.manage.database.list={{MSSQL_DATABASES_LIST}}
    
    # Schemas to be managed. Accepts a single name or multiple schema names separated by commas.
    # Regex can be used, e.g. *_schema (this manages all schemas named like company_schema, products_schema, etc.).
    # Leave the value blank to manage all schemas.
    # Set the value to none to skip all schemas.
    ranger.policysync.connector.7.manage.schema.list=
    
    # Ignore Lists
    ## Databases to be ignored and not managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_database (this ignores all databases named like admin_database, testing_database, etc.).
    ## Leave the value blank to manage all databases.
    ## Set the value to none to skip all databases.
    ranger.policysync.connector.7.ignore.database.list=
    
    ## Schemas to be ignored and not managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_schema (this ignores all schemas named like admin_schema, testing_schema, etc.).
    ## Leave the value blank to manage all schemas.
    ## Set the value to none to skip all schemas.
    ranger.policysync.connector.7.ignore.schema.list=*.sys,*.privacera_security,*.guest,*.db_denydatareader,*.db_denydatawriter,*.db_datareader,*.db_datawriter,*.db_ddladmin,*.db_backupoperator,*.db_accessadmin,*.db_securityadmin,*.db_owner
    
    ## Users to be ignored and not managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_user (this ignores all users named like admin_user, testing_user, etc.).
    ## Leave the value blank to manage all users.
    ## Set the value to none to skip all users.
    ranger.policysync.connector.7.ignore.user.list={{MSSQL_IGNORE_USERS}}
    
    # New User Password
    #ranger.policysync.connector.7.new.user.password=
    
    # New Resource Ownership
    ranger.policysync.connector.7.switch.ownership.role=dbo
    
    # Ranger Plugin Properties
    ranger.policysync.connector.7.ranger.service.type=mssql
    ranger.policysync.connector.7.ranger.service.appid=privacera_mssql
    
    ## Prefixes used to create internal roles for policy-sync
    ranger.policysync.connector.7.User.role.prefix=priv_user_
    ranger.policysync.connector.7.Group.role.prefix=priv_group_
    ranger.policysync.connector.7.Role.role.prefix=priv_role_
    
    ## Set to false to perform a dry run. Default value: false
    ranger.policysync.connector.7.perform.grant.updates=false
    ranger.policysync.connector.7.ranger.resource.matching.scope=SELF
    
    # Set to true to perform grant updates in a separate thread. Default value: true
    ranger.policysync.connector.7.apply.perms.with.separate.thread=true
    ranger.policysync.connector.7.ranger.resource.zone.matching.scope=SELF_OR_ANCESTOR
    
    # Masking
    #The masking will not be applied to mentioned entities (User, Group, Role).  Accepts : single name or multiple names with comma separation.
    ranger.policysync.connector.7.masking.unmasked.users=
    ranger.policysync.connector.7.masking.unmasked.groups=
    ranger.policysync.connector.7.masking.unmasked.roles=
    ranger.policysync.connector.7.load.resources=load
    ranger.policysync.connector.7.load.users=load
    ranger.policysync.connector.7.load.policies=load
    ranger.policysync.connector.7.sync.interval.sec=60
    ranger.policysync.connector.7.manage.service.user=true
    ranger.policysync.connector.7.manage.service.group=true
    ranger.policysync.connector.7.manage.service.role=true
    
    # Audits
    ranger.policysync.connector.7.enable.audit=false
    ranger.policysync.connector.7.audit.storage.url=
    ranger.policysync.connector.7.audit.initial.pull.min=30
    
    # set 'load_synapse' in case of synapse.
    # eg.ranger.policysync.connector.7.load.audits=load_synapse
    ranger.policysync.connector.7.load.audits=load
    
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

Snowflake

  1. Create the rangersync-custom.properties file and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom.properties
    
  2. The following example adds another Snowflake connection with connector ID 6.

    ranger.policysync.connector.6=Snowflake
    ranger.policysync.connector.6.enabled=false
    
    #ranger.policysync.connector.6.jdbc.url=jdbc:snowflake://${YOURHOST}
    ranger.policysync.connector.6.jdbc.url={{SNOWFLAKE_JDBC_URL}}
    ranger.policysync.connector.6.switch.ownership.role={{SNOWFLAKE_OWNER_ROLE}}
    ranger.policysync.connector.6.jdbc.username={{SNOWFLAKE_SYNC_USER_NAME}}
    ranger.policysync.connector.6.jdbc.password={{SNOWFLAKE_SYNC_USER_PASSWORD}}
    
    # Databases to be managed. Accepts a single name or multiple database names separated by commas.
    # Regex can be used, e.g. *_database (this manages all databases named like company_database, products_database, etc.).
    # Leave the value blank to manage all databases.
    # Set the value to none to skip all databases.
    ranger.policysync.connector.6.manage.database.list={{SNOWFLAKE_DATABASES_LIST}}
    
    # Warehouse to be used. Accepts a single value, e.g. COMPUTE_WH
    ranger.policysync.connector.6.warehouse={{SNOWFLAKE_WAREHOUSE_TO_USE}}
    
    # Role to be used by policy-sync. Accepts a single value, e.g. PRIVACERA_SYNC_ROLE
    ranger.policysync.connector.6.role={{SNOWFLAKE_ROLE_TO_USE}}
    # Set either the simple or the advance property to true to enable audits
    ranger.policysync.connector.6.audit.source.simple=false
    ranger.policysync.connector.6.audit.source.advance=false
    ranger.policysync.connector.6.advance.audit.db.name=PRIVACERA_ACCESS_LOGS_DB
    ranger.policysync.connector.6.audit.initial.pull.min=30
    
    ## Set to true to create managed users in the end service. Default value: false
    ranger.policysync.connector.6.manage.service.user=false
    
    ## Users to be managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_user (this manages all users named like admin_user, clerk_user, etc.).
    ## Leave the value blank to manage all users.
    ## Set the value to none to skip all users.
    #ranger.policysync.connector.6.manage.user.list=
    
    ## Set to true to create managed groups in the end service. Default value: false
    ranger.policysync.connector.6.manage.service.group=false
    
    ## Groups to be managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_groups (this manages all groups named like admin_groups, clerk_groups, etc.).
    ## Leave the value blank to manage all groups.
    ## Set the value to none to skip all groups.
    #ranger.policysync.connector.6.manage.group.list=
    
    ## Set to true to create managed roles in the end service. Default value: false
    ranger.policysync.connector.6.manage.service.role=false
    
    ## Roles to be managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_role (this manages all roles named like admin_role, testing_role, etc.).
    ## Leave the value blank to manage all roles.
    ## Set the value to none to skip all roles.
    #ranger.policysync.connector.6.manage.role.list=
    
    ## Set to false to perform a dry run. Default value: false
    ranger.policysync.connector.6.perform.grant.updates=false
    
    ## Roles to be ignored and not managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_role (this ignores all roles named like admin_role, testing_role, etc.).
    ## Leave the value blank to manage all roles.
    ## Set the value to none to skip all roles.
    ranger.policysync.connector.6.ignore.role.list=SYSADMIN,ACCOUNTADMIN,SECURITYADMIN
    
    ## Schemas to be ignored by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_schema (this ignores all schemas named like finance_schema, dev_schema, etc.).
    ## Leave the value blank to manage all schemas.
    ## Set the value to none to skip all schemas.
    ranger.policysync.connector.6.ignore.schema.list=*.information_schema
    ranger.policysync.connector.6.ranger.service.appid=privacera_snowflake
    ranger.policysync.connector.6.servicetype=snowflake
    ranger.policysync.connector.6.class=com.privacera.policysync.connector.PSSnowflakeConnector
    ranger.policysync.connector.6.jdbc.driver=net.snowflake.client.jdbc.SnowflakeDriver
    ranger.policysync.connector.6.jdbc.db=snowflake
    
    ## Databases to be ignored by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_database (this ignores all databases named like finance_database, dev_database, etc.).
    ## Leave the value blank to manage all databases.
    ## Set the value to none to skip all databases.
    ranger.policysync.connector.6.ignore.database.list=demo_db,snowflake,util_db,SNOWFLAKE_SAMPLE_DATA
    ranger.policysync.connector.6.database.list.format=database
    ranger.policysync.connector.6.schema.list.format=database.schema
    ranger.policysync.connector.6.table.list.format=database.schema.table
    ranger.policysync.connector.6.view.list.format=database.schema.view
    #ranger.policysync.connector.6.systemconfig=customSnowflakeConfig.json
    ranger.policysync.connector.6.load.resources=load
    #ranger.policysync.connector.6.load.resources=load_md
    ranger.policysync.connector.6.load.users=load_md
    ranger.policysync.connector.6.load.policies=load
    
    ## Users to be ignored and not managed by policy-sync. Accepts a single name or multiple names separated by commas.
    ## Regex can be used, e.g. *_user (this ignores all users named like admin_user, testing_user, etc.).
    ## Leave the value blank to manage all users.
    ## Set the value to none to skip all users.
    ranger.policysync.connector.6.ignore.user.list=snowflake,privacera
    ranger.policysync.connector.6.sync.interval.sec=60
    
    #ranger.policysync.connector.6.new.user.password=
    ## Prefixes used to create internal roles for policy-sync
    ranger.policysync.connector.6.User.role.prefix=priv_user_
    ranger.policysync.connector.6.Group.role.prefix=priv_group_
    ranger.policysync.connector.6.Role.role.prefix=priv_role_
    
    # Set below property to true to enable column level access control
    ranger.policysync.connector.6.enable.column.level.access.control=false
    ## Database and schema in which masking policies are stored. Accepts a single name each
    ranger.policysync.connector.6.masking.policy.db.name=privacera_db
    ranger.policysync.connector.6.masking.policy.schema.name=privacera_db.public
    
    # For Masking
    ## Set to true to enable masking. Default value: false
    ranger.policysync.connector.6.enable.masking=false
    
    # Masked Value for Column Access Control
    #ranger.policysync.connector.6.access.control.text.value='{{REDACTED}}'
    
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

Redshift

  1. Create the rangersync-custom.properties file and add the base properties.

    vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom.properties
    
  2. The following example adds another Redshift connection with connector ID 3.

    ranger.policysync.connector.3=Redshift
    ranger.policysync.connector.3.enabled=true
    ranger.policysync.connector.3.servicetype=redshift-db
    ranger.policysync.connector.3.jdbc.url=jdbc:postgresql://c8nwggihrpkl.us-east-1.redshift.amazonaws.com:5439
    ranger.policysync.connector.3.jdbc.db=customer
    ranger.policysync.connector.3.jdbc.username=xxyyzz
    ranger.policysync.connector.3.jdbc.password=xxxxxxxx
    ranger.policysync.connector.3.master.database=customer
    ranger.policysync.connector.3.manage.database.list=customer
    ranger.policysync.connector.3.manage.schema.list=
    ranger.policysync.connector.3.manage.table.list=
    ranger.policysync.connector.3.manage.view.list=
    # Ignore Resource Lists
    ranger.policysync.connector.3.new.user.password=xxxxxxxxx
    ranger.policysync.connector.3.switch.ownership.role=
    ranger.policysync.connector.3.manage.service.user=true
    ranger.policysync.connector.3.manage.service.group=true
    ranger.policysync.connector.3.manage.service.role=true
    ranger.policysync.connector.3.perform.grant.updates=true
    ranger.policysync.connector.3.User.role.prefix=priv_user_
    ranger.policysync.connector.3.Group.role.prefix=priv_group_
    ranger.policysync.connector.3.Role.role.prefix=priv_role_
    # Masked Value for Masking
    ranger.policysync.connector.3.masked.number.value=0
    ranger.policysync.connector.3.masked.double.value=0
    ranger.policysync.connector.3.masked.text.value='<MASKED>'
    ranger.policysync.connector.3.masked.varchar.value='<MASKED>'
    ranger.policysync.connector.3.manage.user.list=
    ranger.policysync.connector.3.manage.group.list=
    ranger.policysync.connector.3.manage.role.list=
    # Filter User/Group
    ranger.policysync.connector.3.manage.user.filterby.group=false
    ranger.policysync.connector.3.manage.user.filterby.role=false
    ranger.policysync.connector.3.user.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.user.name.replace.to.string=_
    ranger.policysync.connector.3.group.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.group.name.replace.to.string=_
    ranger.policysync.connector.3.role.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
    ranger.policysync.connector.3.role.name.replace.to.string=_
    # Ignore User/Group/Role Lists
    # View Based Masking and Row Filter
    ranger.policysync.connector.3.enable.view.based.row.filter=true
    ranger.policysync.connector.3.enable.view.based.masking=true
    ranger.policysync.connector.3.secure.view.schema.name=
    ranger.policysync.connector.3.secure.view.schema.name.prefix=
    ranger.policysync.connector.3.secure.view.schema.name.postfix=
    ranger.policysync.connector.3.secure.view.name.prefix=
    ranger.policysync.connector.3.secure.view.name.postfix=_secure
    ranger.policysync.connector.3.secure.view.schema.name.remove.suffix.list=
    ranger.policysync.connector.3.secure.view.name.remove.suffix.list=
    ranger.policysync.connector.3.secure.view.create.for.all=false
    ranger.policysync.connector.3.secure.view.access.by.table.policy=false
    # Audit Properties
    # Make this property true for audits
    ranger.policysync.connector.3.enable.audit=false
    
  3. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    

Last update: October 13, 2021