Starburst System Plugin Configuration

Manual Installation

Install and configure on Starburst Enterprise Presto (Enterprise PrestoSQL/Trino)

There are several possible configurations for Privacera integration with Starburst. The most commonly used are:

  • System-level Plugin Only: With this option, Starburst uses the starburst-enterprise-presto Service Definition in Privacera for all policies, including those for the Hive catalog. Hive-style (or SQL) policies under privacera_hive or privacera_sql are ignored and must be replicated in privacera_starburst to be effective.
  • Hive-style and System-level Plugins: With this option, Starburst uses both the starburst-enterprise-presto Service definition and the Hive Service definition. Hive-style (or SQL) policies under privacera_hive or privacera_sql are evaluated for queries in the Hive catalog, and privacera_starburst policies are effective for all other catalogs.

For System-level Plugin Only

hive.properties:

  • Usually located in etc/catalog
  • Points to configuration file/s for plugins
  • Comment out all settings beginning with ranger.

Ensure that the following line is present in the file:

hive.security=allow-all

config.properties

  • Usually located in etc directory
  • Points to configuration file/s for plugins

Ensure that the following line is present in the file:

access-control.config-files=etc/access-control-privacera.properties

access-control-privacera.properties

  • Usually located in etc directory
  • Defines settings for one plugin per file

File contents:

access-control.name=privacera-starburst
# Example: ranger.policy-rest-url=http://starburst.tryprivacera.com:6080
ranger.policy-rest-url=http://${Privacera Ranger API URL}:${Ranger port}
ranger.service-name=privacera_starburst
ranger.presto-plugin-username=${Ranger API username}
ranger.presto-plugin-password=${Ranger API user password}
ranger.policy-refresh-interval=3s
# Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
ranger.config-resources=${presto configuration path}/etc/ranger-hive-audit.xml
# Example: ranger.policy-cache-dir=/tmp/ranger
ranger.policy-cache-dir=${presto temp file location}

ranger-hive-audit.xml

  • Usually located in etc directory
  • Defines settings for one plugin per file

File contents:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<property>
    <name>ranger.plugin.hive.service.name</name>
    <value>privacera_hive</value>
</property>
<property>
    <name>ranger.plugin.hive.policy.pollIntervalMs</name>
    <value>5000</value>
</property>
<property>
    <name>ranger.service.store.rest.url</name>
    <value>http://<Privacera Ranger API URL>:<Ranger port - e.g., 6080></value>
</property>
<property>
    <name>ranger.plugin.hive.policy.rest.url</name>
    <value>http://<Privacera Ranger API URL>:<Ranger port - e.g., 6080></value>
</property>
<property>
    <name>xasecure.audit.destination.solr</name>
    <value>true</value>
</property>
<property>
    <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
    <value><presto temp file location></value>
</property>
<property>
    <name>xasecure.audit.destination.solr.urls</name>
    <value>http://<Privacera Ranger API URL>:8983/solr/ranger_audits</value>
</property>
<property>
    <name>xasecure.audit.is.enabled</name>
    <value>true</value>
</property>
</configuration>

For Hive-style and System-level Plugins

hive.properties

  • Same as in the section "For System-level Plugin Only" above.

access-control-privacera.properties

  • Same as in the section "For System-level Plugin Only" above.

ranger-hive-audit.xml

  • Same as in the section "For System-level Plugin Only" above.

access-control-priv-hive.properties

  • Usually located in etc directory
  • Defines settings for one plugin per file

File contents:

access-control.name=privacera
# Example: ranger.policy-rest-url=http://starburst.tryprivacera.com:6080
ranger.policy-rest-url=http://<Privacera Ranger API URL>:<Ranger port - e.g., 6080>
ranger.service-name=privacera_hive
privacera.catalogs=hive
ranger.presto-plugin-username=<Ranger API username>
ranger.presto-plugin-password=<Ranger API user password>
ranger.policy-refresh-interval=3s
# Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
ranger.config-resources=<presto configuration path>/etc/ranger-hive-audit.xml
# Example: ranger.policy-cache-dir=/tmp/ranger
ranger.policy-cache-dir=<presto temp file location>
# Fallback allow-all allows privacera_starburst catalog-level permissions as fallback
privacera.fallback-access-control=allow-all

config.properties

  • Usually located in etc/ directory
  • Points to configuration file/s for plugins

Ensure that the following line is present in the file (note the multiple comma-separated config files):

access-control.config-files=etc/access-control-privacera.properties,etc/access-control-priv-hive.properties

  • After updating the files above, restart Starburst. The STARBURST-ENTERPRISE-PRESTO Service definition should appear in Ranger and Privacera Portal.
  • Add a new service repository to the STARBURST-ENTERPRISE-PRESTO service (e.g., "privacera_starburst") for new policies.
  • Import or create policies.
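
The file checks from both configuration options above can be run before restarting Starburst. The following linter is an added example, not Privacera or Starburst code. The paths `etc/catalog/hive.properties` and `etc/config.properties` follow the "usually located" hints on this page, the sample file contents are constructed, and treating `privacera.catalogs` as required for the Hive-style plugin is an assumption based on the template above.

```python
import re

# Matches the two template placeholder styles used on this page: ${...} and <...>.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|<[^>]+>")
REQUIRED = ("access-control.name", "ranger.policy-rest-url", "ranger.service-name")


def parse_properties(text):
    """Return the active (uncommented) key=value pairs of a .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_deployment(files):
    """files maps a path relative to the Starburst root to that file's text."""
    findings = []

    # hive.properties: ranger.* settings commented out, hive.security=allow-all set.
    hive = parse_properties(files.get("etc/catalog/hive.properties", ""))
    if hive.get("hive.security") != "allow-all":
        findings.append("hive.properties: hive.security=allow-all is missing")
    for key in sorted(k for k in hive if k.startswith("ranger.")):
        findings.append(f"hive.properties: {key} is active, comment it out")

    # config.properties: every listed access-control file must exist.
    config = parse_properties(files.get("etc/config.properties", ""))
    value = config.get("access-control.config-files", "")
    listed = [p.strip() for p in value.split(",") if p.strip()]
    if not listed:
        findings.append("config.properties: access-control.config-files is not set")

    plugin_names = set()
    for path in listed:
        if path not in files:
            findings.append(f"config.properties: {path} is listed but missing")
            continue
        props = parse_properties(files[path])
        name = props.get("access-control.name")
        plugin_names.add(name)
        for key in REQUIRED:
            if key not in props:
                findings.append(f"{path}: {key} is not set")
        for key in sorted(props):
            if PLACEHOLDER.search(props[key]):
                findings.append(f"{path}: {key} still holds a template placeholder")
        # Assumption: the Hive-style plugin must name the catalogs it covers.
        if name == "privacera" and "privacera.catalogs" not in props:
            findings.append(f"{path}: privacera.catalogs is not set")

    # The Hive-style plugin is only described alongside the system-level one.
    if "privacera" in plugin_names and "privacera-starburst" not in plugin_names:
        findings.append(
            "config.properties: Hive-style plugin listed without the system-level plugin")
    return findings


# Constructed sample inputs (host name and values are placeholders).
SYSTEM_PLUGIN = """\
access-control.name=privacera-starburst
ranger.policy-rest-url=http://ranger.example.internal:6080
ranger.service-name=privacera_starburst
ranger.policy-refresh-interval=3s
"""

BROKEN = {
    "etc/catalog/hive.properties": "ranger.service-name=privacera_hive\n",
    "etc/config.properties": "access-control.config-files="
    "etc/access-control-privacera.properties,etc/access-control-priv-hive.properties\n",
    "etc/access-control-privacera.properties": SYSTEM_PLUGIN.replace(
        "http://ranger.example.internal:6080",
        "http://${Privacera Ranger API URL}:${Ranger port}"),
}

FIXED = {
    "etc/catalog/hive.properties":
        "#ranger.service-name=privacera_hive\nhive.security=allow-all\n",
    "etc/config.properties":
        "access-control.config-files=etc/access-control-privacera.properties\n",
    "etc/access-control-privacera.properties": SYSTEM_PLUGIN,
}

if __name__ == "__main__":
    for finding in check_deployment(BROKEN):
        print(finding)
```

An empty result for a directory means the files agree with each other; it does not confirm that the Ranger URL is reachable or that the credentials are valid.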

Sample JSON Templates

  1. Starburst_Tags_sample.json

    {
    "op": "add_or_update",
    "serviceName": "privacera_starburst",
    "tagVersion": 0,
    "tagDefinitions": {
        "0": {
        "name": "MEDICAL_RECORD",
        "source": "privacera",
        "attributeDefs": [],
        "id": 0,
        "isEnabled": true
        }
    },
    "tags": {
        "0": {
        "type": "MEDICAL_RECORD",
        "owner": 0,
        "attributes": {},
        "id": 0,
        "isEnabled": true
        }
    },
    "serviceResources": [
        {
        "serviceName": "privacera_starburst",
        "resourceElements": {
            "schema": {
            "values": [
                "claims"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "catalog": {
            "values": [
                "oracle"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "column": {
            "values": [
                "desynpuf_id"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "table": {
            "values": [
                "claim_outpat"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "id": 0,
        "isEnabled": true
        }
    ],
    "resourceToTagIds": {
        "0": [
        0
        ]
    }
    }
    
  2. Starburst_Tag_Policy_sample.json

    {
    "service": "privacera_tag",
    "name": "Medical Record Number Access",
    "policyType": 0,
    "policyPriority": 1,
    "description": "",
    "isAuditEnabled": true,
    "resources": {
        "tag": {
        "values": [
            "MEDICAL_RECORD"
        ],
        "isExcludes": false,
        "isRecursive": false
        }
    },
    "conditions": [],
    "policyItems": [],
    "denyPolicyItems": [
        {
        "accesses": [
            {
            "type": "starburst-enterprise-presto:select",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:insert",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:delete",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:update",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:ownership",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:execute",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:kill",
            "isAllowed": true
            }
        ],
        "users": [],
        "groups": [
            "public"
        ],
        "roles": [],
        "conditions": [],
        "delegateAdmin": false
        }
    ],
    "allowExceptions": [],
    "denyExceptions": [
        {
        "accesses": [
            {
            "type": "starburst-enterprise-presto:select",
            "isAllowed": true
            },
            {
            "type": "starburst-enterprise-presto:execute",
            "isAllowed": true
            }
        ],
        "users": [],
        "groups": [
            "clinical"
        ],
        "roles": [],
        "conditions": [],
        "delegateAdmin": false
        }
    ],
    "dataMaskPolicyItems": [],
    "rowFilterPolicyItems": [],
    "serviceType": "tag",
    "options": {},
    "validitySchedules": [],
    "policyLabels": [],
    "zoneName": "",
    "isDenyAllElse": false,
    "id": 278,
    "guid": "ea05eba4-8f94-4d3a-a9b9-1dc18d0aa86e",
    "isEnabled": true,
    "version": 2
    }
    
  3. Starburst_Policies_sample.json

    {
    "serviceName": "privacera_starburst",
    "serviceId": 30,
    "policyVersion": 100,
    "policyUpdateTime": 1610650802000,
    "policies": [
        {
        "id": 236,
        "guid": "9b72a680-11ab-4952-8eca-a056bb55fa6d",
        "isEnabled": true,
        "version": 6,
        "service": "privacera_starburst",
        "name": "all - query",
        "policyType": 0,
        "policyPriority": 0,
        "description": "Policy for all - query",
        "isAuditEnabled": true,
        "resources": {
            "query": {
            "values": [
                "*"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "policyItems": [
            {
            "accesses": [
                {
                "type": "select",
                "isAllowed": true
                },
                {
                "type": "execute",
                "isAllowed": true
                },
                {
                "type": "kill",
                "isAllowed": true
                }
            ],
            "users": [
                "fiona_emily"
            ],
            "groups": [],
            "roles": [
                "fiona_sales_role"
            ],
            "conditions": [],
            "delegateAdmin": true
            }
        ],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        },
        {
        "id": 240,
        "guid": "1e0dae00-1aef-4631-843b-1af97e3e451d",
        "isEnabled": true,
        "version": 5,
        "service": "privacera_starburst",
        "name": "all - function",
        "policyType": 0,
        "policyPriority": 0,
        "description": "Policy for all - function",
        "isAuditEnabled": true,
        "resources": {
            "function": {
            "values": [
                "*"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "policyItems": [
            {
            "accesses": [
                {
                "type": "execute",
                "isAllowed": true
                }
            ],
            "users": [
                "fiona_emily"
            ],
            "groups": [],
            "roles": [
                "fiona_sales_role"
            ],
            "conditions": [],
            "delegateAdmin": true
            }
        ],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        },
        {
        "id": 264,
        "guid": "ff07c7ca-c619-4da8-b4ac-6e6489d2d35d",
        "isEnabled": true,
        "version": 16,
        "service": "privacera_starburst",
        "name": "Oracle schema access",
        "policyType": 0,
        "policyPriority": 0,
        "description": "",
        "isAuditEnabled": true,
        "resources": {
            "schema": {
            "values": [
                "claims"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "catalog": {
            "values": [
                "oracle"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "column": {
            "values": [
                "desynpuf_id"
            ],
            "isExcludes": true,
            "isRecursive": false
            },
            "table": {
            "values": [
                "claim_outpat",
                "foo"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "conditions": [],
        "policyItems": [
            {
            "accesses": [
                {
                "type": "select",
                "isAllowed": true
                },
                {
                "type": "insert",
                "isAllowed": true
                },
                {
                "type": "delete",
                "isAllowed": true
                },
                {
                "type": "update",
                "isAllowed": true
                },
                {
                "type": "ownership",
                "isAllowed": true
                },
                {
                "type": "execute",
                "isAllowed": true
                },
                {
                "type": "kill",
                "isAllowed": true
                }
            ],
            "users": [
                "admin"
            ],
            "groups": [
                "us_users"
            ],
            "roles": [],
            "conditions": [],
            "delegateAdmin": false
            }
        ],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        },
        {
        "id": 279,
        "guid": "42527a18-7230-491f-b435-c356ccd5e3e6",
        "isEnabled": true,
        "version": 1,
        "service": "privacera_starburst",
        "name": "Medical Record Number Mask",
        "policyType": 1,
        "policyPriority": 0,
        "description": "",
        "isAuditEnabled": true,
        "resources": {
            "schema": {
            "values": [
                "claims"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "catalog": {
            "values": [
                "oracle"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "column": {
            "values": [
                "desynpuf_id"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "table": {
            "values": [
                "claim_outpat"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "conditions": [],
        "policyItems": [],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [
            {
            "accesses": [
                {
                "type": "select",
                "isAllowed": true
                }
            ],
            "users": [],
            "groups": [
                "clinical"
            ],
            "roles": [],
            "conditions": [],
            "delegateAdmin": false,
            "dataMaskInfo": {
                "dataMaskType": "MASK_HASH"
            }
            }
        ],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        },
        {
        "id": 280,
        "guid": "e28cdb6d-2c12-4eb4-b9d3-6d00d1bea2bd",
        "isEnabled": true,
        "version": 4,
        "service": "privacera_starburst",
        "name": "Oracle catalog access",
        "policyType": 0,
        "policyPriority": 0,
        "description": "",
        "isAuditEnabled": true,
        "resources": {
            "session-property": {
            "values": [
                "*"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "catalog": {
            "values": [
                "oracle"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "conditions": [],
        "policyItems": [
            {
            "accesses": [
                {
                "type": "select",
                "isAllowed": true
                },
                {
                "type": "execute",
                "isAllowed": true
                }
            ],
            "users": [
                "admin"
            ],
            "groups": [
                "public"
            ],
            "roles": [],
            "conditions": [],
            "delegateAdmin": false
            }
        ],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        },
        {
        "id": 281,
        "guid": "1a7db411-a786-4ab1-ba6c-bb98f48f33ca",
        "isEnabled": true,
        "version": 2,
        "service": "privacera_starburst",
        "name": "Medical Record Number Access",
        "policyType": 0,
        "policyPriority": 0,
        "description": "",
        "isAuditEnabled": true,
        "resources": {
            "schema": {
            "values": [
                "claims"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "catalog": {
            "values": [
                "oracle"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "column": {
            "values": [
                "desynpuf_id"
            ],
            "isExcludes": false,
            "isRecursive": false
            },
            "table": {
            "values": [
                "claim_outpat"
            ],
            "isExcludes": false,
            "isRecursive": false
            }
        },
        "conditions": [],
        "policyItems": [
            {
            "accesses": [
                {
                "type": "select",
                "isAllowed": true
                }
            ],
            "users": [
                "admin"
            ],
            "groups": [
                "clinical"
            ],
            "roles": [],
            "conditions": [],
            "delegateAdmin": false
            }
        ],
        "denyPolicyItems": [],
        "allowExceptions": [],
        "denyExceptions": [],
        "dataMaskPolicyItems": [],
        "rowFilterPolicyItems": [],
        "serviceType": "starburst-enterprise-presto",
        "options": {},
        "validitySchedules": [],
        "policyLabels": [],
        "zoneName": "",
        "isDenyAllElse": false
        }
    ],
    "serviceDef": {
        "id": 119,
        "guid": "d90c596b-e2c0-4f44-aa12-303f3d98c819",
        "isEnabled": true,
        "createdBy": "Admin",
        "updatedBy": "Admin",
        "createTime": 1602619696000,
        "updateTime": 1602619696000,
        "version": 1,
        "name": "starburst-enterprise-presto",
        "displayName": "starburst-enterprise-presto",
        "implClass": "com.starburstdata.ranger.services.presto.RangerServiceStarburstPresto",
        "label": "Starburst Enterprise Presto",
        "description": "Starburst Enterprise Presto",
        "options": {
        "enableDenyAndExceptionsInPolicies": "true"
        },
        "configs": [
        {
            "itemId": 1,
            "name": "username",
            "type": "string",
            "mandatory": true,
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Username"
        },
        {
            "itemId": 2,
            "name": "password",
            "type": "password",
            "mandatory": false,
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Password"
        },
        {
            "itemId": 3,
            "name": "jdbc.driverClassName",
            "type": "string",
            "mandatory": true,
            "defaultValue": "io.prestosql.jdbc.PrestoDriver",
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": ""
        },
        {
            "itemId": 4,
            "name": "jdbc.url",
            "type": "string",
            "mandatory": true,
            "defaultValue": "",
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": ""
        },
        {
            "itemId": 5,
            "name": "resource-lookup",
            "type": "enum",
            "subType": "check",
            "mandatory": false,
            "defaultValue": "true",
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Resource look-up"
        },
        {
            "itemId": 6,
            "name": "commonNameForCertificate",
            "type": "string",
            "mandatory": false,
            "label": "Common Name for Certificate"
        }
        ],
        "resources": [
        {
            "itemId": 1,
            "name": "catalog",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Catalog",
            "description": "Catalog",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
        },
        {
            "itemId": 5,
            "name": "function",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Function",
            "description": "Function",
            "accessTypeRestrictions": [
            "execute"
            ],
            "isValidLeaf": true
        },
        {
            "itemId": 8,
            "name": "system-session-property",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "System session property",
            "description": "System session property",
            "accessTypeRestrictions": [
            "update"
            ],
            "isValidLeaf": true
        },
        {
            "itemId": 9,
            "name": "query",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Query",
            "description": "Query",
            "accessTypeRestrictions": [
            "select",
            "kill",
            "execute"
            ],
            "isValidLeaf": true
        },
        {
            "itemId": 2,
            "name": "schema",
            "type": "string",
            "level": 20,
            "parent": "catalog",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Schema",
            "description": "Schema",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
        },
        {
            "itemId": 7,
            "name": "session-property",
            "type": "string",
            "level": 20,
            "parent": "catalog",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Session property",
            "description": "Session property",
            "accessTypeRestrictions": [
            "update"
            ],
            "isValidLeaf": true
        },
        {
            "itemId": 3,
            "name": "table",
            "type": "string",
            "level": 30,
            "parent": "schema",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Table",
            "description": "Table",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
        },
        {
            "itemId": 6,
            "name": "procedure",
            "type": "string",
            "level": 30,
            "parent": "schema",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Procedure",
            "description": "Procedure",
            "accessTypeRestrictions": [
            "execute"
            ],
            "isValidLeaf": true
        },
        {
            "itemId": 4,
            "name": "column",
            "type": "string",
            "level": 40,
            "parent": "table",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": true,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
            "wildCard": "true",
            "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "",
            "label": "Column",
            "description": "Column",
            "accessTypeRestrictions": [
            "select",
            "ownership",
            "insert",
            "update",
            "delete"
            ],
            "isValidLeaf": true
        }
        ],
        "accessTypes": [
        {
            "itemId": 1,
            "name": "select",
            "label": "Select",
            "impliedGrants": []
        },
        {
            "itemId": 2,
            "name": "insert",
            "label": "Insert",
            "impliedGrants": []
        },
        {
            "itemId": 3,
            "name": "delete",
            "label": "Delete",
            "impliedGrants": []
        },
        {
            "itemId": 4,
            "name": "update",
            "label": "Update",
            "impliedGrants": []
        },
        {
            "itemId": 5,
            "name": "ownership",
            "label": "Ownership",
            "impliedGrants": [
            "select",
            "insert",
            "delete",
            "update"
            ]
        },
        {
            "itemId": 6,
            "name": "execute",
            "label": "Execute",
            "impliedGrants": []
        },
        {
            "itemId": 7,
            "name": "kill",
            "label": "Kill",
            "impliedGrants": []
        }
        ],
        "policyConditions": [],
        "contextEnrichers": [],
        "enums": [
        {
            "itemId": 1,
            "name": "check",
            "elements": [
            {
                "itemId": 1,
                "name": "true",
                "label": "Enabled"
            },
            {
                "itemId": 2,
                "name": "false",
                "label": "Disabled"
            }
            ],
            "defaultIndex": 0
        }
        ],
        "dataMaskDef": {
        "maskTypes": [
            {
            "itemId": 1,
            "name": "MASK",
            "label": "Mask",
            "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
            "transformer": "mask({col})",
            "dataMaskOptions": {}
            },
            {
            "itemId": 2,
            "name": "MASK_SHOW_LAST_4",
            "label": "Partial mask: show last 4",
            "description": "Show last 4 characters; replace rest with 'x'",
            "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')",
            "dataMaskOptions": {}
            },
            {
            "itemId": 3,
            "name": "MASK_SHOW_FIRST_4",
            "label": "Partial mask: show first 4",
            "description": "Show first 4 characters; replace rest with 'x'",
            "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')",
            "dataMaskOptions": {}
            },
            {
            "itemId": 4,
            "name": "MASK_HASH",
            "label": "Hash",
            "description": "Hash the value",
            "transformer": "mask_hash({col})",
            "dataMaskOptions": {}
            },
            {
            "itemId": 5,
            "name": "MASK_NULL",
            "label": "Nullify",
            "description": "Replace with NULL",
            "dataMaskOptions": {}
            }
        ],
        "accessTypes": [
            {
            "itemId": 1,
            "name": "select",
            "label": "Select",
            "impliedGrants": []
            }
        ],
        "resources": [
            {
            "itemId": 1,
            "name": "catalog",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Catalog",
            "description": "Catalog",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
            },
            {
            "itemId": 2,
            "name": "schema",
            "type": "string",
            "level": 20,
            "parent": "catalog",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Schema",
            "description": "Schema",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
            },
            {
            "itemId": 3,
            "name": "table",
            "type": "string",
            "level": 30,
            "parent": "schema",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Table",
            "description": "Table",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
            },
            {
            "itemId": 4,
            "name": "column",
            "type": "string",
            "level": 40,
            "parent": "table",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Column",
            "description": "Column",
            "accessTypeRestrictions": [
                "select",
                "ownership",
                "insert",
                "update",
                "delete"
            ],
            "isValidLeaf": true
            }
        ]
        },
        "rowFilterDef": {
        "accessTypes": [
            {
            "itemId": 1,
            "name": "select",
            "label": "Select",
            "impliedGrants": []
            }
        ],
        "resources": [
            {
            "itemId": 1,
            "name": "catalog",
            "type": "string",
            "level": 10,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Catalog",
            "description": "Catalog",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
            },
            {
            "itemId": 2,
            "name": "schema",
            "type": "string",
            "level": 20,
            "parent": "catalog",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Schema",
            "description": "Schema",
            "accessTypeRestrictions": [],
            "isValidLeaf": false
            },
            {
            "itemId": 3,
            "name": "table",
            "type": "string",
            "level": 30,
            "parent": "schema",
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "true"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":true }",
            "label": "Table",
            "description": "Table",
            "accessTypeRestrictions": [],
            "isValidLeaf": true
            }
        ]
        }
    },
    "auditMode": "audit-default",
    "tagPolicies": {
        "serviceName": "privacera_tag",
        "serviceId": 2,
        "policyVersion": 145,
        "policyUpdateTime": 1610588253000,
        "policies": [
        {
            "id": 8,
            "guid": "0192c692-c3c7-4374-bdda-5ad225bb3da9",
            "isEnabled": true,
            "version": 3,
            "service": "privacera_tag",
            "name": "EXPIRES_ON",
            "policyType": 0,
            "policyPriority": 0,
            "description": "Policy for data with EXPIRES_ON tag",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "EXPIRES_ON"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "policyItems": [],
            "denyPolicyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                },
                {
                    "type": "hive:update",
                    "isAllowed": true
                },
                {
                    "type": "hive:create",
                    "isAllowed": true
                },
                {
                    "type": "hive:drop",
                    "isAllowed": true
                },
                {
                    "type": "hive:alter",
                    "isAllowed": true
                },
                {
                    "type": "hive:index",
                    "isAllowed": true
                },
                {
                    "type": "hive:lock",
                    "isAllowed": true
                },
                {
                    "type": "hive:all",
                    "isAllowed": true
                },
                {
                    "type": "hive:read",
                    "isAllowed": true
                },
                {
                    "type": "hive:write",
                    "isAllowed": true
                },
                {
                    "type": "kms:create",
                    "isAllowed": true
                },
                {
                    "type": "kms:delete",
                    "isAllowed": true
                },
                {
                    "type": "kms:rollover",
                    "isAllowed": true
                },
                {
                    "type": "kms:setkeymaterial",
                    "isAllowed": true
                },
                {
                    "type": "kms:get",
                    "isAllowed": true
                },
                {
                    "type": "kms:getkeys",
                    "isAllowed": true
                },
                {
                    "type": "kms:getmetadata",
                    "isAllowed": true
                },
                {
                    "type": "kms:generateeek",
                    "isAllowed": true
                },
                {
                    "type": "kms:decrypteek",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "public"
                ],
                "roles": [],
                "conditions": [
                {
                    "type": "accessed-after-expiry",
                    "values": [
                    "yes"
                    ]
                }
                ],
                "delegateAdmin": false
            }
            ],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        },
        {
            "id": 93,
            "guid": "a9f9f5ba-33fe-48a5-9b7e-e10a938a66bd",
            "isEnabled": true,
            "version": 2,
            "service": "privacera_tag",
            "name": "UNPROTECT_CC",
            "policyType": 1,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "PROTECTED_CC"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "policyItems": [],
            "denyPolicyItems": [],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                }
                ],
                "users": [
                "kate"
                ],
                "groups": [],
                "roles": [
                "fiona_sales_role"
                ],
                "conditions": [],
                "delegateAdmin": false,
                "dataMaskInfo": {
                "dataMaskType": "hive:CUSTOM",
                "valueExpr": "privacera.unprotect({col},'CREDITCARD')"
                }
            }
            ],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        },
        {
            "id": 117,
            "guid": "4e1dfe80-b1e8-4870-96bf-178f62ec82a7",
            "isEnabled": true,
            "version": 1,
            "service": "privacera_tag",
            "name": "Decrypt SSN",
            "policyType": 1,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "SSN"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [],
            "denyPolicyItems": [],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "public"
                ],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false,
                "dataMaskInfo": {
                "dataMaskType": "hive:CUSTOM",
                "valueExpr": "privacera.unprotect({col}, 'TEST')"
                }
            }
            ],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        },
        {
            "id": 173,
            "guid": "3c07813a-53a9-4af5-82fe-6c93cdb95b49",
            "isEnabled": true,
            "version": 13,
            "service": "privacera_tag",
            "name": "COE Access",
            "policyType": 0,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "REQ_COE_CERT"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [],
            "denyPolicyItems": [
            {
                "accesses": [
                {
                    "type": "s3:read",
                    "isAllowed": true
                },
                {
                    "type": "s3:write",
                    "isAllowed": true
                },
                {
                    "type": "s3:delete",
                    "isAllowed": true
                },
                {
                    "type": "s3:mread",
                    "isAllowed": true
                },
                {
                    "type": "s3:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "s3:admin",
                    "isAllowed": true
                },
                {
                    "type": "athena:Alter",
                    "isAllowed": true
                },
                {
                    "type": "athena:BatchGetNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:BatchGetQueryExecution",
                    "isAllowed": true
                },
                {
                    "type": "athena:Create",
                    "isAllowed": true
                },
                {
                    "type": "athena:CreateNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:CreateWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:DeleteNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:DeleteWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:Drop",
                    "isAllowed": true
                },
                {
                    "type": "athena:GetNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:GetWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListNamedQueries",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListQueryExecutions",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListTagsForResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListWorkGroups",
                    "isAllowed": true
                },
                {
                    "type": "athena:Select",
                    "isAllowed": true
                },
                {
                    "type": "athena:StopQueryExecution",
                    "isAllowed": true
                },
                {
                    "type": "athena:TagResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:UntagResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:UpdateWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "adls:read",
                    "isAllowed": true
                },
                {
                    "type": "adls:write",
                    "isAllowed": true
                },
                {
                    "type": "adls:delete",
                    "isAllowed": true
                },
                {
                    "type": "adls:mread",
                    "isAllowed": true
                },
                {
                    "type": "adls:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "adls:admin",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "public"
                ],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "allowExceptions": [],
            "denyExceptions": [
            {
                "accesses": [
                {
                    "type": "s3:read",
                    "isAllowed": true
                },
                {
                    "type": "s3:write",
                    "isAllowed": true
                },
                {
                    "type": "s3:delete",
                    "isAllowed": true
                },
                {
                    "type": "s3:mread",
                    "isAllowed": true
                },
                {
                    "type": "s3:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "athena:Alter",
                    "isAllowed": true
                },
                {
                    "type": "athena:BatchGetNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:BatchGetQueryExecution",
                    "isAllowed": true
                },
                {
                    "type": "athena:Create",
                    "isAllowed": true
                },
                {
                    "type": "athena:CreateNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:CreateWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:DeleteNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:DeleteWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:Drop",
                    "isAllowed": true
                },
                {
                    "type": "athena:GetNamedQuery",
                    "isAllowed": true
                },
                {
                    "type": "athena:GetWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListNamedQueries",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListQueryExecutions",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListTagsForResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:ListWorkGroups",
                    "isAllowed": true
                },
                {
                    "type": "athena:Select",
                    "isAllowed": true
                },
                {
                    "type": "athena:StopQueryExecution",
                    "isAllowed": true
                },
                {
                    "type": "athena:TagResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:UntagResource",
                    "isAllowed": true
                },
                {
                    "type": "athena:UpdateWorkGroup",
                    "isAllowed": true
                },
                {
                    "type": "adls:read",
                    "isAllowed": true
                },
                {
                    "type": "adls:write",
                    "isAllowed": true
                },
                {
                    "type": "adls:delete",
                    "isAllowed": true
                },
                {
                    "type": "adls:mread",
                    "isAllowed": true
                },
                {
                    "type": "adls:mwrite",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [],
                "roles": [
                "coe_certified_role"
                ],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "Sales Zone",
            "isDenyAllElse": false
        },
        {
            "id": 175,
            "guid": "56cd874e-c0c0-4166-b0de-e0fd262bb5ad",
            "isEnabled": true,
            "version": 6,
            "service": "privacera_tag",
            "name": "SPI Phone Access",
            "policyType": 0,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "SSN",
                "PERSON_NAME"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [],
            "denyPolicyItems": [
            {
                "accesses": [
                {
                    "type": "s3:read",
                    "isAllowed": true
                },
                {
                    "type": "s3:write",
                    "isAllowed": true
                },
                {
                    "type": "s3:delete",
                    "isAllowed": true
                },
                {
                    "type": "s3:mread",
                    "isAllowed": true
                },
                {
                    "type": "s3:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "s3:admin",
                    "isAllowed": true
                },
                {
                    "type": "adls:read",
                    "isAllowed": true
                },
                {
                    "type": "adls:write",
                    "isAllowed": true
                },
                {
                    "type": "adls:delete",
                    "isAllowed": true
                },
                {
                    "type": "adls:mread",
                    "isAllowed": true
                },
                {
                    "type": "adls:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "adls:admin",
                    "isAllowed": true
                },
                {
                    "type": "gcs:read",
                    "isAllowed": true
                },
                {
                    "type": "gcs:write",
                    "isAllowed": true
                },
                {
                    "type": "gcs:delete",
                    "isAllowed": true
                },
                {
                    "type": "gcs:mread",
                    "isAllowed": true
                },
                {
                    "type": "gcs:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "gcs:admin",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "public"
                ],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        },
        {
            "id": 259,
            "guid": "e29b71e0-bb3a-48aa-a5b5-c40357206bf5",
            "isEnabled": true,
            "version": 1,
            "service": "privacera_tag",
            "name": "abc",
            "policyType": 0,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "PLAYER"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                },
                {
                    "type": "hive:update",
                    "isAllowed": true
                },
                {
                    "type": "hive:create",
                    "isAllowed": true
                },
                {
                    "type": "hive:drop",
                    "isAllowed": true
                },
                {
                    "type": "hive:alter",
                    "isAllowed": true
                },
                {
                    "type": "hive:index",
                    "isAllowed": true
                },
                {
                    "type": "hive:lock",
                    "isAllowed": true
                },
                {
                    "type": "hive:all",
                    "isAllowed": true
                },
                {
                    "type": "hive:read",
                    "isAllowed": true
                },
                {
                    "type": "hive:write",
                    "isAllowed": true
                },
                {
                    "type": "redshift:CreateDatabase",
                    "isAllowed": true
                },
                {
                    "type": "redshift:CreateSchema",
                    "isAllowed": true
                },
                {
                    "type": "redshift:UsageSchema",
                    "isAllowed": true
                },
                {
                    "type": "redshift:CreateTable",
                    "isAllowed": true
                },
                {
                    "type": "redshift:Select",
                    "isAllowed": true
                },
                {
                    "type": "redshift:Insert",
                    "isAllowed": true
                },
                {
                    "type": "redshift:Update",
                    "isAllowed": true
                },
                {
                    "type": "redshift:Delete",
                    "isAllowed": true
                },
                {
                    "type": "redshift:ListClusters",
                    "isAllowed": true
                },
                {
                    "type": "redshift:CreateCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:UpdateCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:DeleteCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:ResizeCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:PauseCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:RebootCluster",
                    "isAllowed": true
                },
                {
                    "type": "redshift:CreateSnapshot",
                    "isAllowed": true
                },
                {
                    "type": "redshift:RestoreSnapshot",
                    "isAllowed": true
                }
                ],
                "users": [
                "emily"
                ],
                "groups": [],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "denyPolicyItems": [],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        },
        {
            "id": 261,
            "guid": "dabb75b3-0c4a-49bc-8e89-2050b7ef52a2",
            "isEnabled": true,
            "version": 1,
            "service": "privacera_tag",
            "name": "PATIENT data access",
            "policyType": 0,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "PATIENT"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                },
                {
                    "type": "snowflake:Select",
                    "isAllowed": true
                },
                {
                    "type": "redshift:UsageSchema",
                    "isAllowed": true
                },
                {
                    "type": "redshift:Select",
                    "isAllowed": true
                }
                ],
                "users": [
                "emily",
                "imad.qureshi"
                ],
                "groups": [],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "denyPolicyItems": [],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "Sales Zone",
            "isDenyAllElse": false
        },
        {
            "id": 262,
            "guid": "9a687ae8-124e-47e4-a7cd-a6280fab8306",
            "isEnabled": true,
            "version": 21,
            "service": "privacera_tag",
            "name": "Deny SSN to offshore",
            "policyType": 0,
            "policyPriority": 0,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "SSN"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [],
            "denyPolicyItems": [
            {
                "accesses": [
                {
                    "type": "hive:select",
                    "isAllowed": true
                },
                {
                    "type": "hive:read",
                    "isAllowed": true
                },
                {
                    "type": "s3:read",
                    "isAllowed": true
                },
                {
                    "type": "adls:read",
                    "isAllowed": true
                },
                {
                    "type": "adls:write",
                    "isAllowed": true
                },
                {
                    "type": "adls:delete",
                    "isAllowed": true
                },
                {
                    "type": "adls:mread",
                    "isAllowed": true
                },
                {
                    "type": "adls:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "adls:admin",
                    "isAllowed": true
                },
                {
                    "type": "gcs:read",
                    "isAllowed": true
                },
                {
                    "type": "gcs:write",
                    "isAllowed": true
                },
                {
                    "type": "gcs:delete",
                    "isAllowed": true
                },
                {
                    "type": "gcs:mread",
                    "isAllowed": true
                },
                {
                    "type": "gcs:mwrite",
                    "isAllowed": true
                },
                {
                    "type": "gcs:admin",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [],
                "roles": [
                "offshore"
                ],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "allowExceptions": [],
            "denyExceptions": [],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "Sales Zone",
            "isDenyAllElse": false
        },
        {
            "id": 278,
            "guid": "ea05eba4-8f94-4d3a-a9b9-1dc18d0aa86e",
            "isEnabled": true,
            "version": 2,
            "service": "privacera_tag",
            "name": "Medical Record Number Access",
            "policyType": 0,
            "policyPriority": 1,
            "description": "",
            "isAuditEnabled": true,
            "resources": {
            "tag": {
                "values": [
                "MEDICAL_RECORD"
                ],
                "isExcludes": false,
                "isRecursive": false
            }
            },
            "conditions": [],
            "policyItems": [],
            "denyPolicyItems": [
            {
                "accesses": [
                {
                    "type": "starburst-enterprise-presto:select",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:insert",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:delete",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:update",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:ownership",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:execute",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:kill",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "public"
                ],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "allowExceptions": [],
            "denyExceptions": [
            {
                "accesses": [
                {
                    "type": "starburst-enterprise-presto:select",
                    "isAllowed": true
                },
                {
                    "type": "starburst-enterprise-presto:execute",
                    "isAllowed": true
                }
                ],
                "users": [],
                "groups": [
                "clinical"
                ],
                "roles": [],
                "conditions": [],
                "delegateAdmin": false
            }
            ],
            "dataMaskPolicyItems": [],
            "rowFilterPolicyItems": [],
            "serviceType": "tag",
            "options": {},
            "validitySchedules": [],
            "policyLabels": [],
            "zoneName": "",
            "isDenyAllElse": false
        }
        ],
        "serviceDef": {
        "id": 100,
        "guid": "0d047248-baff-4cf9-8e9e-d5d377284b2e",
        "isEnabled": true,
        "createdBy": "Admin",
        "updatedBy": "Admin",
        "createTime": 1588366042000,
        "updateTime": 1602619697000,
        "version": 26,
        "name": "tag",
        "displayName": "tag",
        "implClass": "org.apache.ranger.services.tag.RangerServiceTag",
        "label": "TAG",
        "description": "TAG Service Definition",
        "options": {
            "enableDenyAndExceptionsInPolicies": "true",
            "ui.pages": "tag-based-policies"
        },
        "configs": [],
        "resources": [
            {
            "itemId": 1,
            "name": "tag",
            "type": "string",
            "level": 1,
            "mandatory": true,
            "lookupSupported": true,
            "recursiveSupported": false,
            "excludesSupported": false,
            "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
            "matcherOptions": {
                "wildCard": "false",
                "ignoreCase": "false"
            },
            "validationRegEx": "",
            "validationMessage": "",
            "uiHint": "{ \"singleValue\":false }",
            "label": "TAG",
            "description": "TAG",
            "accessTypeRestrictions": [],
            "isValidLeaf": true
            }
        ],
        "accessTypes": [
            {
            "itemId": 3004,
            "name": "hive:select",
            "label": "select",
            "impliedGrants": []
            },
            {
            "itemId": 3005,
            "name": "hive:update",
            "label": "update",
            "impliedGrants": []
            },
            {
            "itemId": 3006,
            "name": "hive:create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 3007,
            "name": "hive:drop",
            "label": "Drop",
            "impliedGrants": []
            },
            {
            "itemId": 3008,
            "name": "hive:alter",
            "label": "Alter",
            "impliedGrants": []
            },
            {
            "itemId": 3009,
            "name": "hive:index",
            "label": "Index",
            "impliedGrants": []
            },
            {
            "itemId": 3010,
            "name": "hive:lock",
            "label": "Lock",
            "impliedGrants": []
            },
            {
            "itemId": 3011,
            "name": "hive:all",
            "label": "All",
            "impliedGrants": [
                "hive:select",
                "hive:update",
                "hive:create",
                "hive:drop",
                "hive:alter",
                "hive:index",
                "hive:lock",
                "hive:read",
                "hive:write"
            ]
            },
            {
            "itemId": 3012,
            "name": "hive:read",
            "label": "Read",
            "impliedGrants": []
            },
            {
            "itemId": 3013,
            "name": "hive:write",
            "label": "Write",
            "impliedGrants": []
            },
            {
            "itemId": 7008,
            "name": "kms:create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 7009,
            "name": "kms:delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 7010,
            "name": "kms:rollover",
            "label": "Rollover",
            "impliedGrants": []
            },
            {
            "itemId": 7011,
            "name": "kms:setkeymaterial",
            "label": "Set Key Material",
            "impliedGrants": []
            },
            {
            "itemId": 7012,
            "name": "kms:get",
            "label": "Get",
            "impliedGrants": []
            },
            {
            "itemId": 7013,
            "name": "kms:getkeys",
            "label": "Get Keys",
            "impliedGrants": []
            },
            {
            "itemId": 7014,
            "name": "kms:getmetadata",
            "label": "Get Metadata",
            "impliedGrants": []
            },
            {
            "itemId": 7015,
            "name": "kms:generateeek",
            "label": "Generate EEK",
            "impliedGrants": []
            },
            {
            "itemId": 7016,
            "name": "kms:decrypteek",
            "label": "Decrypt EEK",
            "impliedGrants": []
            },
            {
            "itemId": 101102,
            "name": "s3:read",
            "label": "read",
            "impliedGrants": []
            },
            {
            "itemId": 101103,
            "name": "s3:write",
            "label": "write",
            "impliedGrants": []
            },
            {
            "itemId": 101104,
            "name": "s3:delete",
            "label": "delete",
            "impliedGrants": []
            },
            {
            "itemId": 101105,
            "name": "s3:mread",
            "label": "metadata read",
            "impliedGrants": []
            },
            {
            "itemId": 101106,
            "name": "s3:mwrite",
            "label": "metadata write",
            "impliedGrants": []
            },
            {
            "itemId": 101107,
            "name": "s3:admin",
            "label": "admin",
            "impliedGrants": []
            },
            {
            "itemId": 102103,
            "name": "dynamodb:read",
            "label": "Read",
            "impliedGrants": []
            },
            {
            "itemId": 102104,
            "name": "dynamodb:write",
            "label": "Write",
            "impliedGrants": []
            },
            {
            "itemId": 102105,
            "name": "dynamodb:create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 102106,
            "name": "dynamodb:delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 102107,
            "name": "dynamodb:listtables",
            "label": "ListTables",
            "impliedGrants": []
            },
            {
            "itemId": 102108,
            "name": "dynamodb:admin",
            "label": "Admin",
            "impliedGrants": [
                "dynamodb:read",
                "dynamodb:write",
                "dynamodb:create",
                "dynamodb:delete",
                "dynamodb:listtables"
            ]
            },
            {
            "itemId": 103104,
            "name": "athena:Alter",
            "label": "Alter",
            "impliedGrants": []
            },
            {
            "itemId": 103105,
            "name": "athena:BatchGetNamedQuery",
            "label": "BatchGetNamedQuery",
            "impliedGrants": []
            },
            {
            "itemId": 103106,
            "name": "athena:BatchGetQueryExecution",
            "label": "BatchGetQueryExecution",
            "impliedGrants": []
            },
            {
            "itemId": 103107,
            "name": "athena:Create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 103108,
            "name": "athena:CreateNamedQuery",
            "label": "CreateNamedQuery",
            "impliedGrants": []
            },
            {
            "itemId": 103109,
            "name": "athena:CreateWorkGroup",
            "label": "CreateWorkGroup",
            "impliedGrants": []
            },
            {
            "itemId": 103110,
            "name": "athena:DeleteNamedQuery",
            "label": "DeleteNamedQuery",
            "impliedGrants": []
            },
            {
            "itemId": 103111,
            "name": "athena:DeleteWorkGroup",
            "label": "DeleteWorkGroup",
            "impliedGrants": []
            },
            {
            "itemId": 103112,
            "name": "athena:Drop",
            "label": "Drop",
            "impliedGrants": []
            },
            {
            "itemId": 103113,
            "name": "athena:GetNamedQuery",
            "label": "GetNamedQuery",
            "impliedGrants": []
            },
            {
            "itemId": 103114,
            "name": "athena:GetWorkGroup",
            "label": "GetWorkGroup",
            "impliedGrants": []
            },
            {
            "itemId": 103115,
            "name": "athena:ListNamedQueries",
            "label": "ListNamedQueries",
            "impliedGrants": []
            },
            {
            "itemId": 103116,
            "name": "athena:ListQueryExecutions",
            "label": "ListQueryExecutions",
            "impliedGrants": []
            },
            {
            "itemId": 103117,
            "name": "athena:ListTagsForResource",
            "label": "ListTagsForResource",
            "impliedGrants": []
            },
            {
            "itemId": 103118,
            "name": "athena:ListWorkGroups",
            "label": "ListWorkGroups",
            "impliedGrants": []
            },
            {
            "itemId": 103119,
            "name": "athena:Select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 103120,
            "name": "athena:StopQueryExecution",
            "label": "StopQueryExecution",
            "impliedGrants": []
            },
            {
            "itemId": 103121,
            "name": "athena:TagResource",
            "label": "TagResource",
            "impliedGrants": []
            },
            {
            "itemId": 103122,
            "name": "athena:UntagResource",
            "label": "UntagResource",
            "impliedGrants": []
            },
            {
            "itemId": 103123,
            "name": "athena:UpdateWorkGroup",
            "label": "UpdateWorkGroup",
            "impliedGrants": []
            },
            {
            "itemId": 104105,
            "name": "glue:GetCatalogImportStatus",
            "label": "GetCatalogImportStatus",
            "impliedGrants": []
            },
            {
            "itemId": 104106,
            "name": "glue:GetDatabases",
            "label": "GetDatabases",
            "impliedGrants": []
            },
            {
            "itemId": 104107,
            "name": "glue:GetDatabase",
            "label": "GetDatabase",
            "impliedGrants": []
            },
            {
            "itemId": 104108,
            "name": "glue:GetTables",
            "label": "GetTables",
            "impliedGrants": []
            },
            {
            "itemId": 104109,
            "name": "glue:GetTable",
            "label": "GetTable",
            "impliedGrants": []
            },
            {
            "itemId": 104110,
            "name": "glue:CreateTable",
            "label": "CreateTable",
            "impliedGrants": []
            },
            {
            "itemId": 104111,
            "name": "glue:CreateDatabase",
            "label": "CreateDatabase",
            "impliedGrants": []
            },
            {
            "itemId": 104112,
            "name": "glue:DeleteDatabase",
            "label": "DeleteDatabase",
            "impliedGrants": []
            },
            {
            "itemId": 104113,
            "name": "glue:DeleteTable",
            "label": "DeleteTable",
            "impliedGrants": []
            },
            {
            "itemId": 106107,
            "name": "kinesis:AddTagsToStream",
            "label": "AddTagsToStream",
            "impliedGrants": []
            },
            {
            "itemId": 106108,
            "name": "kinesis:CreateStream",
            "label": "CreateStream",
            "impliedGrants": []
            },
            {
            "itemId": 106109,
            "name": "kinesis:DecreaseStreamRetentionPeriod",
            "label": "DecreaseStreamRetentionPeriod",
            "impliedGrants": []
            },
            {
            "itemId": 106110,
            "name": "kinesis:DeleteStream",
            "label": "DeleteStream",
            "impliedGrants": []
            },
            {
            "itemId": 106111,
            "name": "kinesis:DeregisterStreamConsumer",
            "label": "DeregisterStreamConsumer",
            "impliedGrants": []
            },
            {
            "itemId": 106112,
            "name": "kinesis:DescribeLimits",
            "label": "DescribeLimits",
            "impliedGrants": []
            },
            {
            "itemId": 106113,
            "name": "kinesis:DescribeStream",
            "label": "DescribeStream",
            "impliedGrants": []
            },
            {
            "itemId": 106114,
            "name": "kinesis:DescribeStreamConsumer",
            "label": "DescribeStreamConsumer",
            "impliedGrants": []
            },
            {
            "itemId": 106115,
            "name": "kinesis:DescribeStreamSummary",
            "label": "DescribeStreamSummary",
            "impliedGrants": []
            },
            {
            "itemId": 106116,
            "name": "kinesis:DisableEnhancedMonitoring",
            "label": "DisableEnhancedMonitoring",
            "impliedGrants": []
            },
            {
            "itemId": 106117,
            "name": "kinesis:EnableEnhancedMonitoring",
            "label": "EnableEnhancedMonitoring",
            "impliedGrants": []
            },
            {
            "itemId": 106118,
            "name": "kinesis:GetRecords",
            "label": "GetRecords",
            "impliedGrants": []
            },
            {
            "itemId": 106119,
            "name": "kinesis:GetShardIterator",
            "label": "GetShardIterator",
            "impliedGrants": []
            },
            {
            "itemId": 106120,
            "name": "kinesis:IncreaseStreamRetentionPeriod",
            "label": "IncreaseStreamRetentionPeriod",
            "impliedGrants": []
            },
            {
            "itemId": 106121,
            "name": "kinesis:ListShards",
            "label": "ListShards",
            "impliedGrants": []
            },
            {
            "itemId": 106122,
            "name": "kinesis:ListStreamConsumers",
            "label": "ListStreamConsumers",
            "impliedGrants": []
            },
            {
            "itemId": 106123,
            "name": "kinesis:ListStreams",
            "label": "ListStreams",
            "impliedGrants": []
            },
            {
            "itemId": 106124,
            "name": "kinesis:ListTagsForStream",
            "label": "ListTagsForStream",
            "impliedGrants": []
            },
            {
            "itemId": 106125,
            "name": "kinesis:MergeShards",
            "label": "MergeShards",
            "impliedGrants": []
            },
            {
            "itemId": 106126,
            "name": "kinesis:PutRecord",
            "label": "PutRecord",
            "impliedGrants": []
            },
            {
            "itemId": 106127,
            "name": "kinesis:PutRecords",
            "label": "PutRecords",
            "impliedGrants": []
            },
            {
            "itemId": 106128,
            "name": "kinesis:RegisterStreamConsumer",
            "label": "RegisterStreamConsumer",
            "impliedGrants": []
            },
            {
            "itemId": 106129,
            "name": "kinesis:RemoveTagsFromStream",
            "label": "RemoveTagsFromStream",
            "impliedGrants": []
            },
            {
            "itemId": 106130,
            "name": "kinesis:SplitShard",
            "label": "SplitShard",
            "impliedGrants": []
            },
            {
            "itemId": 106131,
            "name": "kinesis:StartStreamEncryption",
            "label": "StartStreamEncryption",
            "impliedGrants": []
            },
            {
            "itemId": 106132,
            "name": "kinesis:StopStreamEncryption",
            "label": "StopStreamEncryption",
            "impliedGrants": []
            },
            {
            "itemId": 106133,
            "name": "kinesis:SubscribeToShard",
            "label": "SubscribeToShard",
            "impliedGrants": []
            },
            {
            "itemId": 106134,
            "name": "kinesis:UpdateShardCount",
            "label": "UpdateShardCount",
            "impliedGrants": []
            },
            {
            "itemId": 106135,
            "name": "kinesis:CreateDeliveryStream",
            "label": "CreateDeliveryStream",
            "impliedGrants": []
            },
            {
            "itemId": 106136,
            "name": "kinesis:DeleteDeliveryStream",
            "label": "DeleteDeliveryStream",
            "impliedGrants": []
            },
            {
            "itemId": 106137,
            "name": "kinesis:DescribeDeliveryStream",
            "label": "DescribeDeliveryStream",
            "impliedGrants": []
            },
            {
            "itemId": 106138,
            "name": "kinesis:ListDeliveryStreams",
            "label": "ListDeliveryStreams",
            "impliedGrants": []
            },
            {
            "itemId": 106139,
            "name": "kinesis:UpdateDestination",
            "label": "UpdateDestination",
            "impliedGrants": []
            },
            {
            "itemId": 107108,
            "name": "lambda:Create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 107109,
            "name": "lambda:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 107110,
            "name": "lambda:Execute",
            "label": "Execute",
            "impliedGrants": []
            },
            {
            "itemId": 107111,
            "name": "lambda:List",
            "label": "List",
            "impliedGrants": []
            },
            {
            "itemId": 107112,
            "name": "lambda:Read",
            "label": "Read",
            "impliedGrants": []
            },
            {
            "itemId": 107113,
            "name": "lambda:Write",
            "label": "Write",
            "impliedGrants": []
            },
            {
            "itemId": 108109,
            "name": "mssql:CreateDatabase",
            "label": "Create Database",
            "impliedGrants": []
            },
            {
            "itemId": 108110,
            "name": "mssql:CreateSchema",
            "label": "Create Schema",
            "impliedGrants": []
            },
            {
            "itemId": 108111,
            "name": "mssql:CreateTable",
            "label": "Create Table",
            "impliedGrants": []
            },
            {
            "itemId": 108112,
            "name": "mssql:Select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 108113,
            "name": "mssql:Insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 108114,
            "name": "mssql:Update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 108115,
            "name": "mssql:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 109110,
            "name": "adls:read",
            "label": "read",
            "impliedGrants": []
            },
            {
            "itemId": 109111,
            "name": "adls:write",
            "label": "write",
            "impliedGrants": []
            },
            {
            "itemId": 109112,
            "name": "adls:delete",
            "label": "delete",
            "impliedGrants": []
            },
            {
            "itemId": 109113,
            "name": "adls:mread",
            "label": "metadata read",
            "impliedGrants": []
            },
            {
            "itemId": 109114,
            "name": "adls:mwrite",
            "label": "metadata write",
            "impliedGrants": []
            },
            {
            "itemId": 109115,
            "name": "adls:admin",
            "label": "admin",
            "impliedGrants": []
            },
            {
            "itemId": 111112,
            "name": "kafka:publish",
            "label": "Publish",
            "impliedGrants": [
                "kafka:describe"
            ]
            },
            {
            "itemId": 111113,
            "name": "kafka:consume",
            "label": "Consume",
            "impliedGrants": [
                "kafka:describe"
            ]
            },
            {
            "itemId": 111116,
            "name": "kafka:configure",
            "label": "Configure",
            "impliedGrants": [
                "kafka:describe"
            ]
            },
            {
            "itemId": 111117,
            "name": "kafka:describe",
            "label": "Describe",
            "impliedGrants": []
            },
            {
            "itemId": 111118,
            "name": "kafka:kafka_admin",
            "label": "Kafka Admin",
            "impliedGrants": [
                "kafka:publish",
                "kafka:consume",
                "kafka:configure",
                "kafka:describe",
                "kafka:create",
                "kafka:delete",
                "kafka:describe_configs",
                "kafka:alter_configs",
                "kafka:idempotent_write",
                "kafka:cluster_action"
            ]
            },
            {
            "itemId": 111119,
            "name": "kafka:create",
            "label": "Create",
            "impliedGrants": []
            },
            {
            "itemId": 111120,
            "name": "kafka:delete",
            "label": "Delete",
            "impliedGrants": [
                "kafka:describe"
            ]
            },
            {
            "itemId": 111121,
            "name": "kafka:idempotent_write",
            "label": "Idempotent Write",
            "impliedGrants": []
            },
            {
            "itemId": 111122,
            "name": "kafka:describe_configs",
            "label": "Describe Configs",
            "impliedGrants": []
            },
            {
            "itemId": 111123,
            "name": "kafka:alter_configs",
            "label": "Alter Configs",
            "impliedGrants": [
                "kafka:describe_configs"
            ]
            },
            {
            "itemId": 111124,
            "name": "kafka:cluster_action",
            "label": "Cluster Action",
            "impliedGrants": []
            },
            {
            "itemId": 113114,
            "name": "powerbi:Contributor",
            "label": "Contributor",
            "impliedGrants": []
            },
            {
            "itemId": 113115,
            "name": "powerbi:Member",
            "label": "Member",
            "impliedGrants": []
            },
            {
            "itemId": 113116,
            "name": "powerbi:Admin",
            "label": "Admin",
            "impliedGrants": []
            },
            {
            "itemId": 113117,
            "name": "powerbi:None",
            "label": "None",
            "impliedGrants": []
            },
            {
            "itemId": 114115,
            "name": "gcs:read",
            "label": "read",
            "impliedGrants": []
            },
            {
            "itemId": 114116,
            "name": "gcs:write",
            "label": "write",
            "impliedGrants": []
            },
            {
            "itemId": 114117,
            "name": "gcs:delete",
            "label": "delete",
            "impliedGrants": []
            },
            {
            "itemId": 114118,
            "name": "gcs:mread",
            "label": "metadata read",
            "impliedGrants": []
            },
            {
            "itemId": 114119,
            "name": "gcs:mwrite",
            "label": "metadata write",
            "impliedGrants": []
            },
            {
            "itemId": 114120,
            "name": "gcs:admin",
            "label": "admin",
            "impliedGrants": []
            },
            {
            "itemId": 115116,
            "name": "gbq:CreateTable",
            "label": "CreateTable",
            "impliedGrants": []
            },
            {
            "itemId": 115117,
            "name": "gbq:CreateTableAsSelect",
            "label": "CreateTableAsSelect",
            "impliedGrants": []
            },
            {
            "itemId": 115118,
            "name": "gbq:CreateView",
            "label": "CreateView",
            "impliedGrants": []
            },
            {
            "itemId": 115119,
            "name": "gbq:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 115120,
            "name": "gbq:DropTable",
            "label": "DropTable",
            "impliedGrants": []
            },
            {
            "itemId": 115121,
            "name": "gbq:DropView",
            "label": "DropView",
            "impliedGrants": []
            },
            {
            "itemId": 115122,
            "name": "gbq:Insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 115123,
            "name": "gbq:Query",
            "label": "Query",
            "impliedGrants": []
            },
            {
            "itemId": 115124,
            "name": "gbq:Update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 116117,
            "name": "snowflake:CreateSchema",
            "label": "CreateSchema",
            "impliedGrants": []
            },
            {
            "itemId": 116118,
            "name": "snowflake:CreateTmpTable",
            "label": "CreateTmpTable",
            "impliedGrants": []
            },
            {
            "itemId": 116119,
            "name": "snowflake:CreateTable",
            "label": "CreateTable",
            "impliedGrants": []
            },
            {
            "itemId": 116120,
            "name": "snowflake:UseSchema",
            "label": "UseSchema",
            "impliedGrants": []
            },
            {
            "itemId": 116121,
            "name": "snowflake:Select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 116122,
            "name": "snowflake:Insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 116123,
            "name": "snowflake:Update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 116124,
            "name": "snowflake:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 116125,
            "name": "snowflake:UseDB",
            "label": "UseDB",
            "impliedGrants": []
            },
            {
            "itemId": 116126,
            "name": "snowflake:Operate",
            "label": "Operate",
            "impliedGrants": []
            },
            {
            "itemId": 116127,
            "name": "snowflake:UseWarehouse",
            "label": "UseWarehouse",
            "impliedGrants": []
            },
            {
            "itemId": 116128,
            "name": "snowflake:SelectOnView",
            "label": "SelectOnView",
            "impliedGrants": []
            },
            {
            "itemId": 116129,
            "name": "snowflake:CreateWarehouse",
            "label": "CreateWarehouse",
            "impliedGrants": []
            },
            {
            "itemId": 116130,
            "name": "snowflake:CreateDatabase",
            "label": "CreateDatabase",
            "impliedGrants": []
            },
            {
            "itemId": 117118,
            "name": "postgres:CreateDatabase",
            "label": "Create Database",
            "impliedGrants": []
            },
            {
            "itemId": 117119,
            "name": "postgres:ConnectDatabase",
            "label": "Connect Database",
            "impliedGrants": []
            },
            {
            "itemId": 117120,
            "name": "postgres:CreateSchema",
            "label": "Create Schema",
            "impliedGrants": []
            },
            {
            "itemId": 117121,
            "name": "postgres:UsageSchema",
            "label": "Usage Schema",
            "impliedGrants": []
            },
            {
            "itemId": 117122,
            "name": "postgres:CreateTable",
            "label": "Create Table",
            "impliedGrants": []
            },
            {
            "itemId": 117123,
            "name": "postgres:Select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 117124,
            "name": "postgres:Insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 117125,
            "name": "postgres:Update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 117126,
            "name": "postgres:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 117127,
            "name": "postgres:Truncate",
            "label": "Truncate",
            "impliedGrants": []
            },
            {
            "itemId": 118119,
            "name": "redshift:CreateDatabase",
            "label": "Create Database",
            "impliedGrants": []
            },
            {
            "itemId": 118120,
            "name": "redshift:CreateSchema",
            "label": "Create Schema",
            "impliedGrants": []
            },
            {
            "itemId": 118121,
            "name": "redshift:UsageSchema",
            "label": "Usage Schema",
            "impliedGrants": []
            },
            {
            "itemId": 118122,
            "name": "redshift:CreateTable",
            "label": "Create Table",
            "impliedGrants": []
            },
            {
            "itemId": 118123,
            "name": "redshift:Select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 118124,
            "name": "redshift:Insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 118125,
            "name": "redshift:Update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 118126,
            "name": "redshift:Delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 118127,
            "name": "redshift:ListClusters",
            "label": "ListClusters",
            "impliedGrants": []
            },
            {
            "itemId": 118128,
            "name": "redshift:CreateCluster",
            "label": "CreateCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118129,
            "name": "redshift:UpdateCluster",
            "label": "UpdateCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118130,
            "name": "redshift:DeleteCluster",
            "label": "DeleteCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118131,
            "name": "redshift:ResizeCluster",
            "label": "ResizeCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118132,
            "name": "redshift:PauseCluster",
            "label": "PauseCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118133,
            "name": "redshift:RebootCluster",
            "label": "RebootCluster",
            "impliedGrants": []
            },
            {
            "itemId": 118134,
            "name": "redshift:CreateSnapshot",
            "label": "CreateSnapshot",
            "impliedGrants": []
            },
            {
            "itemId": 118135,
            "name": "redshift:RestoreSnapshot",
            "label": "RestoreSnapshot",
            "impliedGrants": []
            },
            {
            "itemId": 119120,
            "name": "starburst-enterprise-presto:select",
            "label": "Select",
            "impliedGrants": []
            },
            {
            "itemId": 119121,
            "name": "starburst-enterprise-presto:insert",
            "label": "Insert",
            "impliedGrants": []
            },
            {
            "itemId": 119122,
            "name": "starburst-enterprise-presto:delete",
            "label": "Delete",
            "impliedGrants": []
            },
            {
            "itemId": 119123,
            "name": "starburst-enterprise-presto:update",
            "label": "Update",
            "impliedGrants": []
            },
            {
            "itemId": 119124,
            "name": "starburst-enterprise-presto:ownership",
            "label": "Ownership",
            "impliedGrants": [
                "starburst-enterprise-presto:select",
                "starburst-enterprise-presto:insert",
                "starburst-enterprise-presto:delete",
                "starburst-enterprise-presto:update"
            ]
            },
            {
            "itemId": 119125,
            "name": "starburst-enterprise-presto:execute",
            "label": "Execute",
            "impliedGrants": []
            },
            {
            "itemId": 119126,
            "name": "starburst-enterprise-presto:kill",
            "label": "Kill",
            "impliedGrants": []
            }
        ],
        "policyConditions": [
            {
            "itemId": 1,
            "name": "accessed-after-expiry",
            "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptTemplateConditionEvaluator",
            "evaluatorOptions": {
                "scriptTemplate": "ctx.isAccessedAfter('expiry_date');"
            },
            "uiHint": "{ \"singleValue\":true }",
            "label": "Accessed after expiry_date (yes/no)?",
            "description": "Accessed after expiry_date? (yes/no)"
            },
            {
            "itemId": 2,
            "name": "expression",
            "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
            "evaluatorOptions": {
                "ui.isMultiline": "true",
                "engineName": "JavaScript"
            },
            "label": "Enter boolean expression",
            "description": "Boolean expression"
            }
        ],
        "contextEnrichers": [
            {
            "itemId": 1,
            "name": "TagEnricher",
            "enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
            "enricherOptions": {
                "tagRetrieverClassName": "org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever",
                "tagRefresherPollingInterval": "60000"
            }
            }
        ],
        "enums": [],
        "dataMaskDef": {
            "maskTypes": [
            {
                "itemId": 3004,
                "name": "hive:MASK",
                "label": "Redact",
                "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
                "transformer": "mask({col})",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3005,
                "name": "hive:MASK_SHOW_LAST_4",
                "label": "Partial mask: show last 4",
                "description": "Show last 4 characters; replace rest with 'x'",
                "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3006,
                "name": "hive:MASK_SHOW_FIRST_4",
                "label": "Partial mask: show first 4",
                "description": "Show first 4 characters; replace rest with 'x'",
                "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3007,
                "name": "hive:MASK_HASH",
                "label": "Hash",
                "description": "Hash the value",
                "transformer": "mask_hash({col})",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3008,
                "name": "hive:MASK_NULL",
                "label": "Nullify",
                "description": "Replace with NULL",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3009,
                "name": "hive:MASK_NONE",
                "label": "Unmasked (retain original value)",
                "description": "No masking",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3015,
                "name": "hive:MASK_DATE_SHOW_YEAR",
                "label": "Date: show only year",
                "description": "Date: show only year",
                "transformer": "mask({col}, 'x', 'x', 'x', -1, '1', 1, 0, -1)",
                "dataMaskOptions": {}
            },
            {
                "itemId": 3016,
                "name": "hive:CUSTOM",
                "label": "Custom",
                "description": "Custom",
                "dataMaskOptions": {}
            },
            {
                "itemId": 108109,
                "name": "mssql:MASK",
                "label": "Default",
                "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
                "transformer": "default()",
                "dataMaskOptions": {}
            },
            {
                "itemId": 108121,
                "name": "mssql:CUSTOM",
                "label": "Custom",
                "description": "Custom",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116117,
                "name": "snowflake:MASK",
                "label": "Default",
                "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
                "transformer": "default()",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116118,
                "name": "snowflake:MASK_HASH",
                "label": "Hash",
                "description": "Hash the value",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116119,
                "name": "snowflake:MASK_NULL",
                "label": "Nullify",
                "description": "Replace with NULL",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116120,
                "name": "snowflake:MASK_NONE",
                "label": "Unmasked (retain original value)",
                "description": "No masking",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116121,
                "name": "snowflake:REGEX_EXPR",
                "label": "Regular expression",
                "description": "regular expression",
                "dataMaskOptions": {
                "inputField": "true",
                "inputFieldInfo": "[{\"placeHolder\": \"Enter regular expression\",\"targetKey\": \"valueExpr\"},{\"placeHolder\": \"Enter replace value\",\"targetKey\": \"replaceValue\"}]"
                }
            },
            {
                "itemId": 116122,
                "name": "snowflake:MASK_VALUE",
                "label": "Literal mask",
                "description": "maskValue",
                "dataMaskOptions": {
                "inputField": "true",
                "inputFieldInfo": "[{\"placeHolder\": \"Enter masked value\",\"targetKey\": \"valueExpr\"}]"
                }
            },
            {
                "itemId": 116123,
                "name": "snowflake:MASK_SHOW_LAST_4",
                "label": "Partial mask: show last 4",
                "description": "Show last 4 characters; replace rest with 'x'",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116124,
                "name": "snowflake:MASK_SHOW_FIRST_4",
                "label": "Partial mask: show first 4",
                "description": "Show first 4 characters; replace rest with 'x'",
                "dataMaskOptions": {}
            },
            {
                "itemId": 116125,
                "name": "snowflake:PROTECT",
                "label": "Protect",
                "description": "Protect Data with PEG Scheme",
                "dataMaskOptions": {
                "inputField": "true",
                "inputFieldInfo": "[{\"placeHolder\": \"Enter scheme name\",\"targetKey\": \"valueExpr\"}]"
                }
            },
            {
                "itemId": 116126,
                "name": "snowflake:UNPROTECT",
                "label": "Unprotect",
                "description": "Unprotect Data with PEG Scheme",
                "dataMaskOptions": {
                "inputField": "true",
                "inputFieldInfo": "[{\"placeHolder\": \"Enter scheme name\",\"targetKey\": \"valueExpr\"}]"
                }
            },
            {
                "itemId": 116127,
                "name": "snowflake:CUSTOM",
                "label": "Custom",
                "description": "Custom",
                "dataMaskOptions": {}
            },
            {
                "itemId": 117118,
                "name": "postgres:MASK",
                "label": "Default",
                "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
                "transformer": "default()",
                "dataMaskOptions": {}
            },
            {
                "itemId": 117119,
                "name": "postgres:NULLIFY",
                "label": "Nullify",
                "description": "Displays null values",
                "dataMaskOptions": {}
            },
            {
                "itemId": 117120,
                "name": "postgres:UNMASKED",
                "label": "Unmasked",
                "description": "Unmasked (retain original value)",
                "dataMaskOptions": {}
            },
            {
                "itemId": 117121,
                "name": "postgres:CUSTOM",
                "label": "Custom",
                "description": "Custom",
                "dataMaskOptions": {}
            },
            {
                "itemId": 119120,
                "name": "starburst-enterprise-presto:MASK",
                "label": "Mask",
                "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
                "transformer": "mask({col})",
                "dataMaskOptions": {}
            },
            {
                "itemId": 119121,
                "name": "starburst-enterprise-presto:MASK_SHOW_LAST_4",
                "label": "Partial mask: show last 4",
                "description": "Show last 4 characters; replace rest with 'x'",
                "transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')",
                "dataMaskOptions": {}
            },
            {
                "itemId": 119122,
                "name": "starburst-enterprise-presto:MASK_SHOW_FIRST_4",
                "label": "Partial mask: show first 4",
                "description": "Show first 4 characters; replace rest with 'x'",
                "transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')",
                "dataMaskOptions": {}
            },
            {
                "itemId": 119123,
                "name": "starburst-enterprise-presto:MASK_HASH",
                "label": "Hash",
                "description": "Hash the value",
                "transformer": "mask_hash({col})",
                "dataMaskOptions": {}
            },
            {
                "itemId": 119124,
                "name": "starburst-enterprise-presto:MASK_NULL",
                "label": "Nullify",
                "description": "Replace with NULL",
                "dataMaskOptions": {}
            }
            ],
            "accessTypes": [
            {
                "itemId": 3004,
                "name": "hive:select",
                "label": "select",
                "impliedGrants": []
            },
            {
                "itemId": 108112,
                "name": "mssql:Select",
                "label": "Select",
                "impliedGrants": []
            },
            {
                "itemId": 116121,
                "name": "snowflake:Select",
                "label": "Select",
                "impliedGrants": []
            },
            {
                "itemId": 117123,
                "name": "postgres:Select",
                "label": "Select",
                "impliedGrants": []
            },
            {
                "itemId": 119120,
                "name": "starburst-enterprise-presto:select",
                "label": "Select",
                "impliedGrants": []
            }
            ],
            "resources": [
            {
                "itemId": 1,
                "name": "tag",
                "type": "string",
                "level": 1,
                "mandatory": true,
                "lookupSupported": true,
                "recursiveSupported": false,
                "excludesSupported": false,
                "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
                "matcherOptions": {
                "__isValidLeaf": "true",
                "wildCard": "false",
                "__accessTypeRestrictions": "[]",
                "ignoreCase": "false"
                },
                "validationRegEx": "",
                "validationMessage": "",
                "uiHint": "{ \"singleValue\":false }",
                "label": "TAG",
                "description": "TAG",
                "accessTypeRestrictions": [],
                "isValidLeaf": true
            }
            ]
        },
        "rowFilterDef": {
            "accessTypes": [],
            "resources": []
        }
        },
        "auditMode": "audit-default"
    },
    "serviceConfig": {}
    }
    

Starburst Enterprise Platform

Starburst Enterprise Platform (SEP) is a commercial distribution of PrestoSQL. It includes additional security features, more connectors, and a cost-based query optimizer. As with standard PrestoSQL, SEP is designed to support access control through an external Apache Ranger plug-in. This can be configured in the following two ways:

  1. System-Level: Resource policies defined in PrivaceraCloud under the 'privacera_starburst' resource service control access to Starburst resources.

  2. System-Plus-Hive: Resource policies defined in PrivaceraCloud under both the 'privacera_starburst' AND 'privacera_hive' resource services control access to Starburst resources.

The System-Plus-Hive approach requires two additional files to be configured. The steps below configure Starburst Enterprise (SEP) to use your PrivaceraCloud Ranger account.

Configuration

Configure the following six files as described in the table below.

File                                  Standard Location  Usage
hive.properties                       etc/catalog        Global Hive properties
config.properties                     etc                Points to plug-in configuration files
access-control-privacera.properties   etc                Values for Privacera access control
ranger-policymgr-ssl.xml              etc                Values for Ranger Policy Manager
ranger-hive-audit.xml                 etc                Values for Ranger Hive and Audit
access-control-priv-hive.properties   etc                Values for Hive Policies (used only for "System-Plus-Hive" configuration)

Steps

  1. Edit the file - hive.properties

    1. Comment out all lines beginning with the "ranger" keyword.
    2. Add (if missing) the following properties and save the file.

      hive.metastore=glue
      hive.security=allow-all
      
  2. Edit the file - access-control-privacera.properties

    1. Add the following properties and update the below variables as per your environment.

      ${RANGER_URL}, ${RANGER_API_USERNAME}, ${RANGER_API_PASSWORD}, ${PRESTO_CONFIG_PATH} and ${PRESTO_TEMP_DIRECTORY}.

      access-control.name=privacera-starburst
      ranger.policy-rest-url=https://${RANGER_URL}
      ranger.service-name=privacera_starburstenterprisepresto
      ranger.presto-plugin-username=${RANGER_API_USERNAME}
      ranger.presto-plugin-password=${RANGER_API_PASSWORD}
      ranger.policy-refresh-interval=3s
      #Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
      ranger.config-resources=${PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml
      #Example: ranger.policy-cache-dir=/tmp/ranger
      ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY}
      ranger.plugin-policy-ssl-config-file=${PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml
      
    2. Save the file.

  3. Create/edit ranger-policymgr-ssl.xml file in folder ${PRESTO_CONFIG_PATH}/etc/ with the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <property>
        <name>xasecure.policymgr.clientssl.truststore</name>
        <value>/usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts</value>
        </property>
        <property>
        <name>xasecure.policymgr.clientssl.truststore.password</name>
        <value>crypted</value>
        </property>
        <property>
        <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
        <value>jceks://file/home/hadoop/downloads/presto-server/etc/ranger.jceks</value>
        </property>
    </configuration>
    
  4. Create/edit ranger-hive-audit.xml file in folder ${PRESTO_CONFIG_PATH}/etc/ with the following content and update the ${RANGER_URL} and ${RANGER_AUDIT_URL} variables and the audit spool directory as per your environment.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <property>
            <name>ranger.plugin.hive.service.name</name>
            <value>privacera_hive</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.pollIntervalMs</name>
            <value>5000</value>
        </property>
        <property>
            <name>ranger.service.store.rest.url</name>
            <value>https://${RANGER_URL}</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.rest.url</name>
            <value>https://${RANGER_URL}</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.source.impl</name>
            <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
            <description>
                Class to retrieve policies from the source
            </description>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
            <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value>
            <description>
                Path to the file containing SSL details to contact Ranger Admin
            </description>
        </property>
        <property>
            <name>ranger.service.store.rest.ssl.config.file</name>
            <value>/home/hadoop/downloads/presto-server/etc/ranger-policymgr-ssl.xml</value>
        </property>
        <property>
            <name>ranger.plugin.hive.policy.cache.dir</name>
            <value>/tmp/ranger</value>
            <description>
            Directory where Ranger policies are cached after successful retrieval from the source
            </description>
        </property>
        <property>
            <name>ranger.plugin.starburst-enterprise-presto.policy.cache.dir</name>
            <value>/tmp/ranger</value>
            <description>
            Directory where Ranger policies are cached after successful retrieval from the source
            </description>
        </property>
        <property>
            <name>xasecure.audit.destination.solr</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
            <value>${PRESTO_TEMP_DIRECTORY}</value>
        </property>
        <property>
            <name>xasecure.audit.destination.solr.urls</name>
            <value>https://${RANGER_AUDIT_URL}</value>
        </property>
        <property>
            <name>xasecure.audit.is.enabled</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.solr.is.enabled</name>
            <value>true</value>
        </property>
        <property>
            <name>xasecure.audit.solr.async.max.queue.size</name>
            <value>1</value>
        </property>
        <property>
            <name>xasecure.audit.solr.async.max.flush.interval.ms</name>
            <value>1000</value>
        </property>
    </configuration>
    
  5. Modify the file - access-control-priv-hive.properties

    If you are configuring for "System-Plus-Hive", edit this file as follows, substituting values for ${RANGER_URL}, ${RANGER_API_USERNAME}, ${RANGER_API_PSWD}, ${PRESTO_CONFIG_PATH}, and ${PRESTO_TEMP_DIRECTORY} where they are referenced.

    Do not modify this file if you are configuring for "System-Level" only.

    access-control.name=privacera
    ranger.policy-rest-url=https://${RANGER_URL}
    ranger.service-name=privacera_hive
    privacera.catalogs=hive
    ranger.presto-plugin-username=${RANGER_API_USERNAME}
    ranger.presto-plugin-password=${RANGER_API_PSWD}
    ranger.policy-refresh-interval=3s
    #Example: ranger.config-resources=/usr/presto-server-341-e/etc/ranger-hive-audit.xml
    ranger.config-resources=${PRESTO_CONFIG_PATH}/etc/ranger-hive-audit.xml
    #Example: ranger.policy-cache-dir=/tmp/ranger
    ranger.policy-cache-dir=${PRESTO_TEMP_DIRECTORY}
    #Fallback allow-all allows privacera_starburst catalog-level permissions as fallback
    privacera.fallback-access-control=allow-all
    ranger.plugin-policy-ssl-config-file=${PRESTO_CONFIG_PATH}/etc/ranger-policymgr-ssl.xml
    ranger.enable-row-filtering=true
    
  6. Edit the file - config.properties

    • If you are configuring for System-Level then add the following property:

      access-control.config-files=etc/access-control-privacera.properties
      
    • If you are configuring for System-Plus-Hive then add the following property.

      Note: This is a single-line property and must be added exactly as shown below.

      access-control.config-files=etc/access-control-privacera.properties,etc/access-control-priv-hive.properties
      
  7. Restart Starburst.
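A pre-restart consistency check for the files edited in steps 1 to 6, added here as an example (it is not Privacera or Starburst tooling). Because `hive.security=allow-all` leaves the catalog open, it confirms that `config.properties` actually loads the plug-in files and that no placeholder was left unsubstituted. It assumes `access-control.config-files` paths resolve relative to the install root; the https and file-permission checks are this example's own baseline, and the `write_sample` fixture with its host name and values is constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PLACEHOLDER = re.compile(r"\$?\{[A-Za-z_]+\}")  # ${VAR} or {VAR} left unsubstituted
ACL = "etc/access-control-privacera.properties"
EXPECTED = {"system-level": [ACL],  # access-control.config-files per mode (step 6)
            "system-plus-hive": [ACL, "etc/access-control-priv-hive.properties"]}


def load_properties(path):
    """Parse a Java-style .properties file; a missing file yields no properties."""
    text = Path(path).read_text() if Path(path).is_file() else ""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_xml(path, findings):
    """Require well-formed XML whose <value>s hold no placeholder or padding."""
    try:
        root = ET.parse(str(path)).getroot()
    except (OSError, ET.ParseError):
        findings.append(f"{path.name}: missing or not well-formed XML")
        return
    for prop in root.iter("property"):
        name, value = prop.findtext("name", ""), prop.findtext("value", "")
        if PLACEHOLDER.search(value) or value != value.strip():
            findings.append(f"{path.name}: {name} has a placeholder or padded value")


def check_acl_file(path, findings):
    """Check one plug-in properties file named in access-control.config-files."""
    if not path.is_file():
        findings.append(f"{path.name}: listed in config.properties but missing")
        return
    if path.stat().st_mode & 0o077:  # the file stores the Ranger API password
        findings.append(f"{path.name}: readable by group or others")
    props = load_properties(path)
    for key, value in props.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{path.name}: {key} holds an unsubstituted placeholder")
    if not props.get("ranger.policy-rest-url", "").startswith("https://"):
        findings.append(f"{path.name}: ranger.policy-rest-url is not an https URL")
    for key in ("ranger.config-resources", "ranger.plugin-policy-ssl-config-file"):
        if key in props and not PLACEHOLDER.search(props[key]):
            check_xml(Path(props[key]), findings)


def check_install(root, mode):
    """Return findings for the install rooted at `root`; an empty list means consistent."""
    root, findings = Path(root), []
    hive = load_properties(root / "etc/catalog/hive.properties")
    active = sorted(k for k in hive if k.startswith("ranger"))
    if active:
        findings.append(f"hive.properties: still active: {', '.join(active)}")
    if hive.get("hive.security") != "allow-all":
        findings.append("hive.properties: hive.security is not allow-all")
    config = load_properties(root / "etc/config.properties")
    listed = [f.strip() for f in config.get("access-control.config-files", "").split(",") if f.strip()]
    if not listed:  # with hive.security=allow-all nothing would enforce policy
        findings.append("config.properties: no access-control.config-files, no plug-in is loaded")
    elif listed != EXPECTED[mode]:
        findings.append(f"config.properties: access-control.config-files does not match {mode}")
    for rel in listed:
        check_acl_file(root / rel, findings)
    return findings


def write_sample(root, fixed):
    """Write a constructed System-Level install; fixed=False leaves defects in."""
    etc = Path(root) / "etc"
    (etc / "catalog").mkdir(parents=True)
    base = str(root) if fixed else "{PRESTO_CONFIG_PATH}"  # placeholder never filled in
    (etc / "catalog/hive.properties").write_text(
        ("#" if fixed else "") + "ranger.service-name=old\nhive.security=allow-all\n")
    (etc / "config.properties").write_text(f"access-control.config-files={ACL}\n")
    acl = Path(root) / ACL
    acl.write_text(
        "access-control.name=privacera-starburst\nranger.presto-plugin-password=constructed\n"
        "ranger.policy-rest-url=https://ranger.example.invalid\n"
        f"ranger.config-resources={base}/etc/ranger-hive-audit.xml\n"
        f"ranger.plugin-policy-ssl-config-file={base}/etc/ranger-policymgr-ssl.xml\n")
    acl.chmod(0o600 if fixed else 0o644)
    for name in ("ranger-hive-audit.xml", "ranger-policymgr-ssl.xml"):
        (etc / name).write_text("<configuration><property><name>n</name>"
                                "<value>v</value></property></configuration>")


def demo(fixed):
    """Findings for the constructed install, with or without its defects."""
    with tempfile.TemporaryDirectory() as root:
        write_sample(root, fixed)
        return check_install(root, "system-level")
```

Point `check_install` at the install root and the mode you configured; an empty list means every check passed.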


Last update: July 23, 2021