
Privacera Platform master publication

Dremio user guide

Access control

Note

The Privacera Plugin uses the privacera_dremio repository for access control.

Ensure the following prerequisites are met:

  • A Privacera Manager host with Privacera services running.

  • A Dremio host with Dremio Enterprise Edition installed. (The Community Edition is not supported.)

  • The data lake that users will query must be onboarded. Supported data lakes:

    • s3

    • ADLS

    • Hive

    • Redshift

S3 Data-lake source

Access Control on a Create VDS

Access Control on a select VDS

Redshift Data-lake Source

ADLS Data-lake Source

Glue Data-lake Source

Dremio Ranger Based authorization

Dremio Ranger Based authorization is a Hive authorization client that checks your Ranger policy permissions and then allows or disallows access as defined by the Ranger policy. Connecting Dremio Ranger Based Hive authorization with Privacera’s Ranger-based data access governance extends Apache Ranger’s open source capabilities to take advantage of Privacera’s centralized enterprise-ready solution.

Install and set up the Privacera Dremio plugin.

For Privacera Platform, see: https://docs.privacera.com/latest/platform/pm-ig/dremio/

To configure the Dremio Hive source:

  1. On the Dremio dashboard home page, in the Data Lakes section, click the Add Data Lake / Plus icon to add the source.

  2. Select Hive 2.x or Hive 3.x from Table Stores.

  3. Enter your Hive source Name, Hive Metastore Host, and Port Number.

  4. In Authorization > Client enter the following information: 

    1. Ranger Based Authorization

    2. Ranger Service name: privacera_hive

    3. Enter the Ranger Host URL:

      Platform: https://ranger-plugin-my-eks.mydomain.com

      Cloud: https://privacera.com/api/api-key.

      For information on obtaining an API key, see: https://docs.privacera.com/goto/pcloud/pcloud-ug/api_key/#manage-api-keys

Continue with Advanced Options:

  1. Uncheck Enable external authorization plugin.

    Unchecking the box uses Ranger Based Authorization.

    Checking the box uses the Privacera Dremio plugin.

  2. Add the following Connection Properties for SSL and Audit server configuration:

    | Property | Description | Example |
    |---|---|---|
    | ranger.plugin.hive.policy.rest.ssl.config.file | Path of the Ranger SSL config file ranger-policymgr-ssl.xml. | /opt/privacera/conf/ranger-policymgr-ssl.xml |
    | xasecure.audit.is.enabled | To enable auditing, set to true. | true |
    | xasecure.audit.destination.solr | To use SOLR as the audit server, set to true. | true |
    | xasecure.audit.destination.solr.urls | URL of the SOLR audit server. | Platform: https://auditserver-plugin-mydomain.com/solr/ranger_audits; Pcloud: https://privacera.com/api/<api-key>/solr/ranger_audits (see API Key) |
    | xasecure.audit.destination.hdfs | To use HDFS as an auditing service. | false |
    | xasecure.audit.destination.file.dir | Audit directory for HDFS. | ranger/audit/file |
    | xasecure.audit.destination.solr.batch.filespool.dir | Audit directory for SOLR. | ranger/audit/solr/spool |
    | xasecure.audit.provider.summary.enabled | To enable summarization, set to true. | |

  3. In Metadata > Authorization > Expire after, set the authorization expiration time.

  4. Choose Save.
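
Before saving the source, the connection properties can be sanity-checked. The following is an added example, not Privacera or Dremio code: a small Python linter over the property names from the table above. The checks it applies (https-only Solr URL, no leftover `<api-key>` placeholder, a spool directory when Solr is enabled, comma-separated URLs) are assumptions of this example, and the GOOD and BAD inputs are constructed.

```python
from urllib.parse import urlparse

# Property names come from the table above. The checks are assumptions of
# this example, not documented Privacera or Dremio requirements.
SSL_FILE = "ranger.plugin.hive.policy.rest.ssl.config.file"
AUDIT_ON = "xasecure.audit.is.enabled"
SOLR_ON = "xasecure.audit.destination.solr"
SOLR_URLS = "xasecure.audit.destination.solr.urls"
SOLR_SPOOL = "xasecure.audit.destination.solr.batch.filespool.dir"
HDFS_ON = "xasecure.audit.destination.hdfs"

def is_true(props, key):
    return props.get(key, "").strip().lower() == "true"

def lint_connection_properties(props):
    """Return findings for a Dremio Hive source connection-property map."""
    findings = []
    if not props.get(SSL_FILE, "").strip().endswith(".xml"):
        findings.append(f"{SSL_FILE}: missing or not an XML file path")
    if not is_true(props, AUDIT_ON):
        findings.append(f"{AUDIT_ON}: auditing is off, access decisions are not recorded")
        return findings
    if not (is_true(props, SOLR_ON) or is_true(props, HDFS_ON)):
        findings.append("auditing is on but no Solr or HDFS destination is enabled")
    if is_true(props, SOLR_ON):
        # Assumption: several URLs, if given, are comma-separated.
        urls = [u.strip() for u in props.get(SOLR_URLS, "").split(",") if u.strip()]
        if not urls:
            findings.append(f"{SOLR_URLS}: Solr destination enabled but no URL set")
        for url in urls:
            parsed = urlparse(url)
            if parsed.scheme != "https" or not parsed.hostname:
                findings.append(f"{SOLR_URLS}: {url!r} is not an https URL")
            if "<" in url or ">" in url:
                findings.append(f"{SOLR_URLS}: placeholder left in {url!r}")
        if not props.get(SOLR_SPOOL, "").strip():
            findings.append(f"{SOLR_SPOOL}: no audit spool directory set")
    return findings

# Constructed samples: GOOD uses the example values from the table; BAD is made up.
GOOD = {SSL_FILE: "/opt/privacera/conf/ranger-policymgr-ssl.xml", AUDIT_ON: "true",
        SOLR_ON: "true", HDFS_ON: "false", SOLR_SPOOL: "ranger/audit/solr/spool",
        SOLR_URLS: "https://auditserver-plugin-mydomain.com/solr/ranger_audits"}
BAD = {AUDIT_ON: "true", SOLR_ON: "true", HDFS_ON: "false",
       SOLR_URLS: "http://privacera.com/api/<api-key>/solr/ranger_audits"}

if __name__ == "__main__":
    for name, props in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_connection_properties(props) or "no findings")
```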

Run queries
Select data in table

Note

The Privacera Plugin for Dremio supports access control only for SELECT queries on tables.

  1. Run the following command:

    select * from test_catalog.test_db.test_table

    In Privacera Portal, Access Manager > Audits shows that access was denied.

  2. In Privacera Portal, create an access policy in Access Management > Resource Policies > privacera_dremio for the table and grant the Select permission.

  3. Run the query again. Now, you will see access is granted.