AWS Data Server

Configure Privacera Data Access Server

This section covers how you can configure Privacera Data Access Server.

CLI Configuration Steps

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    
  3. Edit the properties. For property details and description, refer to the Configuration Properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see the Dataserver custom properties documentation.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties

| Property | Description | Example |
| --- | --- | --- |
| DATASERVER_RANGER_AUTH_ENABLED | Enable/disable Ranger authorization in DataServer. | |
| DATASERVER_V2_WORKDER_THREADS | Number of worker threads that process inbound connections. | 20 |
| DATASERVER_V2_CHANNEL_CONNECTION_BACKLOG | Maximum queue size for inbound connections. | 128 |
| DATASERVER_V2_CHANNEL_CONNECTION_POOL | Enable the connection pool for outbound requests. The property is disabled by default. | |
| DATASERVER_V2_FRONT_CHANNEL_IDLE_TIMEOUT | Idle timeout for inbound connections. | 60 |
| DATASERVER_V2_BACK_CHANNEL_IDLE_TIMEOUT | Idle timeout for outbound connections; takes effect only if the connection pool is enabled. | 60 |
| DATASERVER_HEAP_MIN_MEMORY_MB | Minimum Java heap memory in MB used by Dataserver. | 1024 |
| DATASERVER_HEAP_MAX_MEMORY_MB | Maximum Java heap memory in MB used by Dataserver. | 1024 |
| DATASERVER_USE_REGIONAL_ENDPOINT | Set this property to enforce the default region for all S3 buckets. | true |
| DATASERVER_AWS_REGION | Default AWS region for S3 buckets. | us-east-1 |

AWS S3 Data Server

This section covers how you can configure access control for AWS S3 through Privacera Data Access Server.

Prerequisites

Ensure that the following prerequisites are met:

  • Create and attach an AWS IAM Policy that allows access to the S3 resources.

    Follow the AWS IAM Create and Attach Policy instructions, using either the "Full S3 Access" or the "Limited S3 Access" policy template, depending on your enterprise requirements.

    Return to this section once the policy is attached to the Privacera Manager host VM.

CLI Configuration

  1. SSH to the instance where Privacera Manager is installed.

  2. Configure Privacera Data Access Server as described in the CLI Configuration Steps above, so that config/custom-vars/vars.dataserver.aws.yml exists.

  3. Edit the properties. For property details and description, refer to the Configuration Properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    • In a Kubernetes environment, enable DATASERVER_USE_POD_IAM_ROLE and set DATASERVER_IAM_POLICY_ARN to use a specific IAM role for the Dataserver pod. For property details and description, see the S3 properties below.
    • You can also add custom properties that are not included by default. See the Dataserver custom properties documentation.
  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties

| Property | Description | Example |
| --- | --- | --- |
| DATASERVER_USE_POD_IAM_ROLE | Enable the creation of an IAM role that will be used by the Dataserver pod. | true |
| DATASERVER_IAM_POLICY_ARN | Full ARN of the IAM policy to attach to the IAM role associated with the Dataserver pod. | arn:aws:iam::aws:policy/AmazonS3FullAccess |
| DATASERVER_USE_IAM_ROLE | If you have granted an IAM role permission to access the bucket, enable **Use IAM Roles**. | |
| DATASERVER_S3_AWS_API_KEY | If you use an access key to access the bucket, disable **Use IAM Role** and set the AWS API key. | AKIAIOSFODNN7EXAMPLE |
| DATASERVER_S3_AWS_SECRET_KEY | If you use a secret key to access the bucket, disable **Use IAM Role** and set the AWS secret key. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| DATASERVER_V2_S3_ENDPOINT_ENABLE | Enable to use a custom S3 endpoint. | |
| DATASERVER_V2_S3_ENDPOINT_SSL | Enable or disable this property according to whether SSL is enabled or disabled on the MinIO server. | |
| DATASERVER_V2_S3_ENDPOINT_HOST | Endpoint server host. | 192.468.12.142 |
| DATASERVER_V2_S3_ENDPOINT_PORT | Endpoint server port. | 9000 |
| DATASERVER_AWS_REQUEST_INCLUDE_USERINFO | Enable adding the session role to CloudWatch logs for requests going through Dataserver. It appears under the **privacera-user** key in the Request Params of the CloudWatch log entry. Set to true if you want to see **privacera-user** in CloudWatch. | true |

AWS Athena Data Server

This section covers how you can configure access control for AWS Athena through Privacera Data Access Server.

Prerequisites

Ensure the following:

  • Create and attach an AWS IAM Policy that grants the rights to use Athena and Glue resources and databases.

    Follow the AWS IAM Create and Attach Policy instructions, using the "Athena Access" policy modified as necessary for your enterprise. Return to this section once the policy is attached to the Privacera Manager host VM.

CLI Configuration

  1. SSH to the instance where Privacera Manager is installed.

  2. Configure Privacera Data Access Server as described in the CLI Configuration Steps above, so that config/custom-vars/vars.dataserver.aws.yml exists.

  3. Edit the properties. For property details and description, refer to the Configuration Properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see the Dataserver custom properties documentation.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties

Identify an existing S3 bucket or create one to store the Athena query results, then set the result location in vars.dataserver.aws.yml:

    AWS_ATHENA_RESULT_STORAGE_URL: "s3://${S3_BUCKET_FOR_QUERY_RESULTS}/athena-query-results/"
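As an added example (not Privacera's code), the following script lints a flat vars.dataserver.aws.yml before you run ./privacera-manager.sh update, covering the properties from the Dataserver, S3 and Athena tables above: Ranger authorization enabled, heap minimum not above the maximum, static access keys not combined with **Use IAM Role** (and not left at the AWS sample value), a custom endpoint not used without SSL, and the Athena result URL pointing at a resolved s3:// bucket. The sample file contents and the finding codes are constructed for this example.

```python
import re

# Constructed sample of a flat vars.dataserver.aws.yml; values are made up, not taken from Privacera.
SAMPLE_VARS = """\
DATASERVER_RANGER_AUTH_ENABLED: "false"
DATASERVER_HEAP_MIN_MEMORY_MB: "2048"
DATASERVER_HEAP_MAX_MEMORY_MB: "1024"
DATASERVER_USE_IAM_ROLE: "true"
DATASERVER_S3_AWS_API_KEY: "AKIAIOSFODNN7EXAMPLE"
DATASERVER_S3_AWS_SECRET_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATASERVER_V2_S3_ENDPOINT_ENABLE: "true"
DATASERVER_V2_S3_ENDPOINT_SSL: "false"
AWS_ATHENA_RESULT_STORAGE_URL: "s3://${S3_BUCKET_FOR_QUERY_RESULTS}/athena-query-results/"
"""
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*:\s*"?(.*?)"?\s*$')

def parse_vars(text):
    """Parse the flat KEY: "value" lines used in Privacera Manager custom-vars files."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def enabled(v, key):
    return v.get(key, "false").strip().lower() == "true"

def lint_dataserver_vars(text):
    """Return finding codes for settings that weaken access control or cannot work together."""
    v, f = parse_vars(text), []
    if not enabled(v, "DATASERVER_RANGER_AUTH_ENABLED"):
        f.append("ranger-auth-disabled")        # Dataserver would proxy S3 without policy checks
    lo, hi = v.get("DATASERVER_HEAP_MIN_MEMORY_MB"), v.get("DATASERVER_HEAP_MAX_MEMORY_MB")
    if lo and hi and int(lo) > int(hi):
        f.append("heap-min-above-max")          # the JVM refuses to start with Xms > Xmx
    secret = v.get("DATASERVER_S3_AWS_SECRET_KEY", "")
    if (v.get("DATASERVER_S3_AWS_API_KEY") or secret) and enabled(v, "DATASERVER_USE_IAM_ROLE"):
        f.append("static-keys-with-iam-role")   # docs: disable Use IAM Role when using keys
    if "EXAMPLE" in secret.upper():
        f.append("placeholder-secret")          # AWS documentation sample key left in place
    if enabled(v, "DATASERVER_V2_S3_ENDPOINT_ENABLE") and not enabled(v, "DATASERVER_V2_S3_ENDPOINT_SSL"):
        f.append("endpoint-plaintext")          # custom endpoint reached without TLS
    url = v.get("AWS_ATHENA_RESULT_STORAGE_URL", "")
    if url and (not url.startswith("s3://") or "${" in url):
        f.append("athena-result-url-unresolved")  # placeholder bucket or non-S3 location
    return f
```

Run lint_dataserver_vars on the real file's contents; an empty list means none of these checks fired.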