PolicySync properties

This topic covers how to configure additional system properties for multiple connectors for Privacera PolicySync.

You can add properties for the following connectors in the configuration file rangersync-custom-v2.properties, which is described below for the following datasources:

• PostgreSQL
• Microsoft SQL Server
• Snowflake
• Redshift

PolicySync and scalability

Each configured connector consumes memory and processing resources based on factors like the number of data objects, policies, and users. You may need to increase the memory or processing available to PolicySync as your usage grows.

The preferred strategy for scaling to large numbers of datasources for PolicySync is to add PolicySync repositories. Use of multiple PolicySync repositories is supported only in Kubernetes. Privacera Manager only supports deployment of a single PolicySync repository, so you may need to modify Helm charts directly.

In Docker, the only option is to use a larger node and add multiple connectors as described above.

PostgreSQL

1. Create rangersync-custom-v2.properties file and add the base properties.

   vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
   

2. Example to add another PostgreSQL connection with connector ID 5. For information about each property, click here.

   ranger.policysync.connector.5=Postgres-dev
   ranger.policysync.connector.5.enabled=true
   ranger.policysync.connector.5.servicetype=postgres
   ranger.policysync.connector.5.jdbc.url=jdbc:postgresql://<connection_url>:5432
   ranger.policysync.connector.5.jdbc.username=postgres
   ranger.policysync.connector.5.jdbc.password=
   ranger.policysync.connector.5.jdbc.db=
   ranger.policysync.connector.5.master.database=
   ranger.policysync.connector.5.manage.database.list=
   ranger.policysync.connector.5.manage.schema.list=
   ranger.policysync.connector.5.manage.table.list=
   ranger.policysync.connector.5.manage.view.list=
   
   #Ignore Resource Lists
   ranger.policysync.connector.5.ignore.schema.list=
   ranger.policysync.connector.5.ignore.table.list=
   ranger.policysync.connector.5.new.user.password=
   ranger.policysync.connector.5.switch.ownership.role=
   ranger.policysync.connector.5.manage.service.user=true
   ranger.policysync.connector.5.manage.service.group=true
   ranger.policysync.connector.5.manage.service.role=true
   ranger.policysync.connector.5.perform.grant.updates=true
   
   #Filter User/Group
   ranger.policysync.connector.5.manage.user.filterby.group=false
   ranger.policysync.connector.5.manage.user.filterby.role=false
   ranger.policysync.connector.5.User.role.prefix=priv_user_
   ranger.policysync.connector.5.Group.role.prefix=priv_group_
   ranger.policysync.connector.5.Role.role.prefix=priv_role_
   
   #Enable Row Filter
   ranger.policysync.connector.5.enable.row.filter=true
   
   #Masked Value for Masking
   ranger.policysync.connector.5.masked.number.value=0
   ranger.policysync.connector.5.masked.double.value=0
   ranger.policysync.connector.5.masked.text.value='<MASKED>'
   ranger.policysync.connector.5.masked.varchar.value='<MASKED>'
   
   ranger.policysync.connector.5.manage.user.list=
   ranger.policysync.connector.5.manage.group.list=
   ranger.policysync.connector.5.manage.role.list=
   
   #View Based Masking and Row Filter
   ranger.policysync.connector.5.enable.view.based.row.filter=false
   ranger.policysync.connector.5.enable.view.based.masking=true
   ranger.policysync.connector.5.secure.view.schema.name=
   ranger.policysync.connector.5.secure.view.schema.name.prefix=
   ranger.policysync.connector.5.secure.view.schema.name.postfix=
   ranger.policysync.connector.5.secure.view.name.prefix=
   ranger.policysync.connector.5.secure.view.name.postfix=_secure
   ranger.policysync.connector.5.secure.view.schema.name.remove.suffix.list=
   ranger.policysync.connector.5.secure.view.name.remove.suffix.list=
   ranger.policysync.connector.5.secure.view.create.for.all=false
   
   #Audit Properties
   
   #Make this property true for audits
   ranger.policysync.connector.5.enable.audit=true
   ranger.policysync.connector.5.audit.sqs.queue.name=
   ranger.policysync.connector.5.region=
   

3. Run the following command.

   cd ~/privacera/privacera-manager/
   ./privacera-manager.sh update
   

Microsoft SQL Server

1. Create rangersync-custom-v2.properties file and add the base properties.

   vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
   

2. Example to add another Microsoft SQL Server connection with connector ID 7. For information about each property, click here.

   ranger.policysync.connector.7=Mssql
   
   # Enable below property to enable the mssql connector
   ranger.policysync.connector.7.enabled=false
   ranger.policysync.connector.7.servicetype=mssql
   ranger.policysync.connector.7.class=com.privacera.policysync.connector.PSMSSQLConnector
   ranger.policysync.connector.7.jdbc.driver=com.microsoft.sqlserver.jdbc.SQLServerDriver
   
   # DB Connection Properties
   ranger.policysync.connector.7.jdbc.url={{MSSQL_JDBC_URL}}
   ranger.policysync.connector.7.jdbc.db={{MSSQL_DEFAULT_DB}}
   ranger.policysync.connector.7.jdbc.username={{MSSQL_SYNC_USER_NAME}}
   ranger.policysync.connector.7.jdbc.password={{MSSQL_SYNC_USER_PASSWORD}}
   
   # ranger.policysync.connector.7.jdbc.authentication= (SqlPassword/ActiveDirectoryPassword)
   # Use ActiveDirectoryPassword in case of your jdbc admin is Azure AD User
   ranger.policysync.connector.7.jdbc.authentication=SqlPassword
   ranger.policysync.connector.7.master.database=master
   
   ranger.policysync.connector.7.database.list.format=database
   ranger.policysync.connector.7.schema.list.format=database.schema
   ranger.policysync.connector.7.table.list.format=database.schema.table
   ranger.policysync.connector.7.view.list.format=database.schema.view
   
   # Manage Lists
   #Database name which needs to be managed, Accepts : single name or multiple database names with comma separation.
   #Regex can be used i.e *_database (This will manage all the database named as company_database, products_database .etc).
   #Set the value as blank, to manage all the database.
   #Set the value as : none, to skip all the database.
   ranger.policysync.connector.7.manage.database.list={{MSSQL_DATABASES_LIST}}
   
   #schema name which needs to be managed, Accepts : single name or multiple schema names with comma separation.
   #Regex can be used i.e *_schema (This will manage all the schema named as company_schema, products_schema .etc).
   #Set the value as blank, to manage all the schema.
   #Set the value as : none, to skip all the schema.
   ranger.policysync.connector.7.manage.schema.list=
   
   # Ignore Lists
   ##Set list of database to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_database (This will manage all the database named as admin_database, testing_database .etc).
   ##Set the value as blank, to manage all the database.
   ##Set the value as : none, to skip all the database.
   ranger.policysync.connector.7.ignore.database.list=
   
   ##Set list of schema to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_schema (This will manage all the schema named as admin_schema, testing_schema .etc).
   ##Set the value as blank, to manage all the schema.
   ##Set the value as : none, to skip all the schema.
   ranger.policysync.connector.7.ignore.schema.list=*.sys,*.privacera_security,*.guest,*.db_denydatareader,*.db_denydatawriter,*.db_datareader,*.db_datawriter,*.db_ddladmin,*.db_backupoperator,*.db_accessadmin,*.db_securityadmin,*.db_owner
   
   ##Set list of user to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_user (This will manage all the role named as admin_user, testing_user .etc).
   ##Set the value as blank, to manage all the user.
   ##Set the value as : none, to skip all the user.
   ranger.policysync.connector.7.ignore.user.list={{MSSQL_IGNORE_USERS}}
   
   # New User Password
   #ranger.policysync.connector.7.new.user.password=
   
   # New Resource Ownership
   ranger.policysync.connector.7.switch.ownership.role=dbo
   
   # Ranger Plugin Properties
   ranger.policysync.connector.7.ranger.service.type=mssql
   ranger.policysync.connector.7.ranger.service.appid=privacera_mssql
   
   ##Set prefix to create internal role for policy-sync
   ranger.policysync.connector.7.User.role.prefix=priv_user_
   ranger.policysync.connector.7.Group.role.prefix=priv_group_
   ranger.policysync.connector.7.Role.role.prefix=priv_role_
   
   ##To perform dry run when value is set as false, Default value : false
   ranger.policysync.connector.7.perform.grant.updates=false
   ranger.policysync.connector.7.ranger.resource.matching.scope=SELF
   
   #set value as true to perform grant update in a separate thread / Default Value : true
   ranger.policysync.connector.7.apply.perms.with.separate.thread=true
   ranger.policysync.connector.7.ranger.resource.zone.matching.scope=SELF_OR_ANCESTOR
   
   # Masking
   #The masking will not be applied to mentioned entities (User, Group, Role).  Accepts : single name or multiple names with comma separation.
   ranger.policysync.connector.7.masking.unmasked.users=
   ranger.policysync.connector.7.masking.unmasked.groups=
   ranger.policysync.connector.7.masking.unmasked.roles=
   ranger.policysync.connector.7.load.resources=load
   ranger.policysync.connector.7.load.users=load
   ranger.policysync.connector.7.load.policies=load
   ranger.policysync.connector.7.sync.interval.sec=60
   ranger.policysync.connector.7.manage.service.user=true
   ranger.policysync.connector.7.manage.service.group=true
   ranger.policysync.connector.7.manage.service.role=true
   
   # Audits
   ranger.policysync.connector.7.enable.audit=false
   ranger.policysync.connector.7.audit.storage.url=
   ranger.policysync.connector.7.audit.initial.pull.min=30
   
   # set 'load_synapse' in case of synapse.
   # eg.ranger.policysync.connector.7.load.audits=load_synapse
   ranger.policysync.connector.7.load.audits=load
   

3. Run the following command.

   cd ~/privacera/privacera-manager/
   ./privacera-manager.sh update
   

Snowflake

1. Create rangersync-custom-v2.properties file and add the base properties.

   vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
   

2. Example to add another Snowflake connection with connector ID 6. For information about each property, click here.

   ranger.policysync.connector.6=Snowflake
   ranger.policysync.connector.6.enabled=false
   
   #ranger.policysync.connector.6.jdbc.url=jdbc:snowflake://${YOURHOST}
   ranger.policysync.connector.6.jdbc.url={{SNOWFLAKE_JDBC_URL}}
   ranger.policysync.connector.6.switch.ownership.role={{SNOWFLAKE_OWNER_ROLE}}
   ranger.policysync.connector.6.jdbc.username={{SNOWFLAKE_SYNC_USER_NAME}}
   ranger.policysync.connector.6.jdbc.password={{SNOWFLAKE_SYNC_USER_PASSWORD}}
   
   #Database name which needs to be managed, Accepts : single name or multiple database names with comma separation.
   #Regex can be used i.e *_database (This will manage all the database named as company_database, products_database .etc).
   #Set the value as blank, to manage all the database.
   #Set the value as : none, to skip all the database.
   ranger.policysync.connector.6.manage.database.list={{SNOWFLAKE_DATABASES_LIST}}
   
   #Warehouse which need to be used, Accepts : single value  i.e COMPUTE_WH
   ranger.policysync.connector.6.warehouse={{SNOWFLAKE_WAREHOUSE_TO_USE}}
   
   #Role which need to be used by policy-sync, Accepts : single value  i.e PRIVACERA_SYNC_ROLE
   ranger.policysync.connector.6.role={{SNOWFLAKE_ROLE_TO_USE}}
   #need to set simple OR advance property as true for audit
   ranger.policysync.connector.6.audit.source.simple=false
   ranger.policysync.connector.6.audit.source.advance=false
   ranger.policysync.connector.6.advance.audit.db.name=PRIVACERA_ACCESS_LOGS_DB
   ranger.policysync.connector.6.audit.initial.pull.min=30
   
   ##Set value true to create managed users at end service , Default value : False
   ranger.policysync.connector.6.manage.service.user=false
   
   ##Set list of users to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_user (This will manage all the user named as admin_user, clerk_user .etc).
   ##Set the value as blank, to manage all the users.
   ##Set the value as : none, to skip all the users.
   #ranger.policysync.connector.6.manage.user.list=
   
   ##Set value true to create managed groups at end service , Default value : False
   ranger.policysync.connector.6.manage.service.group=false
   
   ##Set list of groups to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_groups (This will manage all the groups named as admin_groups, clerk_groups .etc).
   ##Set the value as blank, to manage all the groups.
   ##Set the value as : none, to skip all the groups.
   #ranger.policysync.connector.6.manage.group.list=
   
   ##Set value true to create managed roles at end service , Default value : False
   ranger.policysync.connector.6.manage.service.role=false
   
   ##Set list of roles to be managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_role (This will manage all the role named as admin_role, testing_role .etc).
   ##Set the value as blank, to manage all the roles.
   ##Set the value as : none, to skip all the roles.
   #ranger.policysync.connector.6.manage.role.list=
   
   ##To perform dry run when value is set as false, Default value : false
   ranger.policysync.connector.6.perform.grant.updates=false
   
   ##Set list of roles to be ignored and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_role (This will manage all the role named as admin_role, testing_role .etc).
   ##Set the value as blank, to manage all the roles.
   ##Set the value as : none, to skip all the roles.
   ranger.policysync.connector.6.ignore.role.list=SYSADMIN,ACCOUNTADMIN,SECURITYADMIN
   
   ##Set list of schema to be ignored by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_schema (This will manage all the schema named as finance_schema, dev_schema .etc).
   ##Set the value as blank, to manage all the schema.
   ##Set the value as : none, to skip all the schema.
   ranger.policysync.connector.6.ignore.schema.list=*.information_schema
   ranger.policysync.connector.6.ranger.service.appid=privacera_snowflake
   ranger.policysync.connector.6.servicetype=snowflake
   ranger.policysync.connector.6.class=com.privacera.policysync.connector.PSSnowflakeConnector
   ranger.policysync.connector.6.jdbc.driver=net.snowflake.client.jdbc.SnowflakeDriver
   ranger.policysync.connector.6.jdbc.db=snowflake
   
   ##Set list of database to be ignored by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_database (This will manage all the database named as finance_database, dev_database .etc).
   ##Set the value as blank, to manage all the database.
   ##Set the value as : none, to skip all the database.
   ranger.policysync.connector.6.ignore.database.list=demo_db,snowflake,util_db,SNOWFLAKE_SAMPLE_DATA
   ranger.policysync.connector.6.database.list.format=database
   ranger.policysync.connector.6.schema.list.format=database.schema
   ranger.policysync.connector.6.table.list.format=database.schema.table
   ranger.policysync.connector.6.view.list.format=database.schema.view
   #ranger.policysync.connector.6.systemconfig=customSnowflakeConfig.json
   ranger.policysync.connector.6.load.resources=load
   #ranger.policysync.connector.6.load.resources=load_md
   ranger.policysync.connector.6.load.users=load_md
   ranger.policysync.connector.6.load.policies=load
   
   ##Set list of roles to be user and not managed by policy-sync, Accepts : single name or multiple names with comma separation.
   ##Regex can be used i.e *_user (This will manage all the user named as admin_user, testing_user .etc).
   ##Set the value as blank, to manage all the user.
   ##Set the value as : none, to skip all the user.
   ranger.policysync.connector.6.ignore.user.list=snowflake,privacera
   ranger.policysync.connector.6.sync.interval.sec=60
   
   #ranger.policysync.connector.6.new.user.password=
   ##Set prefix to create internal role for policy-sync
   ranger.policysync.connector.6.User.role.prefix=priv_user_
   ranger.policysync.connector.6.Group.role.prefix=priv_group_
   ranger.policysync.connector.6.Role.role.prefix=priv_role_
   
   # Set below property to true to enable column level access control
   ranger.policysync.connector.6.enable.column.level.access.control=false
   ##Database and schema to store masking policies, Accepts : single name
   ranger.policysync.connector.6.masking.policy.db.name=privacera_db
   ranger.policysync.connector.6.masking.policy.schema.name=privacera_db.public
   
   # For Masking
   ##Set true to enable masking, Default value : false
   ranger.policysync.connector.6.enable.masking=false
   
   # Masked Value for Column Access Control
   #ranger.policysync.connector.6.access.control.text.value='{{REDACTED}}'
   

3. Run the following command.

   cd ~/privacera/privacera-manager/
   ./privacera-manager.sh update
   

Redshift

1. Create rangersync-custom-v2.properties file and add the base properties.

   vi ~/privacera/privacera-manager/config/custom-properties/rangersync-custom-v2.properties
   

2. Example to add another Redshift connection with connector ID 3. For information about each property, click here.

   ranger.policysync.connector.3=Redshift
   ranger.policysync.connector.3.enabled=true
   ranger.policysync.connector.3.servicetype=redshift-db
   ranger.policysync.connector.3.jdbc.url=jdbc:postgresql://c8nwggihrpkl.us-east-1.redshift.amazonaws.com:5439
   ranger.policysync.connector.3.jdbc.db=customer
   ranger.policysync.connector.3.jdbc.username=xxyyzz
   ranger.policysync.connector.3.jdbc.password=xxxxxxxx
   ranger.policysync.connector.3.master.database=customer
   ranger.policysync.connector.3.manage.database.list=customer
   ranger.policysync.connector.3.manage.schema.list=
   ranger.policysync.connector.3.manage.table.list=
   ranger.policysync.connector.3.manage.view.list=
   # Ignore Resource Lists
   ranger.policysync.connector.3.new.user.password=xxxxxxxxx
   ranger.policysync.connector.3.switch.ownership.role=
   ranger.policysync.connector.3.manage.service.user=true
   ranger.policysync.connector.3.manage.service.group=true
   ranger.policysync.connector.3.manage.service.role=true
   ranger.policysync.connector.3.perform.grant.updates=true
   ranger.policysync.connector.3.User.role.prefix=priv_user_
   ranger.policysync.connector.3.Group.role.prefix=priv_group_
   ranger.policysync.connector.3.Role.role.prefix=priv_role_
   # Masked Value for Masking
   ranger.policysync.connector.3.masked.number.value=0
   ranger.policysync.connector.3.masked.double.value=0
   ranger.policysync.connector.3.masked.text.value='<MASKED>'
   ranger.policysync.connector.3.masked.varchar.value='<MASKED>'
   ranger.policysync.connector.3.manage.user.list=
   ranger.policysync.connector.3.manage.group.list=
   ranger.policysync.connector.3.manage.role.list=
   # Filter User/Group
   ranger.policysync.connector.3.manage.user.filterby.group=false
   ranger.policysync.connector.3.manage.user.filterby.role=false
   ranger.policysync.connector.3.user.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
   ranger.policysync.connector.3.user.name.replace.to.string=_
   ranger.policysync.connector.3.group.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
   ranger.policysync.connector.3.group.name.replace.to.string=_
   ranger.policysync.connector.3.role.name.replace.from.regex=[~`$&+:;=?@#|'<>.^*()_%\\[\\]!\\-\\/\\\\{}]
   ranger.policysync.connector.3.role.name.replace.to.string=_
   # Ignore User/Group/Role Lists
   # View Based Masking and Row Filter
   ranger.policysync.connector.3.enable.view.based.row.filter=true
   ranger.policysync.connector.3.enable.view.based.masking=true
   ranger.policysync.connector.3.secure.view.schema.name=
   ranger.policysync.connector.3.secure.view.schema.name.prefix=
   ranger.policysync.connector.3.secure.view.schema.name.postfix=
   ranger.policysync.connector.3.secure.view.name.prefix=
   ranger.policysync.connector.3.secure.view.name.postfix=_secure
   ranger.policysync.connector.3.secure.view.schema.name.remove.suffix.list=
   ranger.policysync.connector.3.secure.view.name.remove.suffix.list=
   ranger.policysync.connector.3.secure.view.create.for.all=false
   ranger.policysync.connector.3.secure.view.access.by.table.policy=false
   # Audit Properties
   # Make this property true for audits
   ranger.policysync.connector.3.enable.audit=false
   

3. Run the following command.

   cd ~/privacera/privacera-manager/
   ./privacera-manager.sh update
   

Configuring multiple connectors for a single PolicySync repository

A single PolicySync repository can be configured to serve more than one datasource. Add a section in rangersync-custom-v2.properties for each connector. Be sure to assign each connector its own unique integer connector ID.

For example:

# First, a PostgreSQL source with connector ID 5 named Postgres-dev
ranger.policysync.connector.5=Postgres-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=postgres

# additional properties for connector 5 as needed...

# Next, an MSSQL source with connector ID 7 named MSSql-Dev
ranger.policysync.connector.7=MSSql-Dev
# Enable below property to enable the mssql connector
ranger.policysync.connector.7.enabled=false
ranger.policysync.connector.7.servicetype=mssql

# additional properties for connector 7 as needed...

Configuring multiple connectors for multiple PolicySync repositories

By default, when you configure multiple connectors (datasources), they connect to the default PolicySync repository in Privacera Portal. All the policies defined in the default PolicySync repository get applied on the connectors.

However, it is recommended to configure a different PolicySync repository for each connector. Add the following two connectors properties and enter the name of the PolicySync repository. Where <CONNECTOR_ID> is the unique number assigned to the connector and <POLICYSYNC_INSTANCE> is the PolicySync repository name you have configured in Privacera Portal.

ranger.policysync.connector.<CONNECTOR_ID>.ranger.service.name=<POLICYSYNC_INSTANCE>
ranger.policysync.connector.<CONNECTOR_ID>.ranger.service.appid=<POLICYSYNC_INSTANCE>

Example 1: The following configuration shows two Microsoft SQL Server connectors connected to the default PolicySync repository named privacera_mssql in Privacera Portal.

# MSSQL with connector ID 5 connected to default PolicySync
ranger.policysync.connector.5=mssql-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=mssql



# MSSQL with connector ID 7 connected to default PolicySync
ranger.policysync.connector.7=mssql-prod
ranger.policysync.connector.7.enabled=true
ranger.policysync.connector.7.servicetype=mssql

Example 2: The following configuration shows one Microsoft SQL Server connector with ID 5 is connected to the default PolicySync repository named privacera_mssql in Privacera Portal, and the second connector with ID 7 is connected to the PolicySync repository named privacera_mssqltwo. Where privacera_mssqltwo is the newly created PolicySync repository in Privacera Portal.

# MSSQL with connector ID 5 connected to default PolicySync privacera_mssql
ranger.policysync.connector.5=mssql-dev
ranger.policysync.connector.5.enabled=true
ranger.policysync.connector.5.servicetype=mssql



# MSSQL with connector ID 7 connected to PolicySync privacera_mssqltwo
ranger.policysync.connector.7=mssql-prod
ranger.policysync.connector.7.enabled=true
ranger.policysync.connector.7.servicetype=mssql
ranger.policysync.connector.7.ranger.service.name=privacera_mssqltwo
ranger.policysync.connector.7.ranger.service.appid=privacera_mssqltwo

Configure a PolicySync connector to run in a dedicated Kubernetes pod

If your Privacera installation is deployed to a Kubernetes cluster, you can configure each PolicySync connector to run in a dedicated Kubernetes pod. A dedicated pod runs an instance of PolicySync for a connector that you specify.

You might want to use a dedicated pod to optimize resource allocation in your cluster by scheduling the pod in a particular region or on a specific node type.

Privacera supports the following scenarios:

• Deploying dedicated pods for different connector types
• Deploying dedicated pods for multiple instances of the same connector type

If you enable this feature, you must configure a dedicated pod for every PolicySync connector in your current configuration.

How a dedicated pod is configured

To enable dedicated PolicySync pods, you modify your Privacera Manager configuration. You specify the POLICYSYNC_V2_CONNECTORS_LIST variable and provide a list of one or more connector profiles.

If you are deploying a dedicated pod for an additional instance of an existing connector type, such as two Snowflake connectors, you must provide a new connector configuration for each connector of the same type.

PolicySync pod configuration variables

The following variables must be set to enable multiple PolicySync pods.

• POLICYSYNC_V2_CONNECTORS_LIST: Specifies a list of PolicySync connector profiles:

  • If you want to deploy dedicated pods only for different connector types, you can specify one or more of the following types: bigquery, databricks-sql-analytics, mssql, postgres, powerbi, redshift, snowflake. For example:

    POLICYSYNC_V2_CONNECTORS_LIST:
    - powerbi
    - mssql
    

  • If you want to deploy multiple dedicated pods for the same connector type, you must specify unique connector profile names, as in the following example:

    POLICYSYNC_V2_CONNECTORS_LIST:
    - snowflake
    - snowflake2
    - snowflake3
    

    You can use lowercase alphanumeric characters, including dashes (-), for the connector profile name. The connector properties are sourced from a config/custom-properties/rangersync-<profile_name>.properties file that you must provide.

• POLICYSYNC_V2_ENABLE_MULTIPLE_INSTANCES: Set to true to enable multiple PolicySync pods. This feature is disabled by default.

Configure dedicated PolicySync connector pods for different connectors

To create dedicated PolicySync connector pods, complete the following steps.

Prerequisites

• You have installed Privacera on a Kubernetes cluster
• You have configured at least one PolicySync connector as described in Privacera component services

Procedure

1. In a terminal, enter the ~/privacera/privacera-manager directory.

2. Copy the PolicySync connectors YAML file into the custom-vars/ directory:

   cp config/sample-vars/vars.policysync.connectors.yml config/custom-vars
   

3. Edit the YAML file from the previous step in an editor and set the following values:

4. POLICYSYNC_V2_CONNECTORS_LIST

5. POLICYSYNC_V2_ENABLE_MULTIPLE_INSTANCES

   For example:

   POLICYSYNC_V2_CONNECTORS_LIST:
   - mssql
   - postgres
   POLICYSYNC_V2_ENABLE_MULTIPLE_INSTANCES: true
   

6. Invoke Privacera Manager to apply the update:

   ./privacera-manager.sh update 
   

Configure dedicated PolicySync connector pods for the same connector type

To create dedicated PolicySync connector pods for the same connector type, complete the following steps.

Prerequisites

• You have installed Privacera on a Kubernetes cluster
• You have configured at least one PolicySync connector as described in Privacera component services

Procedure

1. In a terminal, enter the ~/privacera/privacera-manager directory.

2. Copy the PolicySync connectors YAML file into the custom-vars/ directory:

   cp config/sample-vars/vars.policysync.connectors.yml config/custom-vars
   

3. Edit the YAML file from the previous step in an editor and set the following values:

   • POLICYSYNC_V2_CONNECTORS_LIST
   • POLICYSYNC_V2_ENABLE_MULTIPLE_INSTANCES

   For example:

   POLICYSYNC_V2_CONNECTORS_LIST:
   - snowflake
   - snowflake-example1
   - snowflake-example2
   POLICYSYNC_V2_ENABLE_MULTIPLE_INSTANCES: true
   

4. For each PolicySync connector profile in the POLICYSYNC_V2_CONNECTORS_LIST list, complete the following steps:

   1. Create a PolicySync connector properties file in the config/custom-properties directory with a file name in the following form: rangersync-<profile_name>.properties. Replace <profile_name> with the name of the PolicySync connector profile from the connectors list.

      For example:

      ls -1 config/custom-properties
      snowflake.properties
      snowflake-example1.properties
      snowflake-example2.properties
      

   2. Populate the properties file that you created in the previous step. Ensure that you use a unique PolicySync connector numeric ID. In the properties file, the ID is included in every option specified and is of the following form: ranger.policysync.connector.<id>. For additional PolicySync connectors, it is recommended to start with an ID of 15 and increment by one for every additional connector properties file that you create.

      • If you want to use an existing connector configuration as a template, you can refer to the existing configuration from the output/kubernetes/helm/policysynv2-<connector_name>/conf directory.
      • If you want to create a new connector configuration, you can refer to PolicySync Properties.

5. Invoke Privacera Manager to apply the update:

   ./privacera-manager.sh update