Starburst Enterprise with Privacera
Using Privacera with Starburst Enterprise LTS, you can enforce system-wide access control. The following information provides an expedient way of configuring Starburst Enterprise on port 8443 for TLS/HTTPS so that username/password authentication can be used. Self-signed certificates work well for testing purposes, but must not be used for production deployments.
Prerequisites
The following items need to be enabled/shared prior to deploying a Starburst Docker image:
- A licensed version of Starburst
- Docker-ce 18+ must be installed
- JDK 11 (to generate the Java keystore)
- Privacera Manager version 4.7 or higher
- JDBC URL to connect to the Starburst Enterprise instance to access the catalogs and schemas
- CA-signed SSL certificate for production deployment.
Configuring Privacera Plugin with Starburst Enterprise
Summary of steps:
- Generate an access-control file for Starburst.
- Generate an access-control file for Hive catalogs [optional].
- Generate a Ranger Audit XML file.
- Generate a Ranger SSL XML file required for TLS secure Privacera installations.
To configure the Privacera plugin:
- To enable Privacera for authorization, add one of the following entries to etc/config.properties:

    # privacera auth for hive and system access control
    access-control.config-files=/etc/starburst/access-control-privacera.properties,/etc/starburst/access-control-priv-hive.properties

  Or

    # privacera auth for only system access control
    access-control.config-files=/etc/starburst/access-control-privacera.properties

- Edit etc/access-control-privacera.properties. The following is an example of the properties. Configure them so that they point to the instance where Privacera is installed; replace <PRIVACERA_HOST_INSTANCE_IP> with the IP address of the Privacera host.

    access-control.name=privacera-starburst
    ranger.policy-rest-url=http://<PRIVACERA_HOST_INSTANCE_IP>:6080
    ranger.service-name=privacera_starburstenterprise
    ranger.username=admin
    ranger.password=welcome1
    ranger.policy-refresh-interval=3s
    ranger.config-resources=/etc/starburst/ranger-hive-audit.xml
    ranger.policy-cache-dir=/etc/starburst/tmp/ranger

  To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/access-control-privacera.properties:$STARBURST_TGT/access-control-privacera.properties \

- Edit etc/access-control-priv-hive.properties. The following is an example of the properties. Configure them so that they point to the instance where Privacera is installed; replace <PRIVACERA_HOST_INSTANCE_IP> with the IP address of the Privacera host. Similarly, configure the comma-separated catalog list (privacera.catalogs) for catalogs such as Hive, Glue, Delta, and so on. This file is optional if you are not configuring Hive catalogs with privacera_hive policies.

    access-control.name=privacera
    ranger.policy-rest-url=http://<PRIVACERA_HOST_INSTANCE_IP>:6080
    ranger.service-name=privacera_hive
    privacera.catalogs=hive,glue
    ranger.username=admin
    ranger.password=welcome1
    ranger.policy-refresh-interval=3s
    ranger.config-resources=/etc/starburst/ranger-hive-audit.xml
    ranger.policy-cache-dir=/etc/starburst/tmp/ranger
    privacera.fallback-access-control=allow-all

- To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/access-control-priv-hive.properties:$STARBURST_TGT/access-control-priv-hive.properties \

- Edit etc/ranger-hive-audit.xml. This file configures how access from Starburst is audited to Privacera Ranger and Solr. The example below is for unsecured Privacera Ranger deployments only. Replace <PRIVACERA_HOST_INSTANCE_IP> with the IP address of the Privacera host.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <property>
        <name>ranger.plugin.hive.service.name</name>
        <value>privacera_hive</value>
      </property>
      <property>
        <name>ranger.plugin.hive.policy.pollIntervalMs</name>
        <value>5000</value>
      </property>
      <property>
        <name>ranger.service.store.rest.url</name>
        <value>http://<PRIVACERA_HOST_INSTANCE_IP>:6080</value>
      </property>
      <property>
        <name>ranger.plugin.hive.policy.rest.url</name>
        <value>http://<PRIVACERA_HOST_INSTANCE_IP>:6080</value>
      </property>
      <property>
        <name>xasecure.audit.destination.solr</name>
        <value>true</value>
      </property>
      <property>
        <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
        <value>/opt/presto/logs/audits/solr/</value>
      </property>
      <property>
        <name>xasecure.audit.destination.solr.urls</name>
        <value>http://<PRIVACERA_HOST_INSTANCE_IP>:8983/solr/ranger_audits</value>
      </property>
      <property>
        <name>xasecure.audit.is.enabled</name>
        <value>true</value>
      </property>
    </configuration>

- To install this file into the Docker container, add the following option to your container creation script:

    -v $DOCKER_HOME/$STARBURST_VERSION/etc/ranger-hive-audit.xml:$STARBURST_TGT/ranger-hive-audit.xml \
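As an added preflight check (example code, not part of the Privacera or Starburst documentation), the following Python script parses the properties and audit XML files described above, using the page's own example values as constructed sample input, and flags what a reviewer would want to see before the files are mounted into the container: an unreplaced <PRIVACERA_HOST_INSTANCE_IP> placeholder (which also makes the XML unparseable), a plaintext http:// Ranger URL on a production deployment, the example ranger.password still in place, the allow-all fallback, and disabled auditing. The 192.0.2.10 test address is an assumption.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "<PRIVACERA_HOST_INSTANCE_IP>"

def parse_properties(text):
    """Parse Java-style key=value lines; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_access_control(props, production=True):
    """Return findings for one access-control-*.properties file."""
    findings = [f"{k}: placeholder {PLACEHOLDER} not replaced" for k, v in props.items() if PLACEHOLDER in v]
    if production and props.get("ranger.policy-rest-url", "").startswith("http://"):
        findings.append("ranger.policy-rest-url: plaintext http; use https for a TLS-secured Ranger")
    if props.get("ranger.password") == "welcome1":
        findings.append("ranger.password: documentation example value still in place")
    if props.get("privacera.fallback-access-control") == "allow-all":
        findings.append("privacera.fallback-access-control=allow-all: fallback permits access, confirm this is intended")
    return findings

def check_audit_xml(xml_text, props):
    """Return findings for ranger-hive-audit.xml; an unreplaced placeholder is not even well-formed XML."""
    if PLACEHOLDER in xml_text:
        return ["ranger-hive-audit.xml: placeholder not replaced (file will not parse as XML)"]
    values = {p.findtext("name"): p.findtext("value") for p in ET.fromstring(xml_text).findall("property")}
    findings = []
    if values.get("xasecure.audit.is.enabled") != "true":
        findings.append("xasecure.audit.is.enabled is not true: access decisions will not be audited")
    if props.get("ranger.config-resources") != "/etc/starburst/ranger-hive-audit.xml":
        findings.append("ranger.config-resources does not point at the mounted audit XML path")
    return findings
# Constructed sample: the Hive example above with the placeholder replaced by a test address (assumption).
SAMPLE_PROPS = """access-control.name=privacera
ranger.policy-rest-url=http://192.0.2.10:6080
ranger.password=welcome1
ranger.config-resources=/etc/starburst/ranger-hive-audit.xml
privacera.fallback-access-control=allow-all
"""
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<property><name>xasecure.audit.is.enabled</name><value>true</value></property>
</configuration>"""
if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPS)
    print("\n".join("WARN: " + f for f in check_access_control(props) + check_audit_xml(SAMPLE_XML, props)))
```

Run it against the real files (read them in place of SAMPLE_PROPS and SAMPLE_XML) before starting the container; an empty result means none of the listed issues were found.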