Privacera Platform master publication

Configure Privacera Data Access Server

This section covers how you can configure Privacera Data Access Server.

CLI Configuration Steps
  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    
  3. Edit the properties. For property details and description, refer to the Configuration properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see the Dataserver documentation.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
Configuration properties

    DATASERVER_RANGER_AUTH_ENABLED
        Description: Enable or disable Ranger authorization in Dataserver.

    DATASERVER_V2_WORKDER_THREADS
        Description: Number of worker threads that process inbound connections.
        Example: 20

    DATASERVER_V2_CHANNEL_CONNECTION_BACKLOG
        Description: Maximum queue size for inbound connections.
        Example: 128

    DATASERVER_V2_CHANNEL_CONNECTION_POOL
        Description: Enable the connection pool for outbound requests. Disabled by default.

    DATASERVER_V2_FRONT_CHANNEL_IDLE_TIMEOUT
        Description: Idle timeout for inbound connections.
        Example: 60

    DATASERVER_V2_BACK_CHANNEL_IDLE_TIMEOUT
        Description: Idle timeout for outbound connections. Takes effect only if the connection pool is enabled.
        Example: 60

    DATASERVER_HEAP_MIN_MEMORY_MB
        Description: Minimum Java heap memory, in MB, used by Dataserver.
        Example: 1024

    DATASERVER_HEAP_MAX_MEMORY_MB
        Description: Maximum Java heap memory, in MB, used by Dataserver.
        Example: 1024

    DATASERVER_USE_REGIONAL_ENDPOINT
        Description: Set to true to enforce the default AWS region for all S3 buckets.
        Example: true

    DATASERVER_AWS_REGION
        Description: Default AWS region for S3 buckets.
        Example: us-east-1

AWS S3 data server

This section covers how you can configure access control for AWS S3 through Privacera Data Access Server.

Prerequisites

Ensure that the following prerequisites are met:

  • Create and add an AWS IAM Policy defined to allow access to S3 resources.

    Follow AWS IAM Create and Attach Policy instructions, using either "Full S3 Access" or "Limited S3 Access" policy templates, depending on your enterprise requirements.

    Return to this section once the Policy is attached to the Privacera Manager Host VM.

CLI configuration
  1. SSH to the instance where Privacera Manager is installed.

  2. Configure Privacera Data Access Server as described in the section above.

  3. Edit the properties. For property details and description, refer to the Configuration Properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    • In a Kubernetes environment, enable DATASERVER_USE_POD_IAM_ROLE and set DATASERVER_IAM_POLICY_ARN to use a specific IAM role for the Dataserver pod. For property details and description, see the S3 properties below.

    • You can also add custom properties that are not included by default. See Dataserver.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
Configuration properties

    DATASERVER_USE_POD_IAM_ROLE
        Description: Enable the creation of an IAM role that is used for the Dataserver pod.
        Example: true

    DATASERVER_IAM_POLICY_ARN
        Description: Full ARN of the IAM policy to attach to the IAM role associated with the Dataserver pod.
        Example: arn:aws:iam::aws:policy/AmazonS3FullAccess

    DATASERVER_USE_IAM_ROLE
        Description: If you have granted an IAM role permission to access the bucket, enable **Use IAM Roles**.

    DATASERVER_S3_AWS_API_KEY
        Description: If you use an access key to access the bucket, disable **Use IAM Role** and set the AWS API key.
        Example: AKIAIOSFODNN7EXAMPLE

    DATASERVER_S3_AWS_SECRET_KEY
        Description: If you use a secret key to access the bucket, disable **Use IAM Role** and set the AWS secret key.
        Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

    DATASERVER_V2_S3_ENDPOINT_ENABLE
        Description: Enable to use a custom S3 endpoint.

    DATASERVER_V2_S3_ENDPOINT_SSL
        Description: Enable or disable to match whether SSL is enabled on the MinIO server behind the custom endpoint.

    DATASERVER_V2_S3_ENDPOINT_HOST
        Description: Host of the custom endpoint server.
        Example: 192.468.12.142

    DATASERVER_V2_S3_ENDPOINT_PORT
        Description: Port of the custom endpoint server.
        Example: 9000

    DATASERVER_AWS_REQUEST_INCLUDE_USERINFO
        Description: Enable adding the session role to CloudWatch logs for requests that go through Dataserver. The value appears under the **privacera-user** key in the Request Params of the CloudWatch log entry. Set to true to see **privacera-user** in CloudWatch.
        Example: true
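The following pre-flight check is an added example, not part of Privacera Manager: run it against config/custom-vars/vars.dataserver.aws.yml before the update step to catch the misconfigurations that matter most for the S3 properties above (Ranger authorization left off, static AWS keys set alongside the IAM role, a custom endpoint without SSL, a heap minimum above the maximum). It assumes the vars file holds one "KEY: value" pair per line, as the sample-vars files do; the write_sample function produces a constructed file for demonstration.

```shell
# Added pre-flight check for config/custom-vars/vars.dataserver.aws.yml; not Privacera tooling.
# Assumes one "KEY: value" pair per line, as in the sample-vars files. Run it before step 4.
# get_var FILE KEY: print KEY's value with quotes and trailing spaces stripped ("" if absent)
get_var() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 \
    | sed "s/^[\"']//; s/[\"'][[:space:]]*\$//; s/[[:space:]]*\$//"
}
# check_dataserver_vars FILE: print FAIL/WARN findings; return 0 only when nothing FAILed
check_dataserver_vars() {
  f="$1"; rc=0
  ranger=$(get_var "$f" DATASERVER_RANGER_AUTH_ENABLED)
  use_iam=$(get_var "$f" DATASERVER_USE_IAM_ROLE)
  api_key=$(get_var "$f" DATASERVER_S3_AWS_API_KEY)
  secret=$(get_var "$f" DATASERVER_S3_AWS_SECRET_KEY)
  heap_min=$(get_var "$f" DATASERVER_HEAP_MIN_MEMORY_MB)
  heap_max=$(get_var "$f" DATASERVER_HEAP_MAX_MEMORY_MB)
  ep_on=$(get_var "$f" DATASERVER_V2_S3_ENDPOINT_ENABLE)
  ep_ssl=$(get_var "$f" DATASERVER_V2_S3_ENDPOINT_SSL)
  # With Ranger authorization off, Dataserver forwards S3 requests without any policy check.
  [ "$ranger" = "true" ] || { echo "FAIL: DATASERVER_RANGER_AUTH_ENABLED is not true"; rc=1; }
  # Use either the IAM role or static keys, never both; static keys are long-lived plaintext secrets.
  if [ "$use_iam" = "true" ]; then
    [ -z "$api_key$secret" ] || { echo "FAIL: IAM role enabled but static AWS keys also set"; rc=1; }
  elif [ -z "$api_key" ] || [ -z "$secret" ]; then
    echo "FAIL: no IAM role and incomplete static AWS credentials"; rc=1
  else
    echo "WARN: static AWS keys stored in custom-vars; prefer DATASERVER_USE_IAM_ROLE"
  fi
  # A custom (e.g. MinIO) endpoint without SSL carries credentials and data in clear text.
  if [ "$ep_on" = "true" ] && [ "$ep_ssl" != "true" ]; then
    echo "FAIL: custom S3 endpoint enabled without SSL"; rc=1
  fi
  # The JVM refuses to start when the minimum heap exceeds the maximum.
  if [ -n "$heap_min" ] && [ -n "$heap_max" ] && [ "$heap_min" -gt "$heap_max" ]; then
    echo "FAIL: DATASERVER_HEAP_MIN_MEMORY_MB exceeds DATASERVER_HEAP_MAX_MEMORY_MB"; rc=1
  fi
  return "$rc"
}
# write_sample FILE: constructed vars file that trips two checks (Ranger off, MinIO without SSL)
write_sample() {
  cat > "$1" <<'EOF'
DATASERVER_RANGER_AUTH_ENABLED: "false"
DATASERVER_USE_IAM_ROLE: "true"
DATASERVER_HEAP_MIN_MEMORY_MB: "1024"
DATASERVER_HEAP_MAX_MEMORY_MB: "1024"
DATASERVER_V2_S3_ENDPOINT_ENABLE: "true"
DATASERVER_V2_S3_ENDPOINT_SSL: "false"
EOF
}
```

Invoke it as `check_dataserver_vars config/custom-vars/vars.dataserver.aws.yml` and proceed to the update only when it exits 0.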

AWS Athena data server

This section covers how you can configure access control for AWS Athena through Privacera Data Access Server.

Prerequisites

Ensure the following:

  • Create and add an AWS IAM Policy defined to allow rights to use Athena and Glue resources and databases.

    Follow AWS IAM Create and Attach Policy instructions, using the "Athena Access" policy modified as necessary for your enterprise. Return to this section once the Policy is attached to the Privacera Manager Host VM.

CLI configuration
  1. SSH to the instance where Privacera Manager is installed.

  2. Configure Privacera Data Access Server as described in the first section above.

  3. Edit the properties. For property details and description, refer to the Configuration Properties below.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see the Dataserver documentation.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
Configuration properties

Identify an existing S3 bucket or create one to store the Athena query results, then point AWS_ATHENA_RESULT_STORAGE_URL at it:

    AWS_ATHENA_RESULT_STORAGE_URL: "s3://${S3_BUCKET_FOR_QUERY_RESULTS}/athena-query-results/index.html"