Global access control with Privacera Ranger#

The integration of Privacera Ranger with Starburst Enterprise Presto enables a global access control for all configured catalogs. It uses the same configuration properties as global access control with Apache Ranger, with a few exceptions:

  • ranger.wild-card-resource-matching-for-row-filtering is not supported

  • ranger.wild-card-resource-matching-for-column-masking is not supported

Note

Global access control with Privacera Ranger requires a valid Starburst Enterprise Presto license.

Requirements#

Before you configure Presto with Privacera Ranger, verify the following prerequisites:

  • Privacera 3.6.0.63+ must be installed.

  • Presto coordinator and workers have the appropriate network access to communicate with the Privacera service. Typically this is port 6080 or 6182, if SSL is used.

  • Presto Ranger plugin must be manually installed on Privacera Ranger

Configuration#

With Privacera installed and configured, you are ready to configure Presto with Privacera as the activated access control system. Set the path to your Privacera access control configuration file in config.properties:

access-control.config-files=etc/access-control-privacera.properties

Subsequently, configure the following properties in the file:

access-control.name=privacera-starburst
ranger.policy-rest-url=http://ranger-admin:6080
ranger.service-name=hive-service
ranger.row-filtering.enabled=true
ranger.presto-plugin-username=admin
ranger.presto-plugin-password=welcome1
ranger.config-resources=/docker/starburst-product-tests/conf/ranger/ranger-audit.xml
ranger.policy-cache-dir=/tmp/ranger

More details about the supported configuration properties is available in the Ranger overview.

Policy management#

Creation and management of policies in Privacera Ranger is powered by the Presto Ranger plugin and therefore identical to the usage for global access control with Apache Ranger.