Installation and Administration Guide

Privitar Query Engine JDBC Connection Properties

datasource
  • Required: Yes

  • Accepted Values: String

  • Example Value: b27874c2-658f-4210-b7c6-3b3134de62d2

  • Description: The ID of the datasource that will be queried via the Query Engine. The property remoteUser must be provided if no requesting user has been set on the QueryEngineDataSource object.

remoteUser
  • Required: Yes

  • Accepted Values: String

  • Example Value: u123

  • Description: The ID of the user that will be querying the underlying data source through the Privitar Query Engine.

remoteUserGroups
  • Required: No

  • Accepted Values: String

  • Example Values:

    • If remoteUserAreIdsExternal=FALSE, an example value is group1,group2,group3.

    • If remoteUserAreIdsExternal=TRUE, an example value is 8d7d6732-a89b-11ed-afa1-0242ac120002,d7d6c1e-a89b-11ed-afa1-0242ac120002,8d7d6dae-a89b-11ed-afa1-0242ac120002.

  • Description: The group IDs to which the user who will be querying the underlying data source through the Privitar Query Engine belongs.

remoteUserAreIdsExternal
  • Required: No

  • Accepted Values: True, False

  • Default Value: FALSE

  • Description: Whether or not the remote user ID and group IDs are external.

secretManagerConfigPath
  • Required: No

  • Accepted Values: String

  • Example Value: file:///Users/me/secret-manager.json

  • Description: Path to a JSON file that contains the configuration for the secret manager used in connections. When this is configured, the Query Engine expects all usernames and passwords for the connections to be passed as references. The format of a reference is adapter-specific; for HashiCorp® Vault it takes the form {version}|{name}, for example 0|postgres_username.

The JSON file should conform to the following schema:

 {
    "$schema" : "http://json-schema.org/draft/2019-09/schema#",
    "title" : "CUSTOM",
    "type" : "object",
    "additionalProperties" : false,
    "properties" : {
      "type" : {
        "type" : "string",
        "enum" : [ "CUSTOM" ],
        "default" : "CUSTOM"
      },
      "extraPropertiesFilePath" : {
        "type" : "string",
        "description" : "If not null then read the file at this path in Java Properties file format and merge it with the properties field"
      },
      "adapterJarPath" : {
        "type" : "string",
        "description" : "If not null then read the adapter jar file from this path. If null then the adapter jar must be on the JVM classpath"
      },
      "sharedClassesRegex" : {
        "type" : "string",
        "description" : "Loaded classes/resources which match this regex will be shared between the adapter/plugin and the rest of the application. If null, will default to sharing SLF4J and Jackson classes."
      },
      "properties" : {
        "type" : "object",
        "additionalProperties" : {
          "$ref" : "#/definitions/Object"
        },
        "description" : "Arbitrary set of key-value pairs to configure the KMS"
      }
    },
    "required" : [ "type" ],
    "definitions" : {
      "Object" : {
        "type" : "object",
        "additionalProperties" : false,
        "properties" : { }
      }
    }
  }

Properties for configuration of the key management system (KMS) are specific to the adapter used. For HashiCorp® Vault KMS the properties are as follows:

Table 56. KMS Properties

| Property | Description | Required? | Example | Default |
|---|---|---|---|---|
| url | The URL to the HashiCorp Vault server, including the protocol. | Yes | http://vault:8200 | |
| authenticationToken | If authenticationMethod is set to TOKEN, then this is the value of the authentication token. Required only if authenticationMethod is set to TOKEN. | Variable | hvs.kuzTOe7a6OTDLTZtCtBoRa5P | |
| path | The path in HashiCorp Vault used as the base path for all secrets to be read. | Yes | secret | |
| authenticationMethod | The authentication method used to authenticate with HashiCorp Vault. | No | TOKEN, KUBERNETES | TOKEN |
| kubernetesAuthPath | If authenticationMethod is set to KUBERNETES, then this is the path where the Kubernetes auth method was installed. The default is to use "kubernetes," that is authenticate with auth/kubernetes/login. | No | | KUBERNETES |
| kubernetesRole | If authenticationMethod is set to KUBERNETES, then this is the name of the Kubernetes role to be used for auth. Required only if authenticationMethod is set to KUBERNETES. | Variable | | |



See Deploy HashiCorp Vault as KMS or Secrets Manager for more information on how to configure HashiCorp® Vault KMS with the platform.

kmsConnectionConfigRepositoryPath
  • Required: No

  • Accepted Values: String

  • Example Value: file:///Users/me/kms.json

  • Description: Path to a JSON file which contains the configuration for all the KMS available to the Query Engine. Only required if using NOVLT.

The JSON file should conform to the following schema:

 {
    "$schema" : "http://json-schema.org/draft/2019-09/schema#",
    "title" : "CUSTOM",
    "type" : "object",
    "additionalProperties" : false,
    "properties" : {
      "type" : {
        "type" : "string",
        "enum" : [ "CUSTOM" ],
        "default" : "CUSTOM"
      },
      "extraPropertiesFilePath" : {
        "type" : "string",
        "description" : "If not null then read the file at this path in Java Properties file format and merge it with the properties field"
      },
      "vaultlessKeyIdentifier" : {
        "type" : "string",
        "description" : "The key identifier for NOVLT"
      },
      "watermarkingKeyIdentifier" : {
        "type" : "string",
        "description" : "The key identifier for watermarking"
      },
      "adapterJarPath" : {
        "type" : "string",
        "description" : "If not null then read the adapter jar file from this path. If null then the adapter jar must be on the JVM classpath"
      },
      "sharedClassesRegex" : {
        "type" : "string",
        "description" : "Loaded classes/resources which match this regex will be shared between the adapter/plugin and the rest of the application. If null, will default to sharing SLF4J and Jackson classes."
      },
      "properties" : {
        "type" : "object",
        "additionalProperties" : {
          "$ref" : "#/definitions/Object"
        },
        "description" : "Arbitrary set of key-value pairs to configure the KMS"
      }
    },
    "required" : [ "type" ],
    "definitions" : {
      "Object" : {
        "type" : "object",
        "additionalProperties" : false,
        "properties" : { }
      }
    }
  }

Properties for configuration of the key management system (KMS) are specific to the adapter used. For HashiCorp® Vault KMS the properties are as follows:

Table 57. KMS Properties

| Property | Description | Required? | Example | Default |
|---|---|---|---|---|
| url | The URL to the HashiCorp Vault server, including the protocol. | Yes | http://vault:8200 | |
| authenticationToken | If authenticationMethod is set to TOKEN, then this is the value of the authentication token. Required only if authenticationMethod is set to TOKEN. | Variable | hvs.kuzTOe7a6OTDLTZtCtBoRa5P | |
| path | The path in HashiCorp Vault used as the base path for all secrets to be read. | Yes | secret | |
| authenticationMethod | The authentication method used to authenticate with HashiCorp Vault. | No | TOKEN, KUBERNETES | TOKEN |
| kubernetesAuthPath | If authenticationMethod is set to KUBERNETES, then this is the path where the Kubernetes auth method was installed. The default is to use "kubernetes," that is authenticate with auth/kubernetes/login. | No | | KUBERNETES |
| kubernetesRole | If authenticationMethod is set to KUBERNETES, then this is the name of the Kubernetes role to be used for auth. Required only if authenticationMethod is set to KUBERNETES. | Variable | | |



See Deploy HashiCorp Vault as KMS or Secrets Manager for more information on how to configure HashiCorp® Vault KMS with the platform.
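
The conditional requirements in Tables 56 and 57 can be checked before a file is deployed. The following is an added example, not Privitar code: the function name, the sample values, and the assumptions that property values are plain strings, that authenticationMethod is case-sensitive, and that only inline properties are checked (not those merged from extraPropertiesFilePath) are all illustrative.

```python
import json
from urllib.parse import urlparse

# Top-level keys the two schemas on this page allow ("additionalProperties": false).
COMMON_KEYS = {"type", "extraPropertiesFilePath", "adapterJarPath",
               "sharedClassesRegex", "properties"}
KMS_ONLY_KEYS = {"vaultlessKeyIdentifier", "watermarkingKeyIdentifier"}

def check_vault_config(text, kms=False):
    """Return findings for a secret-manager (or, with kms=True, KMS) JSON file."""
    cfg = json.loads(text)
    allowed = COMMON_KEYS | (KMS_ONLY_KEYS if kms else set())
    findings = [f"unknown top-level key: {k}" for k in sorted(set(cfg) - allowed)]
    if cfg.get("type") != "CUSTOM":
        findings.append('"type" is required and must be "CUSTOM"')
    props = cfg.get("properties") or {}
    for required in ("url", "path"):
        if not props.get(required):
            findings.append(f"missing required property: {required}")
    if props.get("url") and urlparse(props["url"]).scheme != "https":
        findings.append("url is not https: the token and secrets cross the network in clear")
    method = props.get("authenticationMethod", "TOKEN")  # TOKEN is the table default
    if method == "TOKEN":
        if not props.get("authenticationToken"):
            findings.append("authenticationToken is required when authenticationMethod is TOKEN")
        else:
            findings.append("Vault token is stored in this file: restrict who can read it")
    elif method == "KUBERNETES":
        if not props.get("kubernetesRole"):
            findings.append("kubernetesRole is required when authenticationMethod is KUBERNETES")
    else:
        findings.append(f"authenticationMethod must be TOKEN or KUBERNETES, got {method!r}")
    return findings

# Constructed samples; the token and host names are placeholders.
TOKEN_SAMPLE = json.dumps({"type": "CUSTOM", "properties": {
    "url": "http://vault:8200", "path": "secret",
    "authenticationToken": "hvs.PLACEHOLDER"}})
K8S_SAMPLE = json.dumps({"type": "CUSTOM", "vaultlessKeyIdentifier": "example-key",
                         "properties": {"url": "https://vault.example.internal:8200",
                                        "path": "secret",
                                        "authenticationMethod": "KUBERNETES"}})

if __name__ == "__main__":
    print(check_vault_config(TOKEN_SAMPLE))
    print(check_vault_config(K8S_SAMPLE, kms=True))
```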

controlPlaneTarget
  • Required: Yes

  • Accepted Values: String

  • Example Value: localhost:8081

  • Description: The URL of the data bridge. The Privitar Query Engine will set up a gRPC channel between itself and the data bridge in order to be able to fetch information from the control plane.

exchangeId
  • Required: No

  • Accepted Values: String

  • Example Value: b27874c2-658f-4210-b7c6-3b3134de62d2

  • Description: The UUID of the data exchange of which users of the Privitar Query Engine are members. The Privitar Query Engine will fetch the connection details of the data source and the policies set up in this exchange.

dataPlaneId
  • Required: Yes

  • Accepted Values: String

  • Example Value: b27874c2-658f-4210-b7c6-3b3134de62d2

  • Description: The UUID of the data plane that will be able to connect to the underlying data source.

policyExpiryInMilliseconds
  • Required: No

  • Accepted Values: String

  • Description: The TTL for the applicable policy and connection details fetched from the control plane. Use -1 to disable caching of policies and connection details.

defaultFetchSize
  • Required: No

  • Accepted Values: String

  • Description: The default number of rows that the Privitar Query Engine will fetch from the underlying database at a time. Setting this property overrides the default fetch size of the underlying JDBC driver that connects to the database.

defaultStatementQueryTimeoutSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 0

  • Description: Number of seconds that the Privitar Query Engine will wait for the JDBC statement to execute. Setting this property to 0 will indicate that there is no time limit.

controlPlaneChannelUsePlaintext
  • Required: No

  • Accepted Values: String

  • Default Value: FALSE

  • Description: Whether the gRPC channel to the data bridge should be over plaintext.

controlPlaneChannelKeepAliveTimeSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 45

  • Description: The time without read activity on the gRPC channel before the Privitar Query Engine sends a keepalive ping. Setting this option to a non-positive value disables the feature.

controlPlaneChannelTrustedCertificatePath
  • Required: No

  • Accepted Values: String

  • Description: The path of the optional server TLS certificate that the Privitar Query Engine should trust before it begins communication with the data bridge. The file should contain an X.509 certificate collection in PEM format.

Tip

You may be able to retrieve this certificate by running the following in the control plane namespace:

kubectl get secret dpp-control-plane-tls-ingress-cert -o jsonpath='{.data.tls\.crt}' | base64 --decode

controlPlaneChannelClientAuthMode
  • Required: No

  • Accepted Values: JWT_BEARER_TOKEN, NONE

  • Default Value: JWT_BEARER_TOKEN

  • Description: The mechanism used by the Privitar Query Engine to authenticate itself to the data bridge.

controlPlaneChannelClientAuthJwtSigningAlgorithm
  • Required: No

  • Accepted Values: String

  • Default Value: RS256

  • Description: The JWT signing algorithm used (see RFC 7518) when controlPlaneChannelClientAuthMode is JWT_BEARER_TOKEN.

controlPlaneChannelClientAuthJwtExpirationSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 60

  • Description: The JWT expiration period in seconds when controlPlaneChannelClientAuthMode is JWT_BEARER_TOKEN.

controlPlaneChannelClientAuthJwtSigningKeyPath
  • Required: No

  • Accepted Values: String

  • Description: The path of the JWT signing key when controlPlaneChannelClientAuthMode is JWT_BEARER_TOKEN. This must be a PEM-encoded representation of a PKCS#8 key using the algorithm specified in controlPlaneChannelClientAuthJwtSigningAlgorithm.

Tip

You may be able to retrieve the signing key by running the following in the data plane namespace:

kubectl get secret data-agent-client-auth-secret -o jsonpath='{.data.clientauthkey}' | base64 --decode

controlPlaneChannelClientAuthJwtSigningKeyPassword
  • Required: No

  • Accepted Values: String

  • Description: The password used to decrypt the private key (if it is encrypted) when controlPlaneChannelClientAuthMode is JWT_BEARER_TOKEN.

controlPlaneChannelTlsProtocols
  • Required: No

  • Accepted Values: String

  • Example Value: TLSv1.2,TLSv1.3

  • Default Value: TLSv1.2

  • Description: A comma-separated list of TLS protocols that should be supported in the gRPC channel to the control plane.

controlPlaneResolvedPoliciesRetryMaxAttempts
  • Required: No

  • Accepted Values: String

  • Default Value: 5

  • Description: Maximum number of attempts made by the Query Engine to fetch the applicable policies from the control plane.

controlPlaneResolvedPoliciesInitialBackoffSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 1

  • Description: The number of seconds to wait before making another attempt at fetching applicable policies from the control plane, if the first attempt failed.

controlPlaneResolvedPoliciesBackoffMultiplier
  • Required: No

  • Accepted Values: String

  • Default Value: 3

  • Description: Multiplier that increases the number of seconds to wait before making another attempt at fetching applicable policies from the control plane, if the previous attempt failed.

controlPlaneResolvedPoliciesMaxBackoffSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 10

  • Description: The maximum number of seconds to wait before making another attempt at fetching applicable policies from the control plane, if the previous attempt failed.

controlPlaneResolvedPoliciesTimeoutSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 45

  • Description: The number of seconds to wait for a response from the control plane when fetching applicable policies.

controlPlaneConnectionDetailsRetryMaxAttempts
  • Required: No

  • Accepted Values: String

  • Default Value: 5

  • Description: Maximum number of attempts made by the Privitar Query Engine to fetch the connection details of the data source from the control plane.

controlPlaneConnectionDetailsInitialBackoffSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 1

  • Description: The number of seconds to wait before making another attempt at fetching the connection details of the datasource from the control plane if the first attempt failed.

controlPlaneConnectionDetailsBackoffMultiplier
  • Required: No

  • Accepted Values: String

  • Default Value: 3

  • Description: Multiplier that increases the number of seconds to wait before making another attempt at fetching the connection details of the datasource from the control plane if the previous attempt failed.

controlPlaneConnectionDetailsMaxBackoffSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 10

  • Description: The maximum number of seconds to wait before making another attempt at fetching the connection details of the datasource from the control plane if the previous attempt failed.

controlPlaneConnectionDetailsTimeoutSeconds
  • Required: No

  • Accepted Values: String

  • Default Value: 45

  • Description: The number of seconds to wait for a response from the control plane when fetching the connection details of the datasource.

verboseAuditLog
  • Required: No

  • Accepted Values: String

  • Default Value: FALSE

  • Description: Whether the audit logs regarding the query and available policies should be verbose.

bypassPolicy
  • Required: No

  • Accepted Values: String

  • Default Value: FALSE

  • Description: Whether the Privitar Query Engine policy enforcement should be bypassed.

auditEnabled
  • Required: No

  • Accepted Values: String

  • Default Value: FALSE

  • Description: Whether to enable auditing.

auditStdout
  • Required: No

  • Accepted Values: String

  • Default Value: FALSE

  • Description: Whether to log audit records to standard output (STDOUT).

auditServiceUrl
  • Required: No

  • Accepted Values: String

  • Description: The audit service URL to emit log records to.

request.project
  • Required: Yes

  • Accepted Values: String

  • Description: The ID of the project set up in the data exchange.

request.*
  • Required: No

  • Accepted Values: String

  • Description: Any property starting with request. will be used as a custom user-defined attribute to resolve policies. request.project is handled specially; see the description of that property.
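
Several properties on this page decide whether the channel to the data bridge is protected and whether policies and auditing apply. The following audit over a set of connection properties is an added example, not Privitar code: the function name and sample values are hypothetical, the properties are assumed to be already loaded into a dictionary, and boolean values are assumed to be case-insensitive.

```python
REQUIRED = ("datasource", "remoteUser", "controlPlaneTarget",
            "dataPlaneId", "request.project")
# Defaults as documented on this page.
DEFAULTS = {"controlPlaneChannelUsePlaintext": "FALSE",
            "controlPlaneChannelClientAuthMode": "JWT_BEARER_TOKEN",
            "controlPlaneChannelTlsProtocols": "TLSv1.2",
            "bypassPolicy": "FALSE", "auditEnabled": "FALSE"}
MODERN_TLS = {"TLSv1.2", "TLSv1.3"}

def audit(props):
    """Return findings for the security-relevant Query Engine properties."""
    eff = {**DEFAULTS, **props}  # explicit settings override documented defaults

    def is_true(key):  # assumption: boolean values are case-insensitive
        return eff[key].upper() == "TRUE"

    findings = [f"missing required property: {k}" for k in REQUIRED if k not in props]
    if is_true("controlPlaneChannelUsePlaintext"):
        findings.append("gRPC channel to the data bridge is plaintext")
    if eff["controlPlaneChannelClientAuthMode"].upper() == "NONE":
        findings.append("client authentication to the data bridge is disabled")
    protocols = [p.strip() for p in eff["controlPlaneChannelTlsProtocols"].split(",")]
    legacy = [p for p in protocols if p not in MODERN_TLS]
    if legacy:
        findings.append("protocols other than TLSv1.2/TLSv1.3 enabled: " + ",".join(legacy))
    if is_true("bypassPolicy"):
        findings.append("policy enforcement is bypassed")
    if not is_true("auditEnabled"):
        findings.append("auditing is off (documented default is FALSE)")
    if "controlPlaneChannelClientAuthJwtSigningKeyPassword" in props:
        findings.append("signing-key password is stored with the connection properties")
    return findings

# Constructed sample; the UUIDs and project name are placeholders.
SAMPLE = {
    "datasource": "00000000-0000-0000-0000-000000000001", "remoteUser": "u123",
    "controlPlaneTarget": "localhost:8081",
    "dataPlaneId": "00000000-0000-0000-0000-000000000002",
    "request.project": "example-project",
    "controlPlaneChannelUsePlaintext": "true",
    "controlPlaneChannelTlsProtocols": "TLSv1.1,TLSv1.2",
    "bypassPolicy": "TRUE",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```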