IBM® watsonx.data now supports Apache Ranger policies, allowing comprehensive data security when integrating with multiple governance tools and engines.
Before you begin
- IBM watsonx.data instance.
- Apache Ranger environment.
- The Presto (Java) JDBC URL and credentials in watsonx.data.
- watsonx.data and Apache Ranger are integrated with LDAP to sync users or groups.
Procedure
- Complete the following steps to create a service in Apache Ranger.
  - Log in to Apache Ranger by using the username and password.
  - The home page lists all the services that are already configured under different resources. To create a new service, click the + icon next to the PRESTO resource.
  - Provide the following details:

    Field | Description |
    Username | admin |
    Password | UXXXXXXR |
    jdbc.url | Provide the JDBC URL. |

  - The service is successfully added in the PRESTO resource list. Click the service name to verify that the default policies are added.

    Note: The connection test might fail initially. You can retest the connection after you save the details, because the default policies are added automatically on save.
- Complete the following steps to enable and configure Apache Ranger in watsonx.data.
  - Log in to watsonx.data console.
  - From the navigation menu, select Access control.
  - Click the Integrations tab.
  - Click Integrate service. The Integrate service window opens.
  - In the Integrate service window, provide the following details:

    Field | Description |
    Service | Select Apache Ranger. |
    URL | The URL of Apache Ranger. |
    Username | The admin credentials. |
    Password | The admin credentials. |
    List resources | Click the link to load the resources that are available in the Apache Ranger server. |
    Resources | Select the resource for which the Apache Ranger policy must be enabled. |
    Enable data policy within watsonx.data | Select the checkbox to enable data policy along with Apache Ranger policy. |

  - Click Integrate. The Apache Ranger policy is integrated and listed in the Access Control page.
- Complete the following steps to verify access control:
  - Log in to watsonx.data instance.
  - From the navigation menu, click Query workspace.
  - Execute a simple query. An access denied error appears because no policies are currently defined in Ranger for the user.
- Complete the following steps to grant permissions to the user:
  - Log in to Apache Ranger.
  - Grant the required permission to the test user.
  - Scroll down to the bottom and click the Save button.
  - Log in to watsonx.data instance and execute a query again. The access is allowed for the user after adding policies in Ranger.
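
The grant in the step above can also be expressed as a policy body for Ranger's public REST API. The following Python example is added here and is not part of the IBM documentation; the service name `wxd_presto`, the user `testuser`, and the catalog, schema and table names are constructed placeholders, and the access-type names are assumed to match Ranger's stock Presto service definition.

```python
import json

# Access types assumed from Ranger's stock Presto service definition.
# "all", "grant", "revoke" and "impersonate" are deliberately left out so a
# test-user grant cannot become an administrative one.
ALLOWED_ACCESS = {"select", "insert", "create", "drop", "delete",
                  "use", "alter", "show"}


def build_presto_policy(service, user, catalog, schema, table, accesses):
    """Return a Ranger policy dict granting `accesses` on one table to `user`."""
    accesses = list(accesses)
    if not accesses:
        raise ValueError("at least one access type is required")
    bad = [a for a in accesses if a not in ALLOWED_ACCESS]
    if bad:
        raise ValueError(f"access type(s) not permitted here: {bad}")
    # Refuse wildcards so the grant stays scoped to a single named table.
    for label, value in (("catalog", catalog), ("schema", schema), ("table", table)):
        if not value or "*" in value:
            raise ValueError(f"{label} must be named explicitly, got {value!r}")

    def res(value):
        return {"values": [value], "isExcludes": False, "isRecursive": False}

    return {
        "service": service,              # Ranger service created under PRESTO
        "name": f"{user}-{catalog}.{schema}.{table}",
        "isEnabled": True,
        "isAuditEnabled": True,
        "resources": {
            "catalog": res(catalog), "schema": res(schema),
            "table": res(table), "column": res("*"),  # all columns of that table
        },
        "policyItems": [{
            "users": [user], "groups": [], "roles": [],
            "accesses": [{"type": a, "isAllowed": True} for a in accesses],
            "delegateAdmin": False,      # user cannot re-delegate the grant
        }],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    policy = build_presto_policy("wxd_presto", "testuser", "iceberg_data",
                                 "sales", "orders", ["select"])
    print(json.dumps(policy, indent=2))
```

Send the resulting JSON as the body of a POST to `/service/public/v2/api/policy` on the Ranger server with admin credentials, then rerun the query in watsonx.data.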
Limitations
- For an Apache Iceberg catalog, an error occurs if no policy is defined in Ranger for the snapshot views related to tables. Manually define the policies in Apache Ranger to eliminate the error.
- The Ranger integration is only supported in the Presto (Java) engine.
- watsonx.data supports access control for Apache Ranger integration.