Enabling Apache Ranger policy for resources

IBM® watsonx.data now supports Apache Ranger policies, which provide comprehensive data security when integrating with multiple governance tools and engines.

Before you begin

  • IBM watsonx.data instance.
  • Apache Ranger environment.
  • The Presto (Java) JDBC URL and credentials in watsonx.data.
  • watsonx.data and Apache Ranger are integrated with LDAP to sync users or groups.

Procedure

  1. Complete the following steps to create a service in Apache Ranger.
    1. Log in to Apache Ranger by using the username and password.
    2. The home page lists all the services that are already configured under different resources. To create a new service, click the + icon next to the PRESTO resource.
    3. Provide the following details:
      Field       Description
      Username    admin
      Password    UXXXXXXR
      jdbc.url    Provide the JDBC URL.
    4. The service is successfully added in the PRESTO resource list. Click the service name to verify that the default policies are added.
      Note: The connection test might fail initially. You can retest the connection after you save the details, because the default policies are added automatically when the service is saved.
  2. Complete the following steps to enable and configure Apache Ranger in watsonx.data.
    1. Log in to the watsonx.data console.
    2. From the navigation menu, select Access control.
    3. Click the Integrations tab.
    4. Click Integrate service. The Integrate service window opens.
    5. In the Integrate service window, provide the following details:
      Field                                     Description
      Service                                   Select Apache Ranger.
      URL                                       The URL of Apache Ranger.
      Username                                  The admin credentials.
      Password                                  The admin credentials.
      List resources                            Click the link to load the resources that are available in the Apache Ranger server.
      Resources                                 Select the resource for which the Apache Ranger policy must be enabled.
      Enable data policy within watsonx.data    Select the checkbox to enable data policy along with Apache Ranger policy.
    6. Click Integrate. The Apache Ranger policy is integrated and listed in the Access Control page.
  3. Complete the following steps to verify access control:
    1. Log in to the watsonx.data instance.
    2. From the navigation menu, click Query workspace.
    3. Execute a simple query. An access denied error appears because no policies are currently defined in Ranger for the user.
  4. Complete the following steps to grant permissions to the user:
    1. Log in to Apache Ranger.
    2. Grant the required permission to the test user.
    3. Scroll to the bottom and click Save.
    4. Log in to the watsonx.data instance and execute the query again. Access is allowed for the user after the policies are added in Ranger.
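
Steps 3 and 4 rely on deny-by-default behavior: the query fails until a Ranger policy grants the user access. The following added example (not IBM or Apache Ranger code) builds a policy body in Ranger's public v2 REST JSON format and runs a simplified local allow check against it. The service name presto_wxd, the user testuser, and the catalog, schema and table names are hypothetical.

```python
import fnmatch
import json

def build_select_policy(service, user, catalog, schema, table):
    """Policy body in Ranger's public v2 REST JSON format: SELECT on one table."""
    def res(value):
        return {"values": [value], "isExcludes": False, "isRecursive": False}
    return {
        "service": service,  # Ranger service name from step 1 (hypothetical here)
        "name": f"{user}-select-{catalog}.{schema}.{table}",
        "isEnabled": True,
        "resources": {"catalog": res(catalog), "schema": res(schema),
                      "table": res(table), "column": res("*")},
        "policyItems": [{"users": [user], "delegateAdmin": False,
                         "accesses": [{"type": "select", "isAllowed": True}]}],
    }

def is_allowed(policies, user, access, resource):
    """Simplified model of the allow decision, not Ranger's evaluator.

    Deny unless an enabled policy matches every resource level and has an
    allow item for this user and access type. Groups, roles, deny items,
    exclusions and recursion flags are ignored."""
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue
        spec = policy["resources"]
        if set(spec) != set(resource):
            continue
        if not all(any(fnmatch.fnmatchcase(resource[k], pattern)
                       for pattern in spec[k]["values"]) for k in resource):
            continue
        for item in policy.get("policyItems", []):
            granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
            if user in item.get("users", []) and access in granted:
                return True
    return False

def demo():
    """Constructed scenario: same query before and after the grant in step 4."""
    query = {"catalog": "iceberg_data", "schema": "sales",
             "table": "orders", "column": "order_id"}
    before = is_allowed([], "testuser", "select", query)
    policy = build_select_policy("presto_wxd", "testuser",
                                 "iceberg_data", "sales", "orders")
    return before, is_allowed([policy], "testuser", "select", query)

if __name__ == "__main__":
    print(demo())
    # A body like this is what Ranger accepts at POST /service/public/v2/api/policy.
    print(json.dumps(build_select_policy("presto_wxd", "testuser",
                                         "iceberg_data", "sales", "orders"), indent=2))
```

Scoping the grant to one table and the select access type keeps the test user at least privilege; other users, other tables and write access remain denied.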

Limitations

  • If an Apache Iceberg catalog has no policy defined in Ranger for the snapshot views that are related to its tables, an error occurs. Manually define the policies in Apache Ranger to eliminate the error.
  • The Ranger integration is only supported in the Presto (Java) engine.
  • watsonx.data supports access control for Apache Ranger integration.