Manta Flow Server Authentication and Authorization
This article describes the overall concepts of authentication and authorization in Manta Flow Server. See Manta Identity Management: Keycloak for more details about authentication management and configuration.
User Roles
The application uses several user roles to authorize specific operations within the metadata repository. The roles are:
- ROLE_USER — basic role needed for all secured pages, which by default is all pages
- ROLE_EXPORTER — exports data from the repository
- ROLE_LIGHTHOUSE_READ — scans the metadata repository and searches for particular patterns or evaluates rules
- ROLE_MERGER — executes data-modifying operations such as merging objects, truncating databases, and propagating edges
- ROLE_VIEWER_DATAFLOW — executes operations for the visualization of data flow
- ROLE_VIEWER_CATALOG — explores and searches the metadata catalog
- ROLE_USAGE — exports and cleans server-usage metadata
- ROLE_REPOSITORY_READ — executes data-reading operations via the repository API
- ROLE_REPOSITORY_WRITE — executes data-modifying operations via the repository API
- ROLE_REPOSITORY_EVALUATE — executes special data-modifying operations based on DSL-script evaluation via the repository API
Additional roles can be created simply by starting to use them as described below. Creating new roles is only useful for the section Access Rights for the Metadata Repository.
Access Rights for the Metadata Repository
It is possible to define access rights for the metadata repository. This means that some parts of the metadata repository may only be visible to particular users.
Enabling and Disabling Access Rights
To enable this feature, set the repository.permissions-enabled property in the configuration Configurations > Server > Common > Repository Configuration in Manta Admin UI to true.
To disable this feature, set that property to false. In this case, the entire repository will be accessible to all users.
Defining Access Rights
If the access rights feature is enabled, it is possible to configure metadata repository permissions for IBM Manta Data Lineage users. This is done on three levels.
Level | Location of definition | Description |
---|---|---|
Repository view configuration | Manta Data Lineage | A repository view is any part of the repository. It is defined as a set of included and excluded repository subtrees. |
Assigning repository views to user roles | Manta Data Lineage | Each role has a set of repository views assigned to it that are accessible to users with this role. It is possible to assign no view (i.e., no part of the repository is accessible) as well as the entire repository. One view can be assigned to more than one role. |
Assigning users to user roles | External systems (e.g., LDAP) or Manta Data Lineage | Each user can be assigned one or more roles and vice versa. There is no need to define the roles explicitly in Manta Data Lineage. |
Repository View Configuration
Repository views can be configured in the configuration Configurations > Server > Common > Repository Views in Manta Admin UI. The rows are records of the inclusion of repository objects in the view or the exclusion of them from the view. The record fields are:
Field | Description |
---|---|
Repository view | Name of the repository view the record applies to |
Type | Type of record. The value must be either INCLUDE or EXCLUDE (see the example configuration below). |
Affected objects | Case-insensitive regular expressions of repository path entries separated by slashes. The object resource is the first object path entry. Special cases: |
Assigning Repository Views to User Roles
The assignment of repository views to user roles can be configured in the configuration Configurations > Server > Common > Repository Views Permissions in Manta Admin UI. The rows are records of view-to-role assignments. The record fields are:
Field | Description |
---|---|
Role | The user role the record applies to; must be unique within the file |
Repository views | Comma-separated list of views accessible to the role; if set to *, users with this role have access to the entire repository |
Applying the Changes
To apply changes to the CSV configuration files above, it is necessary to restart the Manta Server or send an HTTP GET request of the following form:
http://<server_name>:<port>/manta-dataflow-server/api/refresh
where <server_name> and <port> are provided by your application administrator.
If the repository.permissions-enabled property has been changed, a Manta Server restart is necessary.
Repository Object Permission Evaluation
A repository object is accessible to the user if and only if it is contained in at least one repository view assigned to at least one of the user roles.
Example Configuration
repositoryViews.csv
"Repository View";"Type";"Affected Objects"
Teradata;INCLUDE;Teradata
OracleDwhExclParty;INCLUDE;Oracle/ORCL/DWH
OracleDwhExclParty;EXCLUDE;Oracle/ORCL/DWH/PARTY.*
MSSQLInstance;EXCLUDE;MSSQL/Server\\\\Instance/.*
repositoryViewsPermission.csv
"Role";"Repository Views"
ROLE_SYSTEM;*
ROLE_USER;Teradata,OracleDwhExclParty
Users with the ROLE_SYSTEM role have access to the entire repository.
Users with the ROLE_USER role have access to all Teradata databases and ORCL.DWH Oracle schemas, excluding all objects (tables, views, etc.) having a name starting with PARTY.
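The following is an added illustration (not Manta's own code) of how the two example CSV files above combine under the evaluation rule: an object is accessible if and only if it lies in at least one view assigned to at least one of the user's roles. It assumes that each INCLUDE or EXCLUDE record covers the whole subtree below the path it names and that each slash-separated entry of a record is matched as a full, case-insensitive regular expression against the corresponding entry of the object path; it also shows that a view with only EXCLUDE records (MSSQLInstance) grants nothing.

```python
import csv
import io
import re
# Constructed copies of the two example CSV files shown on this page.
REPOSITORY_VIEWS_CSV = r'''"Repository View";"Type";"Affected Objects"
Teradata;INCLUDE;Teradata
OracleDwhExclParty;INCLUDE;Oracle/ORCL/DWH
OracleDwhExclParty;EXCLUDE;Oracle/ORCL/DWH/PARTY.*
MSSQLInstance;EXCLUDE;MSSQL/Server\\\\Instance/.*'''
VIEW_PERMISSIONS_CSV = r'''"Role";"Repository Views"
ROLE_SYSTEM;*
ROLE_USER;Teradata,OracleDwhExclParty'''

def load_views(text):
    # {view name: [(INCLUDE|EXCLUDE, [compiled case-insensitive regex per path entry])]}
    views = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if not row or row[0] == "Repository View":  # skip blank and header rows
            continue
        name, kind, pattern = row
        entries = [re.compile(p, re.IGNORECASE) for p in pattern.split("/")]
        views.setdefault(name, []).append((kind.upper(), entries))
    return views

def load_permissions(text):
    # {role: set of view names}; "*" means the entire repository
    perms = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if not row or row[0] == "Role":
            continue
        perms[row[0]] = {v.strip() for v in row[1].split(",")}
    return perms

def _covers(entries, path):
    # Assumption: a record covers the whole subtree below the path it names, so every
    # pattern entry must fully match the corresponding leading entry of the object path.
    parts = path.split("/")
    return len(entries) <= len(parts) and all(
        rx.fullmatch(part) for rx, part in zip(entries, parts))

def in_view(records, path):
    # An object is in a view if some INCLUDE record covers it and no EXCLUDE record does.
    # A view with only EXCLUDE records (MSSQLInstance above) therefore contains nothing.
    included = any(k == "INCLUDE" and _covers(e, path) for k, e in records)
    excluded = any(k == "EXCLUDE" and _covers(e, path) for k, e in records)
    return included and not excluded

def is_accessible(path, roles, views, perms):
    # Page rule: accessible iff the object is in at least one view of at least one role.
    return any(name == "*" or in_view(views.get(name, []), path)
               for role in roles for name in perms.get(role, ()))
```

Roles that appear in no permission record (for example ROLE_EXPORTER here) get no repository access at all once permissions are enabled, so every role that needs data must have a row in the permissions file.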