Manta Flow Server Authentication and Authorization

This article describes the overall concepts of authentication and authorization in Manta Flow Server. See Manta Identity Management: Keycloak for more details about authentication management and configuration.

User Roles

The application uses several user roles to authorize specific operations within the metadata repository. The roles are:

Access Rights for the Metadata Repository

It is possible to define access rights for the metadata repository. This means that some parts of the metadata repository may only be visible to particular users.

Enabling and Disabling Access Rights

To enable this feature, set the repository.permissions-enabled property in the configuration Configurations > Server > Common > Repository Configuration in Manta Admin UI to true.

To disable this feature, set that property to false. In this case, the entire repository will be accessible to all users.

Defining Access Rights

If the access rights feature is enabled, it is possible to configure metadata repository permissions for IBM Manta Data Lineage users. This is done on three levels.

  1. Repository view configuration
     Location of definition: Manta Data Lineage
     Description: A repository view is any part of the repository. It is defined as a set of included and excluded repository subtrees.

  2. Assigning repository views to user roles
     Location of definition: Manta Data Lineage
     Description: Each role has a set of repository views assigned to it that are accessible to users with this role. It is possible to assign no view (i.e., no part of the repository is accessible) as well as the entire repository. One view can be assigned to more than one role.

  3. Assigning users to user roles
     Location of definition: External systems (e.g., LDAP) or Manta Data Lineage
     Description: Each user can be assigned one or more roles and vice versa. There is no need to define the roles explicitly in Manta Data Lineage.

Repository View Configuration

Repository views can be configured in the configuration Configurations > Server > Common > Repository Views in Manta Admin UI. Each row is a record that either includes repository objects in a view or excludes them from it. The record fields are:

  • Repository view: Name of the repository view the record applies to.

  • Type: Type of record. The value must be either INCLUDE or EXCLUDE. If it is INCLUDE, the affected objects are included in the view. If it is EXCLUDE, the affected objects are excluded from the view. Exclusions take precedence over inclusions. If only EXCLUDE records are defined for the view, the rest of the repository is considered to be included in the view.

  • Affected objects: A slash-separated (/) list of case-insensitive regular expressions, one per repository path entry. A repository object is affected if and only if:

  1. each entry of its path matches the corresponding regular expression,

  2. or any of its ancestors fulfills point 1.

The object resource is the first object path entry.

Special cases:

  • To enclose a path entry in double quotes ("), use the \" sequence.

  • To use double quotes as part of the path entry, use the \"\" sequence.

  • To use a backslash (\) as part of the path entry, use the \\ sequence. Note that a backslash in an object's path needs to be escaped twice — once for the CSV file and another time for the regex.

Assigning Repository Views to User Roles

The assignment of repository views to user roles can be configured in the configuration Configurations > Server > Common > Repository Views Permissions in Manta Admin UI. The rows are records of view-to-role assignments. The record fields are:

  • Role: The user role the record applies to; must be unique within the file.

  • Repository views: Comma-separated list of views accessible to the role; if set to *, users with this role have access to the entire repository.

Applying the Changes

To apply changes to the CSV configuration files above, either restart the Manta Server or send an HTTP GET request to the following URL:

http://<server_name>:<port>/manta-dataflow-server/api/refresh

where <server_name> and <port> are provided by your application administrator.

If the repository.permissions-enabled property has been changed, a Manta Server restart is necessary.

Repository Object Permission Evaluation

A repository object is accessible to the user if and only if it is contained in at least one repository view assigned to at least one of the user roles.

Example Configuration

repositoryViews.csv

"Repository View";"Type";"Affected Objects"
Teradata;INCLUDE;Teradata
OracleDwhExclParty;INCLUDE;Oracle/ORCL/DWH
OracleDwhExclParty;EXCLUDE;Oracle/ORCL/DWH/PARTY.*
MSSQLInstance;EXCLUDE;MSSQL/Server\\\\Instance/.*

repositoryViewsPermission.csv

"Role";"Repository Views"
ROLE_SYSTEM;*
ROLE_USER;Teradata,OracleDwhExclParty

Users with the ROLE_SYSTEM role have access to the entire repository.

Users with the ROLE_USER role have access to all Teradata databases and ORCL.DWH Oracle schemas, excluding all objects (tables, views, etc.) having a name starting with PARTY.
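The following Python script is an added example, not Manta's own code: it re-implements the evaluation rules documented above (the affected-object matching on path entries and their ancestors, exclusions taking precedence over inclusions, exclude-only views including the rest of the repository, and the "at least one view of at least one role" rule) and runs them against the two example CSV files. The function names (load_views, load_permissions, in_view, is_accessible) and the sample object paths are the example's own. Two details are assumptions rather than documented behaviour: each path entry must match its regular expression in full (re.fullmatch), and the CSV-level escaping is modelled only for the backslash rule (a doubled backslash in the file becomes one backslash in the regex); the double-quote special cases are not modelled.

```python
import csv
import io
import re

# Constructed sample input: the article's example configuration files, verbatim.
REPOSITORY_VIEWS_CSV = r'''"Repository View";"Type";"Affected Objects"
Teradata;INCLUDE;Teradata
OracleDwhExclParty;INCLUDE;Oracle/ORCL/DWH
OracleDwhExclParty;EXCLUDE;Oracle/ORCL/DWH/PARTY.*
MSSQLInstance;EXCLUDE;MSSQL/Server\\\\Instance/.*
'''

REPOSITORY_VIEWS_PERMISSION_CSV = r'''"Role";"Repository Views"
ROLE_SYSTEM;*
ROLE_USER;Teradata,OracleDwhExclParty
'''


def _unescape_csv_backslashes(field: str) -> str:
    """Undo the CSV-level backslash escaping: a doubled backslash in the file
    stands for one backslash in the regular expression (assumption: only this
    rule of the 'Special cases' list is modelled here)."""
    return field.replace("\\\\", "\\")


def load_views(text: str) -> dict:
    """Parse repositoryViews.csv into {view name: [(type, [regex per path entry])]}."""
    views: dict = {}
    reader = csv.reader(io.StringIO(text), delimiter=";")
    next(reader)  # header row
    for row in reader:
        if not row:
            continue
        view, rec_type, pattern = (f.strip() for f in row)
        if rec_type.upper() not in ("INCLUDE", "EXCLUDE"):
            raise ValueError(f"unknown record type {rec_type!r} in view {view!r}")
        # One case-insensitive regex per slash-separated path entry.
        entries = [re.compile(e, re.IGNORECASE)
                   for e in _unescape_csv_backslashes(pattern).split("/")]
        views.setdefault(view, []).append((rec_type.upper(), entries))
    return views


def load_permissions(text: str) -> dict:
    """Parse repositoryViewsPermission.csv into {role: [view names or '*']}."""
    perms: dict = {}
    reader = csv.reader(io.StringIO(text), delimiter=";")
    next(reader)  # header row
    for row in reader:
        if not row:
            continue
        role, view_list = (f.strip() for f in row)
        if role in perms:  # the role field must be unique within the file
            raise ValueError(f"role {role!r} is listed more than once")
        perms[role] = [v.strip() for v in view_list.split(",")]
    return perms


def _is_affected(path: list, entries: list) -> bool:
    """Point 1: every path entry matches its regex (the path must be at least as
    long as the pattern). Point 2: any ancestor fulfilling point 1 also affects
    the object, which is the same as checking the leading len(entries) entries."""
    if len(path) < len(entries):
        return False
    return all(rx.fullmatch(p) is not None for rx, p in zip(entries, path))


def in_view(path: list, records: list) -> bool:
    """Exclusions take precedence; an exclude-only view includes everything else."""
    if any(t == "EXCLUDE" and _is_affected(path, e) for t, e in records):
        return False
    if not any(t == "INCLUDE" for t, _ in records):
        return True
    return any(t == "INCLUDE" and _is_affected(path, e) for t, e in records)


def is_accessible(path_str: str, roles: list, views: dict, perms: dict) -> bool:
    """Accessible iff the object is in at least one view of at least one role."""
    path = path_str.split("/")
    for role in roles:
        for view_name in perms.get(role, []):
            if view_name == "*":
                return True
            records = views.get(view_name)
            if records is None:
                continue  # unknown view name: fail closed, grant nothing
            if in_view(path, records):
                return True
    return False


if __name__ == "__main__":
    views = load_views(REPOSITORY_VIEWS_CSV)
    perms = load_permissions(REPOSITORY_VIEWS_PERMISSION_CSV)
    # Constructed sample object paths; "MSSQL/Server\\Instance/db" holds one backslash.
    for obj in ("Teradata/DWH/SALES", "Oracle/ORCL/DWH/CUSTOMER",
                "Oracle/ORCL/DWH/PARTY_ADDRESS", "Oracle/ORCL/HR/EMP",
                "MSSQL/Server\\Instance/db"):
        for role in ("ROLE_USER", "ROLE_SYSTEM"):
            print(f"{role:12} {obj:32} {is_accessible(obj, [role], views, perms)}")
```

Because the evaluator grants access only on a positive match and skips unknown view names, a typo in the Repository views column of a role record silently removes access instead of widening it, which is the safer failure mode for a permissions file.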