IBM®
watsonx.data now supports Apache Ranger
policies to allow comprehensive data security on integrating with multiple governance tools and
engines.
Before you begin
Ensure you have the following details:
- IBM
watsonx.data instance.
- Apache Ranger environment.
- The Presto (Java) JDBC URL and credentials in watsonx.data.
- watsonx.data and Apache Ranger are
integrated with LDAP to sync users or groups.
Procedure
- Complete the following steps to create a service in the Ranger.
-
-
- Log in to Apache Ranger by using the username and password.
- The home page lists all the services that are already configured under different resources. To
create a new service, click the + icon next to the
PRESTO resource.
- Provide the following details:
Field |
Description |
Username |
admin |
Password |
UXXXXXXR |
jdbc.url |
Provide the JDBC URL. |
- The service is successfully added in the PRESTO resource list. Click the
service name to verify that the default policies are added.
Note: The testing might fail initially,
you can re-test the connection after saving the details since the default policies will be
automatically added after saving.
- Complete the following steps to enable and configure Apache Ranger in watsonx.data.
-
-
- Log in to watsonx.data console.
- From the navigation menu, select Access control.
- Click the Integrations tab.
- Click Integrate service. The Integrate service
window opens.
- In the Integrate service window, provide the following details:
Field |
Description |
Service |
Select Apache Ranger. |
URL |
The URL of Apache Ranger. |
Username |
The admin credentials. |
Password |
The admin credentials. |
List resources |
Click the link to load the resources that are available in the Apache Ranger server. |
Resources |
Select the resource for which the Apache Ranger policy must be enabled. |
Enable data policy within watsonx.data |
Select the checkbox to enable data policy along with Apache Ranger policy. |
- Click Integrate. The Apache Ranger policy is integrated and listed in the
Access Control page.
- Complete the following steps to verify access control :
-
-
- Log in to watsonx.data instance.
- From the navigation menu, click Query workspace.
- Execute a simple query. The access denied error appears as currently no policies are defined in
the Ranger for the user.
- Complete the following steps to grant permissions to the user:
-
-
- Log in to Apache Ranger.
- Grant the required permission to the test user.
- Scroll down to the bottom, click the Save button.
- Log in to watsonx.data instance and execute
a query again. The access is allowed for the user after adding policies in the Ranger.
- Limitations
-
- In Apache Iceberg catalog, an error occurs if a policy is not defined for the snapshots views
related to the tables in Ranger. You must manually define policies in Apache Ranger to eliminate the
error.
- watsonx.data supports access control for
Apache Ranger integration.