Security Policy Sync

Qlik Catalog integrates with centralized security administration platforms Apache Ranger and Apache Sentry to synchronize enterprise policies with Qlik Catalog entities, sources, and groups.

Multi-node cluster environments can integrate with either security policy engine but not both. If the cluster security policy engine is Ranger, Qlik Catalog creates two policies for each entity (one for the distribution table and one for the file system). If the cluster security policy engine is Sentry, Qlik Catalog creates one policy for the distribution table of each entity.

Refer to the Qlik Catalog installation guide for the property settings for the Ranger and Sentry policy engines. This help topic covers Policy Sync through the Qlik Catalog user interface.

Policy Sync screen

Connection information: Displays in the upper right of the initial Policy Sync screen. Connection information is sourced from the authorization section of the core_env properties and is not editable from within the Qlik Catalog application.

Policy Sync: Entities and Schedule selection, sync initializer

Sync History: Base logs in history are filterable on Start Time, End Time, Sync Type, and Status.

Sentry connection information

Ranger connection information

Policy Sync: Automatic, Full, Targeted by Entity

Automatic Sync: The following triggers activate synchronization and a policy update as changes are made to corresponding entities and associated objects:

  • Create, edit, delete groups
  • Create, edit, delete sources
  • Create, edit, delete entities

Qlik Catalog will continue to update and synchronize policies in Sentry and Ranger as changes are made to corresponding entities.

Full Sync: Full sync initiates and updates every entity in the environment. Full Sync can be scheduled for a one-time future sync or executed immediately.

To initiate full sync, select Start Sync (with optional day-time schedule setting).

Initiating full sync

Select start sync button to initialize

Sync history status codes

| Status | Description |
|---|---|
| Done | All entities are successfully synced |
| Initialized | Sync has been initialized and is running |
| Stopped | Sync was stopped at user's request via Request Stop command on Policy Sync Detail page |
| Failed | Sync ran without synchronizing any objects |
| Done, with errors | Sync ran with at least one entity sync failure |

The sync automatically opens to the Sync Log page. Overview summary displays on the left with a grid displaying Sync Logs for each policy. To view error details for failed entity syncs, select the status hyperlink.

Sync log page

The Sync Log page shows the sync status of each entity policy

Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync; select Continue to stop syncing. Entities synced before the sync was stopped are not rolled back, and entities that have yet to sync remain unsynced.

Interrupting a policy sync

Targeted by Entity Sync: Targeted sync initiates and updates user-selected entities in the environment. Targeted sync can be scheduled for a one-time future sync or executed immediately.

To initiate targeted sync, enter search criteria and select the search icon.

Targeted sync

Once the screen opens displaying search results, users have the option to select entities of interest; select Apply to initiate targeted sync on only those entities.

Selected entities

Apply targeted sync on entities meeting search criteria

Logs

Sync Logs display within the grid as base logs. To view the details of a sync operation, select the view sync details icon.

Policy sync details
View sync details

Log filters provide filter criteria options for Start Time, End Time, Sync Type, and Status.

Sync log filter criteria

Sync history filters

Policy sync properties

Entities with associated security policies are automatically given properties specifying the policy ID number and sync status.

These are internal properties that display in discover screen property panels.

| Property | Description | Values |
|---|---|---|
| authorization.hdfs.policy.id (Ranger only) | HDFS Policy ID | Example: 4278 |
| authorization.hive.policy.id | Hive Policy ID | Example Ranger: 4277. Example Sentry: Podium.XML_regression_src.OrganizationName (<Podium>.<sourcename>.<entityname>) |
| authorization.policy.sync.status | Policy Sync Status | Example: UP_TO_DATE. System generated value options (enum values): NEVER_SYNCED, UP_TO_DATE, FAILED |
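
A consistency check over these three properties, as an added example that is not Qlik Catalog code: it flags entities whose policy is not UP_TO_DATE or whose policy IDs do not fit the policy engine in use. It assumes entity properties have been exported into the record layout shown; that layout, the function names, and the Orders entity with ID 4301 are constructed for illustration.

```python
# Added example, not Qlik Catalog code. The record layout (source, entity,
# props) is an assumed export shape; property names and values are the page's.
STATUSES = {"NEVER_SYNCED", "UP_TO_DATE", "FAILED"}
HDFS_ID = "authorization.hdfs.policy.id"
HIVE_ID = "authorization.hive.policy.id"
STATUS = "authorization.policy.sync.status"


def audit_entity(engine, rec):
    """Return a list of findings for one entity; an empty list means consistent."""
    props, findings = rec["props"], []
    status = props.get(STATUS)
    if status not in STATUSES:
        findings.append(f"unknown sync status: {status!r}")
    elif status != "UP_TO_DATE":
        findings.append(f"policy not in sync: {status}")
    hive = str(props.get(HIVE_ID, ""))
    hdfs = str(props.get(HDFS_ID, ""))
    if engine == "ranger":
        # Ranger: one Hive policy and one HDFS policy per entity, numeric IDs.
        for key, value in ((HIVE_ID, hive), (HDFS_ID, hdfs)):
            if not value.isdigit():
                findings.append(f"{key} missing or not numeric")
    elif engine == "sentry":
        # Sentry: Hive policy only, named <Podium>.<sourcename>.<entityname>.
        suffix = f".{rec['source']}.{rec['entity']}"
        if not (hive.endswith(suffix) and len(hive) > len(suffix)):
            findings.append(f"{HIVE_ID} does not match source/entity")
        if hdfs:
            findings.append(f"{HDFS_ID} set, but HDFS policies are Ranger only")
    else:
        raise ValueError(f"unsupported engine: {engine}")
    return findings


def audit(engine, records):
    """Map 'source.entity' to its findings, for entities that have any."""
    report = {f"{r['source']}.{r['entity']}": audit_entity(engine, r) for r in records}
    return {name: found for name, found in report.items() if found}


# Constructed sample records (the first reuses the page's example values).
SAMPLE_RANGER = [
    {"source": "XML_regression_src", "entity": "OrganizationName",
     "props": {HIVE_ID: "4277", HDFS_ID: "4278", STATUS: "UP_TO_DATE"}},
    {"source": "XML_regression_src", "entity": "Orders",
     "props": {HIVE_ID: "4301", STATUS: "FAILED"}},
]
```

Entities reported here are the ones whose access policies in Ranger or Sentry may not reflect their current state in Qlik Catalog, so they are candidates for a targeted sync.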

Policy deletion from Qlik Catalog user interface

These policies can be deleted by deleting the corresponding object in Qlik Catalog.

When a user deletes an entity in Qlik Catalog, they are given options to:

  • Delete Entity
  • Delete File System data
  • Drop Table Structure

Policy deletion

Delete policy for entity dialog

If the security policy engine is Ranger, the corresponding Hive policy can only be deleted by dropping the table structure. Similarly, the HDFS policy can only be deleted if the file system data is deleted.

If the cluster security policy engine is Sentry, the corresponding Hive policy can only be deleted by dropping the table structure. As no HDFS policy is created in Sentry for Qlik Catalog entities, deleting file system data will not affect Sentry policies.