Security Policy Sync
Qlik Catalog integrates with centralized security administration platforms Apache Ranger and Apache Sentry to synchronize enterprise policies with Qlik Catalog entities, sources, and groups.
Multi-node cluster environments can integrate with either security policy engine but not both. If the cluster security policy engine is Ranger, Qlik Catalog creates two policies for each entity (one for the distribution table and one for the file system). If the cluster security policy engine is Sentry, Qlik Catalog creates one policy for the distribution table of each entity.
Refer to the Qlik Catalog installation guide for the property settings for the Ranger and Sentry policy engines. This help topic covers Policy Sync in the Qlik Catalog user interface.
Policy Sync screen
Connection information: Displays in the upper right of the initial Policy Sync screen. Connection information is sourced from the authorization section of core_env properties and is not editable from within the Qlik Catalog application.
Policy Sync: Entities and Schedule selection, sync initializer
Sync History: Base logs in history are filterable on Start Time, End Time, Sync Type, and Status.
Policy Sync: Automatic, Full, Targeted by Entity
Automatic Sync: The following triggers activate synchronization and a policy update as changes are made to corresponding entities and associated objects:
- Create, edit, delete groups
- Create, edit, delete sources
- Create, edit, delete entities
Qlik Catalog will continue to update and synchronize policies in Sentry and Ranger as changes are made to corresponding entities.
Full Sync: Full sync initiates and updates every entity in the environment. Full Sync can be scheduled for a one-time future sync or executed immediately.
To initiate full sync, select Start Sync (with optional day-time schedule setting).
Sync history status codes
Status | Icon | Description |
---|---|---|
Done | | All entities are successfully synced |
Initialized | | Sync has been initialized and is running |
Stopped | | Sync was stopped at user's request via Request Stop command on Policy Sync Detail page. |
Failed | | Sync ran without synchronizing any objects |
Done, with errors | | Sync ran with at least one entity sync failure |
The sync automatically opens to the Sync Log page. Overview summary displays on the left with a grid displaying Sync Logs for each policy. To view error details for failed entity syncs, select the status hyperlink.
Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync; select Continue to stop syncing. Entities synced before the sync was stopped are not rolled back, and entities that have yet to sync remain unsynced.
Targeted by Entity Sync: Targeted sync initiates and updates user-selected entities in the environment. Targeted sync can be scheduled for a one-time future sync or executed immediately.
To initiate targeted sync, enter search criteria and select the search icon.
Once the screen opens displaying search results, users have the option to select entities of interest; select Apply to initiate targeted sync on only those entities.
Logs
Sync logs display within the grid as base logs. To view the details of a sync operation, select (view details).
Log filters provide filter criteria options for Start Time, End Time, Sync Type, and Status.
Policy sync properties
Entities with associated security policies are automatically given properties specifying policy id number and sync status.
These are internal properties that display in discover screen property panels.
Property | Description | Values |
---|---|---|
authorization.hdfs.policy.id (Ranger only) | HDFS Policy ID | Example: 4278 |
authorization.hive.policy.id | Hive Policy ID | Example Ranger: 4277. Example Sentry: Podium.XML_regression_src.OrganizationName (<Podium>.<sourcename>.<entityname>) |
authorization.policy.sync.status | Policy Sync Status | Example: UP_TO_DATE. System-generated enum values: NEVER_SYNCED, UP_TO_DATE, FAILED |
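An added example (not Qlik Catalog code): a check over the properties above that flags entities whose policies are missing or out of sync for the configured engine. It assumes entity properties have already been exported into a dict keyed by entity name (the export step, the function names and the sample data are constructed), and that Ranger policy ids are numeric as in the examples above.

```python
import re

# Property names and status values as listed in the table above.
HDFS_ID = "authorization.hdfs.policy.id"  # Ranger only
HIVE_ID = "authorization.hive.policy.id"
STATUS = "authorization.policy.sync.status"
SENTRY_ID = re.compile(r"^[^.\s]+\.[^.\s]+\.[^.\s]+$")  # <Podium>.<source>.<entity>


def audit_entity(engine, props):
    """Return findings for one entity's policy sync properties."""
    findings = []
    status = props.get(STATUS)
    if status is None:
        findings.append("no sync status property")
    elif status != "UP_TO_DATE":  # NEVER_SYNCED, FAILED, or an unexpected value
        findings.append(f"sync status is {status}")
    hive = str(props.get(HIVE_ID) or "")
    if not hive:
        findings.append("missing Hive policy id")
    elif engine == "ranger" and not hive.isdigit():
        findings.append("Hive policy id is not numeric")
    elif engine == "sentry" and not SENTRY_ID.match(hive):
        findings.append("Hive policy id is not <Podium>.<source>.<entity>")
    hdfs = props.get(HDFS_ID)
    if engine == "ranger" and not hdfs:
        findings.append("missing HDFS policy id")  # Ranger creates two policies
    elif engine == "sentry" and hdfs:
        findings.append("unexpected HDFS policy id under Sentry")
    return findings


def audit(engine, entities):
    """Map entity name -> findings, keeping only entities needing attention."""
    if engine not in ("ranger", "sentry"):
        raise ValueError("engine must be 'ranger' or 'sentry'")
    report = {name: audit_entity(engine, p) for name, p in entities.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample (not real data): entity name -> property dict.
SAMPLE = {
    "src.Orders": {HIVE_ID: "4277", HDFS_ID: "4278", STATUS: "UP_TO_DATE"},
    "src.Customers": {HIVE_ID: "4301", STATUS: "FAILED"},
    "src.Staging": {STATUS: "NEVER_SYNCED"},
}

if __name__ == "__main__":
    for name, found in audit("ranger", SAMPLE).items():
        print(f"{name}: {'; '.join(found)}")
```

Entities reported here are candidates for a Targeted by Entity sync.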
Policy deletion from Qlik Catalog user interface
These policies can be deleted by deleting the corresponding object in Qlik Catalog.
When a user deletes an entity in Qlik Catalog, they are given options to:
- Delete Entity
- Delete File System data
- Drop Table Structure
If the security policy engine is Ranger, the corresponding Hive policy can only be deleted by dropping the table structure. Similarly, the HDFS policy can only be deleted if the file system data is deleted.
If the cluster security policy engine is Sentry, the corresponding Hive policy can only be deleted by dropping the table structure. As no HDFS policy is created in Sentry for Qlik Catalog entities, deleting file system data will not affect Sentry policies.