Security Policy Sync

Qlik Catalog integrates with centralized security administration platforms Apache Ranger and Apache Sentry to synchronize enterprise policies with Qlik Catalog entities, sources, and groups.

Multi-node cluster environments can integrate with either security policy engine but not both. If the cluster security policy engine is Ranger, Qlik Catalog creates two policies for each entity (one for the distribution table and one for the file system). If the cluster security policy engine is Sentry, Qlik Catalog creates one policy for the distribution table of each entity.

Please refer to Qlik Catalog installation guide for property settings for Ranger and Sentry policy engines. The following help topic addresses Policy Sync via Qlik Catalog user interface.

Policy Sync screen

Connection information: Displays in the upper right of the initial Policy Sync screen. Connection information is sourced from core_env properties authorization section and is not editable from within the Qlik Catalog application.

Policy Sync: Entities and Schedule selection, sync initializer

Sync History: Base logs in history are filterable on Start Time, End Time, Sync Type, and Status.

Ranger connection information — Sentry connection information

Policy Sync: Automatic, Full, Targeted by Entity

Automatic Sync: The following triggers activate synchronization and a policy update as changes are made to corresponding entities and associated objects:

Create, edit, delete groups
Create, edit, delete sources
Create, edit, delete entities

Qlik Catalog will continue to update and synchronize policies in Sentry and Ranger as changes are made to corresponding entities.

Full Sync: Full sync initiates and updates every entity in the environment. Full Sync can be scheduled for a one-time future sync or executed immediately.

To initiate full sync, select Start Sync (with optional day-time schedule setting).

Select start sync button to initialize — Initiating full sync

Sync history status codes

Status	Icon	Description
Done		All entities are successfully synced
Initialized		Sync has been initialized and is running
Stopped		Sync was stopped at user's request via Request Stop command on Policy Sync Detail page.
Failed		Sync ran without synchronizing any objects
Done, with errors		Sync ran with at least one entity sync failure

The sync automatically opens to the Sync Log page. Overview summary displays on the left with a grid displaying Sync Logs for each policy. To view error details for failed entity syncs, select the status hyperlink.

Sync log page provides status for each entity policy sync status — Sync log page

Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync, select Continue to stop syncing. Entities synced up until the sync was stopped will not roll back, entities that have yet to sync will remain unsynced.

Click to view full size — Interrupting a policy sync

Targeted by Entity Sync: Targeted sync initiates and updates user-selected entities in the environment. Targeted sync can be scheduled for a one-time future sync or executed immediately.

To initiate targeted sync, enter search criteria and select search icon.

Once the screen opens displaying search results, users have the option to select entities of interest; select Apply to initiate targeted sync on only those entities.

Apply targeted sync on entities meeting search criteria — Selected entities

Logs

Sync Logs display within the grid as base logs, to view the details of sync operation, select icon view sync details (view details).

Log filters provide filter criteria options for Start Time, End Time, Sync Type), and Status

Sync history filters — Sync log filter criteria

Policy sync properties

Entities with associated security policies are automatically given properties specifying policy id number and sync status.

These are internal properties that display in discover screen property panels.

Property	Description	Values
authorization.hdfs.policy.id (Ranger only)	HDFS Policy ID	Example: 4278
authorization.hive.policy.id	Hive Policy ID	Example Ranger: 4277 Example Sentry: Podium.XML_regression_src.OrganizationName (<Podium>.<sourcename>.<entityname>)
authorization.policy.sync.status	Policy Sync Status	Example: UP_TO_DATE System generated value options: ENUM VALUES: NEVER_SYNCED UP_TO_DATE FAILED

Property

Description

Values

authorization.hdfs.policy.id

(Ranger only)

HDFS Policy ID

Example: 4278

authorization.hive.policy.id

Hive Policy ID

Example Ranger: 4277

Example Sentry:

Podium.XML_regression_src.OrganizationName

(<Podium>.<sourcename>.<entityname>)

authorization.policy.sync.status

Policy Sync Status

Example: UP_TO_DATE

System generated value options:

ENUM VALUES:

NEVER_SYNCED

UP_TO_DATE

FAILED

Policy deletion from Qlik Catalog user interface

These policies can be deleted by deleting the corresponding object in Qlik Catalog.

When a user deletes an entity in Qlik Catalog, they are given options to:

Delete Entity
Delete File System data
Drop Table Structure

Delete policy for entity dialog — Policy deletion

If the security policy engine is Ranger, the corresponding Hive policy can only be deleted by dropping the table structure. Similarly, the HDFS policy can only be deleted if the file system data is deleted.

If the cluster security policy engine is Sentry, the corresponding Hive policy can only be deleted by dropping the table structure. As no HDFS policy is created in Sentry for Qlik Catalog entities, deleting file system data will not affect Sentry policies.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here