Security Policy Sync
Qlik Data Catalyst integrates with centralized security administration platforms Apache Ranger and Apache Sentry to synchronize enterprise policies with Qlik Data Catalyst Entities, Sources, and Groups.
Each cluster environment can integrate with either security policy engine but not both. If the cluster security policy engine is Ranger, Qlik Data Catalyst creates two policies for each entity (one for Hive and one for HDFS). If the cluster security policy engine is Sentry, Qlik Data Catalyst creates one Hive policy for each entity.
Refer to the Qlik Data Catalyst installation guide for the property settings for the Ranger and Sentry policy engines. This help topic covers Policy Sync through the Qlik Data Catalyst user interface.
Policy Sync screen
Connection information: Displays in the upper right of the initial Policy Sync screen. This information is sourced from the authorization section of the core_env properties and is not editable from within the Qlik Data Catalyst application.
Sync: Entities and Schedule selection, sync initializer
Sync History: Base logs in history are filterable on Start Time, End Time, Sync Type, and Status.
Policy Sync: Automatic, Full, Targeted by Entity
Automatic Sync: The following triggers activate synchronization and a policy update as changes are made to corresponding entities and associated objects:
- Create, Edit, Delete Groups
- Create, Edit, Delete Sources
- Create, Edit, Delete Entities
Qlik Data Catalyst will continue to update and synchronize policies in Sentry and Ranger as changes are made to corresponding entities.
Full Sync: Full sync initiates and updates every entity in the environment. Full Sync can be scheduled for a one-time future sync or executed immediately.
To initiate full sync, select Start Sync (optional schedule setting).
Sync history status codes
Status | Icon | Description |
---|---|---|
Done | | All entities are successfully synced |
Initialized | | Sync has been initialized and is running |
Stopped | | Sync was stopped at user's request via Request Stop command on Policy Sync Detail page. |
Failed | | Sync ran without synchronizing any objects |
Done, with errors | | Sync ran with at least one entity sync failure |
The sync automatically opens to the Sync Log page. Overview summary displays on the left with a grid displaying Sync Logs for each policy. To view error details for failed entity syncs, select the status hyperlink.
Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync; select Continue to stop syncing. Entities synced before the stop are not rolled back, and entities that have not yet synced remain unsynced.
Targeted by Entity Sync: Targeted sync initiates and updates user-selected entities in the environment. Targeted sync can be scheduled for a one-time future sync or executed immediately.
To initiate targeted sync, enter search criteria and select the search icon.
Once the screen opens displaying search results, users have the option to select entities of interest; select Apply to initiate targeted sync on only those entities.
Logs
Sync Logs display within the grid as base logs. To view the details of individual entity policies, select the log memo icon and select View Details.
Log filters provide filter criteria options for Start Time, End Time, Sync Type (Automatic, Full, Targeted), and Status (Log Changes, Done with Errors, Stopped).
Policy Sync properties
Entities with associated security policies are automatically given properties specifying policy id number and sync status.
These are internal properties that display in discover screen property panels.
Property | Description | Values |
---|---|---|
authorization.hdfs.policy.id (Ranger only) | HDFS Policy ID | Example: 4278 |
authorization.hive.policy.id | Hive Policy ID | Example Ranger: 4277; Example Sentry: Podium.XML_regression_src.OrganizationName (<Podium>.<sourcename>.<entityname>) |
authorization.policy.sync.status | Policy Sync Status | Example: UP_TO_DATE. System-generated enum values: NEVER_SYNCED, UP_TO_DATE, FAILED |
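The properties above can be used to audit whether each entity's policies match what the configured engine should have created. The following is an added example, not Qlik code: the record layout (source, entity, properties) is a hypothetical export format and the sample records are constructed; only the three property names, the status enum values, and the Ranger/Sentry rules come from this page.

```python
VALID_STATUS = {"NEVER_SYNCED", "UP_TO_DATE", "FAILED"}  # enum values from the table

def audit_entity(record, engine):
    """Return findings for one entity record; an empty list means consistent."""
    props = record.get("properties", {})
    status = props.get("authorization.policy.sync.status")
    if status not in VALID_STATUS:
        return [f"unexpected sync status: {status!r}"]
    if status != "UP_TO_DATE":
        return [f"policy not in sync: {status}"]
    findings = []
    hive_id = props.get("authorization.hive.policy.id")
    hdfs_id = props.get("authorization.hdfs.policy.id")
    if engine == "ranger":
        # Ranger: one Hive and one HDFS policy per entity, numeric IDs.
        for name, value in (("hive", hive_id), ("hdfs", hdfs_id)):
            if value is None:
                findings.append(f"missing {name} policy id")
            elif not str(value).isdigit():
                findings.append(f"non-numeric {name} policy id: {value!r}")
    elif engine == "sentry":
        # Sentry: Hive policy only, ID shaped <Podium>.<sourcename>.<entityname>.
        if hdfs_id is not None:
            findings.append("hdfs policy id present under Sentry")
        parts = str(hive_id).split(".") if hive_id is not None else []
        if len(parts) != 3 or parts[1:] != [record["source"], record["entity"]]:
            findings.append(f"hive policy id does not match source/entity: {hive_id!r}")
    else:
        raise ValueError(f"unknown policy engine: {engine!r}")
    return findings

def audit(records, engine):
    """Map 'source.entity' to findings for every entity that has any."""
    report = {}
    for rec in records:
        found = audit_entity(rec, engine)
        if found:
            report[f"{rec['source']}.{rec['entity']}"] = found
    return report

# Constructed sample records in a hypothetical export layout (not real data).
RANGER_SAMPLE = [
    {"source": "sales", "entity": "orders", "properties": {
        "authorization.hive.policy.id": "4277", "authorization.hdfs.policy.id": "4278",
        "authorization.policy.sync.status": "UP_TO_DATE"}},
    {"source": "sales", "entity": "refunds", "properties": {
        "authorization.hive.policy.id": "4301", "authorization.policy.sync.status": "UP_TO_DATE"}},
    {"source": "hr", "entity": "payroll", "properties": {
        "authorization.policy.sync.status": "FAILED"}},
]
```

Calling audit(RANGER_SAMPLE, "ranger") reports the entity that claims UP_TO_DATE without an HDFS policy ID and the entity whose sync failed, which are the cases worth a targeted sync or a look at the Sync Log.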
Policy deletion from Qlik Data Catalyst user interface
These policies can be deleted by deleting the corresponding object in Qlik Data Catalyst.
When a user deletes an entity in Qlik Data Catalyst, they are given options to:
- Delete Entity
- Delete File System data
- Drop Table Structure
If the security policy engine is Ranger, the corresponding Hive policy can only be deleted by dropping the Hive structure. Similarly, the HDFS policy can only be deleted if the HDFS data is deleted.
If the cluster security policy engine is Sentry, the corresponding Hive policy can only be deleted by dropping the Hive structure. As no HDFS policy is created in Sentry for Qlik Data Catalyst entities, deleting HDFS data will not affect Sentry policies.