Security Policy Sync

Qlik Data Catalyst integrates with centralized security administration platforms Apache Ranger and Apache Sentry to synchronize enterprise policies with Qlik Data Catalyst Entities, Sources, and Groups.

Each cluster environment can integrate with either security policy engine but not both. If the cluster security policy engine is Ranger, Qlik Data Catalyst creates two policies for each entity (one for Hive and one for HDFS). If the cluster security policy engine is Sentry, Qlik Data Catalyst creates one Hive policy for each entity.

Please refer to the Qlik Data Catalyst installation guide for the property settings for the Ranger and Sentry policy engines. The following help topic addresses Policy Sync via the Qlik Data Catalyst user interface.

Policy Sync screen

Connection information: Displays in the upper right of the initial Policy Sync screen. This information is sourced from the authorization section of the core_env properties and is not editable from within the Qlik Data Catalyst application.

Sync: Entities and Schedule selection, sync initializer

Sync History: Base logs in history are filterable on Start Time, End Time, Sync Type, and Status.

Ranger connection information

Sentry connection information

Policy Sync: Automatic, Full, Targeted by Entity

Automatic Sync: The following triggers activate synchronization and a policy update as changes are made to corresponding entities and associated objects:

  • Create, Edit, Delete Groups
  • Create, Edit, Delete Sources
  • Create, Edit, Delete Entities

Qlik Data Catalyst will continue to update and synchronize policies in Sentry and Ranger as changes are made to corresponding entities.

Full Sync: Full sync initiates and updates every entity in the environment. Full Sync can be scheduled for a one-time future sync or executed immediately.

To initiate full sync, select Start Sync (optional schedule setting).

Initiating full sync

Sync history status codes

Status: Description

Done: All entities are successfully synced

Initialized: Sync has been initialized and is running

Stopped: Sync was stopped at user's request via Request Stop command on Policy Sync Detail page.

Failed: Sync ran without synchronizing any objects

Done, with errors: Sync ran with at least one entity sync failure

The sync automatically opens to the Sync Log page. Overview summary displays on the left with a grid displaying Sync Logs for each policy. To view error details for failed entity syncs, select the status hyperlink.

Sync log page

Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync; select Continue to stop syncing. Entities synced before the sync was stopped are not rolled back, and entities that have yet to sync remain unsynced.

Interrupting a policy sync

Targeted by Entity Sync: Targeted sync initiates and updates user-selected entities in the environment. Targeted sync can be scheduled for a one-time future sync or executed immediately.

To initiate targeted sync, enter search criteria and select the search icon.

Targeted sync

Once the screen opens displaying search results, users have the option to select entities of interest; select Apply to initiate targeted sync on only those entities.

Selected entities

Logs

Sync Logs display within the grid as base logs. To view the details of individual entity policies, select the log memo icon and select View Details.

Individual entity policy details

Log filters provide filter criteria options for Start Time, End Time, Sync Type (Automatic, Full, Targeted), and Status (Log Changes, Done with Errors, Stopped).

Sync log filter criteria

Policy Sync properties

Entities with associated security policies are automatically given properties specifying policy id number and sync status.

These are internal properties that display in discover screen property panels.

Property: authorization.hdfs.policy.id (Ranger only)
Description: HDFS Policy ID
Values: Example: 4278

Property: authorization.hive.policy.id
Description: Hive Policy ID
Values: Example Ranger: 4277
Example Sentry: Podium.XML_regression_src.OrganizationName (<Podium>.<sourcename>.<entityname>)

Property: authorization.policy.sync.status
Description: Policy Sync Status
Values: Example: UP_TO_DATE
System generated value options (enum values): NEVER_SYNCED, UP_TO_DATE, FAILED
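The properties above, together with the one-policy (Sentry) versus two-policy (Ranger) rule, are enough to audit entities for policy gaps. The following is an added example, not Qlik code: it assumes entity properties have been exported as name-to-value maps, and the function names and sample records are constructed for illustration.

```python
import re

HIVE_ID = "authorization.hive.policy.id"
HDFS_ID = "authorization.hdfs.policy.id"
STATUS = "authorization.policy.sync.status"
KNOWN_STATUSES = {"NEVER_SYNCED", "UP_TO_DATE", "FAILED"}
# Sentry Hive policy ids follow <Podium>.<sourcename>.<entityname>
SENTRY_ID = re.compile(r"^[^.\s]+\.[^.\s]+\.[^.\s]+$")

def audit_entity(engine, props):
    """Return findings for one entity's property map (empty list = consistent)."""
    if engine not in ("ranger", "sentry"):
        raise ValueError(f"unsupported engine: {engine}")
    findings = []
    status = props.get(STATUS)
    if status not in KNOWN_STATUSES:
        findings.append(f"missing or unknown sync status: {status!r}")
    elif status != "UP_TO_DATE":
        findings.append(f"sync status is {status}")
    hive, hdfs = props.get(HIVE_ID), props.get(HDFS_ID)
    if engine == "ranger":
        # Ranger: one Hive and one HDFS policy per entity; numeric ids as in the page's examples.
        for key, value in ((HIVE_ID, hive), (HDFS_ID, hdfs)):
            if not str(value or "").isdigit():
                findings.append(f"{key} missing or not numeric")
    else:
        # Sentry: a single Hive policy; the HDFS property is Ranger only.
        if not SENTRY_ID.match(str(hive or "")):
            findings.append(f"{HIVE_ID} missing or not <Podium>.<sourcename>.<entityname>")
        if hdfs is not None:
            findings.append(f"{HDFS_ID} present on a Sentry cluster")
    return findings

def audit(engine, entities):
    """Map entity name -> findings, keeping only entities that need attention."""
    report = {name: audit_entity(engine, props) for name, props in entities.items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample export for a Ranger cluster (not real data).
SAMPLE = {
    "orders": {HIVE_ID: "4277", HDFS_ID: "4278", STATUS: "UP_TO_DATE"},
    "customers": {HIVE_ID: "4301", STATUS: "FAILED"},
    "staging_tmp": {},
}

if __name__ == "__main__":
    for name, findings in audit("ranger", SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Entities reported here are candidates for a Targeted sync, followed by a check of the Sync Log error details.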

Policy deletion from Qlik Data Catalyst user interface

These policies can be deleted by deleting the corresponding object in Qlik Data Catalyst.

When a user deletes an entity in Qlik Data Catalyst, they are given options to:

  • Delete Entity
  • Delete File System data
  • Drop Table Structure

Policy deletion

If the security policy engine is Ranger, the corresponding Hive policy can only be deleted by dropping the Hive structure. Similarly, the HDFS policy can only be deleted if the HDFS data is deleted.

If the cluster security policy engine is Sentry, the corresponding Hive policy can only be deleted by dropping the Hive structure. As no HDFS policy is created in Sentry for Qlik Data Catalyst entities, deleting HDFS data will not affect Sentry policies.