Enabling Apache Ranger policy for resources
IBM watsonx.data now supports Apache Ranger policies, providing comprehensive data security when integrating with multiple governance tools and engines.
Before you begin
Ensure you have the following details:
- IBM watsonx.data instance.
- Apache Ranger is provisioned.
- The Presto (Java) JDBC URL and credentials in watsonx.data.
- An administrator must add users and groups manually.
- Starting with watsonx.data version 2.1, you can integrate with only one of the following policy engines:
  - Apache Ranger
  - IBM Knowledge Catalog
Creating policies for Presto and Spark in Ranger
IBM watsonx.data uses the policies defined under the following service types in Ranger to enforce data security on catalogs (Iceberg, Hive and Hudi), buckets, schemas and tables.
- Presto: Create resource policies in this Ranger service type to enforce security on catalogs (Iceberg, Hive and Hudi), buckets, schemas and tables used by the Presto engine in watsonx.data.
- Hadoop SQL: Create resource policies in this Ranger service type to enforce security on catalogs (Iceberg, Hive and Hudi), buckets, schemas and tables used by the Spark engine in watsonx.data.
Complete the following steps to create a service in Ranger.
- Log in to Apache Ranger by using the username and password.
- The Service Manager page lists all the resources and the services available under them. For more information about the different resources, see Service Manager.
- Click the Resource tab and select one of the following resources depending on your use case.
  - PRESTO: Create policies for the Presto engine in watsonx.data.
  - Hadoop SQL: Create policies for the Spark engine in watsonx.data.
- Click the Add New Service (+) icon against the required service type and create a new service to define policies. For more information about the different resources, see Service Manager.
  You can also select an existing service to define policies. To define Ranger policies for Presto, you must create a service under the PRESTO section; to define Ranger policies for Spark, you must create a service under the Hadoop SQL section.
- Create a policy against the new (or existing) service. To do that, see Policy Manager.
  The service is added to the respective resource list. Click the service name to verify that the default policies are present.
Associating Ranger policies for Presto and Spark in watsonx.data
Complete the following steps to enable and configure Apache Ranger in watsonx.data.
- Log in to the watsonx.data console.
- From the navigation menu, select Access control.
- Click the Integrations tab.
- Click Integrate service. The Integrate service window opens.
- In the Integrate service window, provide the following details:

  | Field | Description |
  |---|---|
  | Service | Select Apache Ranger. |
  | URL | The URL of the Apache Ranger server. |
  | Username | The Apache Ranger admin user name. |
  | Password | The Apache Ranger admin password. |
  | List resources | Click the link to load the resources that are available in the Apache Ranger server. |
  | Resources | Select the resource for which the Apache Ranger policy must be enabled. |
  | Policy Cache Time Configuration | The interval after which newly defined Ranger policies are refreshed. |
  | Enable data policy within watsonx.data | Select the checkbox to enable the watsonx.data data policy along with the Apache Ranger policy. |

- Click Integrate. The Apache Ranger policy is integrated and listed in the Access control page.
Verify the integration
Complete the following steps to verify access control:
- Log in to the watsonx.data instance.
- From the navigation menu, click Query workspace.
- Run a simple query. An access denied error appears because no policies are defined yet in Ranger for the user.
Granting permission to users
Complete the following steps to grant permissions to the user:
- Log in to Apache Ranger.
- Grant the required permission to the test user.
- Scroll to the bottom and click Save.
- Log in to the watsonx.data instance and run the query again. Access is allowed for the user once the policies are added in Ranger.
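As an added example (not from the IBM documentation or from Ranger's own tooling), the following Python builds the same kind of least-privilege Presto resource policy that the steps above create in the Ranger UI: only SELECT, on one named catalog, schema and table, for listed users or groups, optionally including the Iceberg metadata tables that the Limitations section says otherwise cause errors. The Ranger REST endpoint, the Presto plugin resource names, the "select" access type, the metadata-table suffixes and every service, catalog and user name are assumptions, not values taken from the page.

```python
"""Least-privilege Ranger resource policy for the watsonx.data Presto service
type, built and optionally submitted via Ranger's public REST API. Assumed, not
taken from the page: the /service/public/v2/api/policy endpoint, the Presto
plugin resource names catalog/schema/table, the "select" access type and the
Iceberg metadata-table suffixes."""
import base64, json, urllib.request

# Presto exposes Iceberg metadata as "<table>$<name>"; the page's Limitations
# section says the snapshots view needs its own policy. Suffix list is assumed.
ICEBERG_METADATA_SUFFIXES = ("snapshots", "history", "manifests", "files")

def build_select_policy(service, catalog, schema, table, users=(), groups=(),
                        include_iceberg_metadata=False):
    """Grant only SELECT on one explicitly named table (plus its metadata
    tables if asked). Everything not listed stays denied by Ranger."""
    if "*" in (catalog, schema, table):
        raise ValueError("wildcard resource: name the catalog/schema/table")
    tables = [table]
    if include_iceberg_metadata:
        tables += [f"{table}${s}" for s in ICEBERG_METADATA_SUFFIXES]
    res = lambda vals: {"values": vals, "isExcludes": False, "isRecursive": False}
    return {
        "service": service,
        "name": f"select-{catalog}-{schema}-{table}",
        "isEnabled": True,
        "isAuditEnabled": True,  # keep audit on so denials stay visible
        "resources": {"catalog": res([catalog]), "schema": res([schema]),
                      "table": res(tables)},
        "policyItems": [{"accesses": [{"type": "select", "isAllowed": True}],
                         "users": list(users), "groups": list(groups),
                         "delegateAdmin": False}],
    }

def submit_policy(ranger_url, username, password, policy, timeout=30):
    """POST the policy to Ranger with HTTP basic auth; return the parsed reply."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{ranger_url.rstrip('/')}/service/public/v2/api/policy",
        data=json.dumps(policy).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholder service, catalog and user names (constructed for the example).
    policy = build_select_policy("presto_wxd", "iceberg_data", "sales", "orders",
                                 users=["analyst1"], include_iceberg_metadata=True)
    print(json.dumps(policy, indent=2))
```

To create the policy on a live server, pass the printed dict to submit_policy with the Ranger URL and admin credentials, then rerun the query from the Query workspace as described above.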
Limitations
- In an Apache Iceberg catalog, an error occurs if no Ranger policy is defined for the snapshot views associated with the tables. You must define these policies manually in Apache Ranger to eliminate the error.
- In the 2.0.0 release, watsonx.data supports only the access control feature of the Apache Ranger integration.