Applies to: Kyvos Enterprise, Kyvos Cloud (Managed Services on AWS), Kyvos Azure Marketplace, Kyvos AWS Marketplace, Kyvos Single Node Installation (Kyvos SNI), Kyvos Free (Limited offering for AWS)

You can use a data connection to connect to a single Amazon Redshift database. You can create multiple connections if needed, each going to a separate Redshift database.

Note

  • Transformations are not supported. 

  • Currently, Kyvos supports only MOLAP semantic models for Amazon Redshift, and ROLAP support is not available.

Prerequisites

You must complete the following: 

  1. Create the following VPC Endpoints to use the Redshift connection.

    com.amazonaws.<region>.redshift
    com.amazonaws.<region>.redshift-data

Note

  • Kyvos resources and Redshift services should be in the same VPC.

  • If the Kyvos resources and Redshift service are in different VPCs, then ensure that the Redshift service is publicly accessible. Else, refer to point 3.

  1. Complete the following configuration for the Spark Unload mechanism.

    1. Provide the Redshift IAM Role with access rights on the Kyvos S3 bucket to avoid an AccessDenied exception. This is required for Redshift to unload data to Amazon S3.

    2. Attach an IAM Role to the Redshift cluster that has the rights to write on the Kyvos S3 location.

    3. Copy the ARN of the IAM role attached to Redshift.

    4. Add the below policy statement to the Kyvos S3 bucket policy. Refer to AWS documentation for details.

      Code Block
      {
          "Sid": "Redshift-role-access",
          "Effect": "Allow",
          "Principal": {
              "AWS": "<ARN of the IAM role>"
          },
          "Action": [
              "s3:PutAnalyticsConfiguration",
              "s3:GetObjectVersionTagging",
              "s3:ReplicateObject",
              "s3:GetObjectAcl",
              "s3:GetBucketObjectLockConfiguration",
              "s3:DeleteBucketWebsite",
              "s3:PutLifecycleConfiguration",
              "s3:GetObjectVersionAcl",
              "s3:DeleteObject",
              "s3:GetBucketPolicyStatus",
              "s3:GetObjectRetention",
              "s3:GetBucketWebsite",
              "s3:PutReplicationConfiguration",
              "s3:PutObjectLegalHold",
              "s3:GetObjectLegalHold",
              "s3:GetBucketNotification",
              "s3:PutBucketCORS",
              "s3:GetReplicationConfiguration",
              "s3:ListMultipartUploadParts",
              "s3:PutObject",
              "s3:GetObject",
              "s3:PutBucketNotification",
              "s3:PutBucketLogging",
              "s3:GetAnalyticsConfiguration",
              "s3:PutBucketObjectLockConfiguration",
              "s3:GetObjectVersionForReplication",
              "s3:GetLifecycleConfiguration",
              "s3:GetInventoryConfiguration",
              "s3:GetBucketTagging",
              "s3:PutAccelerateConfiguration",
              "s3:DeleteObjectVersion",
              "s3:GetBucketLogging",
              "s3:ListBucketVersions",
              "s3:RestoreObject",
              "s3:ListBucket",
              "s3:GetAccelerateConfiguration",
              "s3:GetBucketPolicy",
              "s3:PutEncryptionConfiguration",
              "s3:GetEncryptionConfiguration",
              "s3:GetObjectVersionTorrent",
              "s3:AbortMultipartUpload",
              "s3:GetBucketRequestPayment",
              "s3:GetObjectTagging",
              "s3:GetMetricsConfiguration",
              "s3:DeleteBucket",
              "s3:PutBucketVersioning",
              "s3:GetBucketPublicAccessBlock",
              "s3:ListBucketMultipartUploads",
              "s3:PutMetricsConfiguration",
              "s3:GetBucketVersioning",
              "s3:GetBucketAcl",
              "s3:PutInventoryConfiguration",
              "s3:GetObjectTorrent",
              "s3:PutBucketWebsite",
              "s3:PutBucketRequestPayment",
              "s3:PutObjectRetention",
              "s3:GetBucketCORS",
              "s3:PutBucketAcl",
              "s3:GetBucketLocation",
              "s3:ReplicateDelete",
              "s3:GetObjectVersion",
              "s3:PutBucketTagging"
          ],
          "Resource": [
              "arn:aws:s3:::<kyvos S3 bucket name>/_kyvos_app_intermediate_dir_/_kyvos_app_load_/*",
              "arn:aws:s3:::<kyvos S3 bucket name>"
          ]
      }

  1. In case of an existing Kyvos deployment, change the bucket ownership of the Kyvos S3 bucket to Bucket Owner Enforced. Refer to AWS Documentation for details.

  2. If Redshift and Kyvos resources are in different VPCs, and Redshift is not publicly accessible, do the following:

  • Using Redshift-managed VPC endpoints

  • Managing Redshift-managed VPC endpoints using the Amazon Redshift console

  • Granting access to a cluster

  • Creating a Redshift-managed VPC endpoint
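
The Resource list in the bucket policy statement from step 4 of the Spark Unload configuration pairs a prefix-scoped object ARN with the bare bucket ARN, so object-level actions are confined to the _kyvos_app_load_ prefix while bucket-level actions apply to the whole bucket. The Python below is an added example, not Kyvos code: it groups the statement's write actions by the Resource entry that scopes them. The role ARN and bucket name are constructed placeholders, and the bucket-level test is a naming heuristic that holds for the actions listed on this page.

```python
# Action names from the bucket policy statement above ("s3:" is prefixed below).
PAGE_ACTIONS = """
PutAnalyticsConfiguration GetObjectVersionTagging ReplicateObject GetObjectAcl
GetBucketObjectLockConfiguration DeleteBucketWebsite PutLifecycleConfiguration
GetObjectVersionAcl DeleteObject GetBucketPolicyStatus GetObjectRetention
GetBucketWebsite PutReplicationConfiguration PutObjectLegalHold GetObjectLegalHold
GetBucketNotification PutBucketCORS GetReplicationConfiguration ListMultipartUploadParts
PutObject GetObject PutBucketNotification PutBucketLogging GetAnalyticsConfiguration
PutBucketObjectLockConfiguration GetObjectVersionForReplication GetLifecycleConfiguration
GetInventoryConfiguration GetBucketTagging PutAccelerateConfiguration DeleteObjectVersion
GetBucketLogging ListBucketVersions RestoreObject ListBucket GetAccelerateConfiguration
GetBucketPolicy PutEncryptionConfiguration GetEncryptionConfiguration
GetObjectVersionTorrent AbortMultipartUpload GetBucketRequestPayment GetObjectTagging
GetMetricsConfiguration DeleteBucket PutBucketVersioning GetBucketPublicAccessBlock
ListBucketMultipartUploads PutMetricsConfiguration GetBucketVersioning GetBucketAcl
PutInventoryConfiguration GetObjectTorrent PutBucketWebsite PutBucketRequestPayment
PutObjectRetention GetBucketCORS PutBucketAcl GetBucketLocation ReplicateDelete
GetObjectVersion PutBucketTagging
""".split()

STATEMENT = {
    "Sid": "Redshift-role-access",
    "Effect": "Allow",
    # Constructed placeholder role ARN and bucket name; substitute your own.
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-redshift-role"},
    "Action": ["s3:" + name for name in PAGE_ACTIONS],
    "Resource": [
        "arn:aws:s3:::example-kyvos-bucket/_kyvos_app_intermediate_dir_/_kyvos_app_load_/*",
        "arn:aws:s3:::example-kyvos-bucket",
    ],
}
WRITE_VERBS = ("Put", "Delete", "Replicate", "Restore", "Abort")

def is_bucket_level(action):
    # Naming heuristic that holds for the actions listed on this page, not all of S3:
    # bucket-scoped actions contain "Bucket" or end in "Configuration".
    name = action.split(":", 1)[-1]
    return "Bucket" in name or name.endswith("Configuration")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def review_statement(stmt):
    """Group write actions by the Resource entry that actually scopes them."""
    keys = [r.split(":::", 1)[-1] for r in as_list(stmt["Resource"])]
    has_bucket_arn = any("/" not in k for k in keys)
    object_patterns = [k if k == "*" else k.split("/", 1)[1] for k in keys if k == "*" or "/" in k]
    writes = [a for a in as_list(stmt["Action"]) if a.split(":", 1)[-1].startswith(WRITE_VERBS)]
    bucket_writes = sorted(a for a in writes if is_bucket_level(a))
    object_writes = sorted(a for a in writes if not is_bucket_level(a))
    principal = stmt.get("Principal")
    aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return {
        "wildcard_principal": principal == "*" or "*" in aws,
        # Bucket-level actions match only the bare bucket ARN, so no prefix limits them.
        "whole_bucket_writes": bucket_writes if has_bucket_arn else [],
        "object_writes": object_writes if object_patterns else [],
        "object_patterns": object_patterns,
    }
```

Calling `review_statement(STATEMENT)` returns the grouped actions for review; wildcard actions such as `s3:*` are not expanded.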

Considerations when using Redshift-managed VPC endpoints

Before creating a Redshift-managed VPC endpoint (Points to be shared with Client), ensure the following: 

  • The cluster to access is an RA3 node type.

  • The cluster to access has cluster relocation turned on. For information about requirements to turn on cluster relocation, see Managing cluster relocation in Amazon Redshift.

  • The cluster to access is available through port 5439.

  • Modify the VPC security groups associated with an existing Redshift-managed VPC endpoint, if needed. 
    To modify other settings, delete the current Redshift-managed VPC endpoint and create a new one.

  • The number of Redshift-managed VPC endpoints that you can create is limited to your VPC endpoint quota.

  • The Redshift-managed VPC endpoints aren't accessible from the internet.
    A Redshift-managed VPC endpoint is accessible only within the VPC where the endpoint is provisioned, or from any VPCs peered with that VPC, as permitted by the route tables and security groups.

  • You can't use the Amazon VPC console to manage Redshift-managed VPC endpoints.

Managing Redshift-managed VPC endpoints using the Amazon Redshift console

You can configure the use of Redshift-managed VPC endpoints by using the Amazon Redshift console.

Granting access to a cluster

Ensure that the Client (Account A) performs the following steps on the Redshift Cluster:

To allow a VPC in another AWS account to have access to your cluster, perform the following steps: 

  1. Sign in to the AWS Management Console and open the Amazon Redshift console.

  2. On the navigation menu, click Clusters.

  3. For the cluster that you want to allow access to, view the cluster details by choosing the cluster name. Click the Properties tab of the cluster.
    The Granted accounts section displays the accounts and corresponding VPCs that have access to your cluster.

  4. Click Grant access to display a form to enter Grantee information to add an account.

  5. For AWS account ID, enter the ID of the account to which you are granting access. You can grant access to specific VPCs or all VPCs in the specified account.

  6. Click Grant access to grant access.

Creating a Redshift-managed VPC endpoint

Ensure that the Kyvos team (Account B) performs the following steps on the Redshift AWS console. 

  1. Sign in to the AWS Management Console and open the Amazon Redshift console.

  2. On the navigation menu, click Configurations.
    The Configuration page displays the Redshift-managed VPC endpoints that have been created.

  3. To view details for an endpoint, select its name.

  4. Click Create endpoint to display a form to enter information about the endpoint to add.

  5. Enter values for Endpoint name, AWS account ID, Cluster identifier, Virtual private cloud (VPC), Subnet group, and other properties of the endpoint.
    The subnet group you select in Subnet group defines the subnets and IP addresses where Amazon Redshift deploys the endpoint.
    Amazon Redshift chooses a subnet that has IP addresses available for the network interface associated with the endpoint.
    The optional security group you select in Security group defines the ports, protocols, and sources for inbound traffic that you are authorizing for your endpoint. Commonly, you allow access to port 5439 to the security group or the CIDR range where your workloads run.

  6. Click Create endpoint to create the endpoint.

After your endpoint is created, you can access the cluster through the URL shown in the Endpoint URL in the configuration settings for your Redshift-managed VPC endpoint.

Policy definition

The policy gives rights to the Redshift resource. To restrict the resource, replace * with these resource details:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials",
                "redshift:JoinGroup",
                "redshift:CreateClusterUser"
            ],
            "Resource": "arn:aws:redshift:region:account-id:cluster:cluster-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        }
    ]
}

Set up or view Redshift connection

You can set up a Redshift connection using a user name and password or IAM Instance Profile Credentials. For both connection types, you need to:

  • Provide the iam_role

  • Set the LoginTimeout value

To set up or view a Redshift warehouse connection, perform the following steps. 

  1. From the Toolbox, click Setup, then Connections.

  2. From the Actions menu ( ⋮ ), click Add Connection.

  3. Enter a name or select it from the Connection list.

  4. After you finish configuring the settings using the table shown below the screenshot, click the Test button from the top left to validate the connection settings.

  5. If the connection is valid, click the Save button.

  6. To refresh connections, click the Actions menu ( ⋮ ) at the top of the Connections column and select Refresh.

Authentication Type: User Name and Password

  1. Select Warehouse from the Category List.
    There may be more than one warehouse connection.

  2. For Providers, select Redshift.

  3. For Authentication Type, choose User Name and Password.

  4. Enter the URL, Redshift user name, and password for Kyvos to connect to Redshift.

  5. Click the SSL checkbox to configure the driver to use a non-validating SSL factory. Use this setting if the server you are connecting to uses SSL but does not require identity verification.

  6. Click Properties to configure advanced settings or set JDBC-specific properties. All non-Kyvos properties are passed to the JDBC API. 

  7. In the Miscellaneous Properties section, provide the iam_role and the LoginTimeout value. The recommended value is 10.

  8. Click Save.

Authentication Type: IAM Instance Profile Credentials

  1. Select Warehouse from the Category List.
    There may be more than one warehouse connection.

  2. For Providers, select Redshift.

  3. For Authentication Type choose IAM Instance Profile Credentials to configure the IAM role attached to the BI server.

  4. Enter the URL, Redshift User, and Redshift groups to map to the IAM role. 

  5. The JDBC URL can be fetched from AWS Redshift Console and has the following format: jdbc:redshift:iam://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev

  6. Click Auto Create DB User to create the user at runtime. That user is assigned to a group that is specified at the connection screen. The group must already exist. If a group is not specified, then the user is assigned to the PUBLIC group.

  7. Click Properties to configure advanced settings or set JDBC-specific properties. All non-Kyvos properties are passed to the JDBC API.

  8. In the Miscellaneous Properties section, provide the Redshift iam_role and the LoginTimeout value. The recommended value is 10.

  9. Click Save.

  10. To refresh connections, click the menu ( ⋮ ) at the top of the Connections column and select Refresh.

  11. Optionally, select the SSL check box to enable SSL in a Redshift connection.
