
Custom Data Security Configurations

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


The custom Data Security configurations allow you to limit access to the semantic model data by defining custom row-level security, column-level security, and custom JDBC security for your Kyvos cluster.

You can define callback code to provide custom data security configurations depending on your business requirements.

Note

From Kyvos 2023.3 onwards, you can see the details of the last data security configuration operation, including progress status and start time, by clicking the i icon located next to the Revert button. To view more comprehensive details, click the View Details link, which takes you to the Operations page, where you can view the operation information in detail.

To configure custom security, click Security > Data Security on the navigation pane.

You can set the Kyvos User preference for Hadoop access to either Keytab Principal User, which has administrative rights, or Kyvos Logged in User, which has specific access rights and performs activities as per the user's privileges. This user is used for all Kyvos activities that require Hadoop access, such as semantic model process.

Custom Row-level Security

Prerequisites

Before you specify custom row-level security, perform the following steps.

  1. Upload the Custom RLS JAR from the Upload External Libraries page.

  2. Add the classpath, such as com.kyvos.ClassName, and provide an alias name, which will be visible on the Kyvos UI at the time of selecting Custom RLS Jar.

  3. Restart the services after adding the JAR.

Here's a code sample for your reference.

Note: You can modify this code to create multiple types of Custom RLS per your business requirements. You can also modify the code to read a properties/JSON/CSV file containing details related to Custom RLS, by providing a path to the file that is accessible to the JAR on the BI Server node.

    @Override
    public Filters getRLSFilter(String cubeID, String folderName, String cubeName,
            String userName, List<String> groupName,
            List<IQueriedFieldDetails> queriedFields,
            Map<String, ICubeFieldDetails> fieldNameToICubeFieldDetailsMap)
            throws RowLevelSecurityException {
        // fieldName, filtertype and fieldValue are not defined in this sample;
        // set them from your own rules for userName/groupName before building the filter.
        JSONArray jsonArr = new JSONArray();
        JSONObject jsonObj = new JSONObject();
        ICubeFieldDetails fieldDetails = fieldNameToICubeFieldDetailsMap.get(fieldName);

        // Creating JSON for applying RLS
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_DATA_TYPE, fieldDetails.getFieldDataType());
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_RELATION, "OR");
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_DISPLAY_NAME, fieldDetails.getFieldName());
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_NAME, fieldDetails.getFieldUniqueName());
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_OPERATION, filtertype);
        jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_VALUE, fieldValue);

        // Creating JSONArray from JSONObject
        jsonArr.add(jsonObj);
        Filters clonedRLSFilters = RLSUtility.getRLSFiltersFromJSONArray(jsonArr, cubeID);
        return clonedRLSFilters;
    }
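The note above mentions driving the callback from a properties/JSON/CSV file. As an added example (not Kyvos code), the standalone class below parses such a CSV and looks up the rules for a user, rejecting malformed rows and throwing for a user with no rules so that a lookup miss cannot silently become an unfiltered result. The class name RlsRuleFile, the four-column layout user,field,operation,value, the sample rows and the operation value IN are assumptions made for illustration, and values are assumed to contain no commas.

```java
import java.io.*;
import java.util.*;

/** Hypothetical helper (not a Kyvos class): per-user RLS rules from CSV rows user,field,operation,value. */
public class RlsRuleFile {
    public static final class Rule {
        public final String field, operation, value;
        Rule(String field, String operation, String value) {
            this.field = field; this.operation = operation; this.value = value;
        }
    }

    private final Map<String, List<Rule>> rulesByUser = new HashMap<>();

    public RlsRuleFile(BufferedReader in) throws IOException {
        String line;
        for (int lineNo = 1; (line = in.readLine()) != null; lineNo++) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] cols = line.split(",", -1);
            // Reject malformed rows instead of skipping them: a dropped row is a dropped restriction.
            if (cols.length != 4) throw new IOException("line " + lineNo + ": expected 4 columns");
            for (int i = 0; i < cols.length; i++) {
                cols[i] = cols[i].trim();
                if (cols[i].isEmpty()) throw new IOException("line " + lineNo + ": empty column " + (i + 1));
            }
            rulesByUser.computeIfAbsent(cols[0], k -> new ArrayList<>()).add(new Rule(cols[1], cols[2], cols[3]));
        }
    }

    /** Fails closed: a user with no rules gets an exception, never an empty rule list. */
    public List<Rule> rulesFor(String userName) {
        List<Rule> rules = rulesByUser.get(userName);
        if (rules == null) throw new IllegalStateException("no RLS rules for user " + userName);
        return Collections.unmodifiableList(rules);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rows; a callback would open a FileReader on the path readable by the JAR.
        String csv = "# user,field,operation,value\nalice,Region,IN,EMEA\nalice,Region,IN,APAC\nbob,Region,IN,AMER\n";
        RlsRuleFile rules = new RlsRuleFile(new BufferedReader(new StringReader(csv)));
        for (Rule r : rules.rulesFor("alice")) System.out.println(r.field + " " + r.operation + " " + r.value);
        try {
            rules.rulesFor("carol");
        } catch (IllegalStateException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Inside a callback, each returned Rule would supply the fieldName, filtertype and fieldValue that the sample above leaves undefined.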

Specify custom row-level security.

To specify custom row-level security, perform the following steps.

  1. Select the Enable Custom Row Level Security checkbox on the Data Security page.

  2. Use the Callback Jar field to upload the jar files containing a class that implements the RLS Provider interface for custom row-level security. You can upload multiple callback jar files.

  3. In the Callback Class Name field, provide a fully qualified class name, including the package name. 

  4. In the Alias field, provide an alias that will be displayed at the semantic model level in the Data Security section.

  5. Click Save.

Custom Column-Level Security

To specify custom column-level security, perform the following steps.

Note

You can configure custom column-level security ONLY if SENTRY is configured as Hadoop Authorization.

  1. Select the Enable Column Level Security checkbox on the Data Security page to integrate externally configured column-level security into Kyvos.

  2. From the Implementation Type drop-down, select any of the following:

    1. Default: Select this option to use the Kyvos defined column-level security implementation.

    2. Custom: Select this option to integrate externally configured column-level security.

  3. Use the Callback Jar field to upload the jar files containing a class for an externally implemented column-level security interface. You can upload multiple callback jar files.

  4. In the Callback Class Name field, provide the class name, including the package name and implementing interface. 

  5. Click Save.  

Custom JDBC Security

To specify custom JDBC security, perform the following steps.

Note

You can configure custom JDBC security ONLY if Hive is configured.

  1. Select the Enable Custom JDBC Security checkbox on the Data Security page to define a custom JDBC security layer on your cluster.

  2. Use the Callback Jar field to upload the jar file containing a class for externally implemented JDBC security.

  3. In the Callback Class Name field, provide the full name of the custom implementation class (including its package name) that implements the JDBC interface. 

  4. Click Save.