Custom Data Security Configurations
Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)
The custom Data Security configurations allow you to limit access to the semantic model data by defining custom row-level security, column-level security, and custom JDBC security for your Kyvos cluster.
You can define callback code to provide custom data security configurations depending on your business requirements.
Note
From Kyvos 2023.3 onwards, you can see details of the last data security configuration operation, including progress status and start time, by clicking the i icon next to the Revert button. For more comprehensive details, click the View Details link, which takes you to the Operations page, where you can view the operation information in detail.
To configure custom security, click Security > Data Security on the navigation pane.
You can specify Kyvos User preferences for Hadoop access as either Keytab Principal User with administrative rights or Kyvos Logged in User with specific access rights to perform activities as per the user's privileges. This user is used for all activities requiring Hadoop access by Kyvos, such as semantic model process.
Custom Row-level Security
Prerequisites
For this, perform the following steps.
Upload the Custom RLS JAR from the Upload External Libraries page.
Add the class path, such as com.kyvos.ClassName, and provide an alias name, which is shown in the Kyvos UI when you select the Custom RLS JAR.
Restart the services after adding the JAR.
Here's a code sample for your reference.
Note: You can modify this code to create multiple types of Custom RLS per your business requirements. You can also load a properties/JSON/CSV file containing details related to Custom RLS by modifying the code and providing the path of the file, which must be accessible to the JAR on the BI Server node.
@Override
public Filters getRLSFilter(String cubeID, String folderName, String cubeName, String userName,
        List<String> groupName, List<IQueriedFieldDetails> queriedFields,
        Map<String, ICubeFieldDetails> fieldNameToICubeFieldDetailsMap) throws RowLevelSecurityException {
    // Placeholders: derive these from your own policy, for example per userName or groupName
    String fieldName = "<field-name>";        // key of the secured field in fieldNameToICubeFieldDetailsMap
    String filtertype = "<filter-operation>"; // operation to apply to the field
    String fieldValue = "<field-value>";      // value the user is allowed to see
    JSONArray jsonArr = new JSONArray();
    JSONObject jsonObj = new JSONObject();
    // Creating JSON for applying RLS
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_DATA_TYPE, fieldNameToICubeFieldDetailsMap.get(fieldName).getFieldDataType());
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_RELATION, "OR");
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_DISPLAY_NAME, fieldNameToICubeFieldDetailsMap.get(fieldName).getFieldName());
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_NAME, fieldNameToICubeFieldDetailsMap.get(fieldName).getFieldUniqueName());
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_OPERATION, filtertype);
    jsonObj.put(EnumsRLSFilterPlugin.RLSJsonKeys.FIELD_VALUE, fieldValue);
    // Creating JSONArray from JSONObject
    jsonArr.add(jsonObj);
    // Convert the JSON description into the Filters object returned to Kyvos
    Filters clonedRLSFilters = RLSUtility.getRLSFiltersFromJSONArray(jsonArr, cubeID);
    return clonedRLSFilters;
}
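The note above mentions keeping Custom RLS details in a CSV file on the BI Server node. As an added example (not Kyvos code), the following stand-alone helper loads such a file and resolves the values a user may see for one secured field. The class name RlsPolicyFile, the three-column CSV layout, and the sample rows are assumptions made for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

// Added example: hypothetical helper, not part of the Kyvos API.
// Resolves the values a user may see for one secured field from a CSV policy.
public class RlsPolicyFile {
    // key: "user:<name>" or "group:<name>" -> allowed values for the field
    private final Map<String, Set<String>> allowed = new HashMap<>();

    // Assumed CSV layout: principalType,principalName,value
    public RlsPolicyFile(BufferedReader in) throws IOException {
        String line;
        int n = 0;
        while ((line = in.readLine()) != null) {
            n++;
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] p = line.split(",", -1);
            boolean typeOk = p.length == 3 && (p[0].trim().equals("user") || p[0].trim().equals("group"));
            if (!typeOk || p[1].trim().isEmpty() || p[2].trim().isEmpty()) {
                // A malformed policy stops the load; it is never skipped silently
                throw new IOException("Malformed RLS policy line " + n);
            }
            allowed.computeIfAbsent(p[0].trim() + ":" + p[1].trim(), k -> new TreeSet<>()).add(p[2].trim());
        }
    }

    // Union of the user's own entries and those of the user's groups.
    // An empty result means "no rows": the caller must deny, not omit the filter.
    public Set<String> valuesFor(String userName, List<String> groups) {
        Set<String> out = new TreeSet<>();
        out.addAll(allowed.getOrDefault("user:" + userName, Collections.emptySet()));
        for (String g : groups) {
            out.addAll(allowed.getOrDefault("group:" + g, Collections.emptySet()));
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        String csv = "# constructed sample policy\nuser,alice,EMEA\ngroup,sales-us,US\ngroup,sales-us,CA\n";
        RlsPolicyFile policy = new RlsPolicyFile(new BufferedReader(new StringReader(csv)));
        System.out.println(policy.valuesFor("alice", Arrays.asList("sales-us"))); // user and group rows combined
        System.out.println(policy.valuesFor("mallory", Collections.emptyList())); // no entry: empty set
    }
}
```

When valuesFor returns an empty set, the callback should build a filter that matches no rows, so that a user missing from the policy file sees nothing instead of everything.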
Specify custom row-level security.
To specify custom row-level security, perform the following steps.
Select the Enable Custom Row Level Security checkbox on the Data Security page.
Use the Callback Jar field to upload the jar files containing a class that implements the RLS Provider interface for custom row-level security. You can upload multiple callback jar files.
In the Callback Class Name field, provide a fully qualified class name, including the package name.
In the Alias field, provide an alias that will be displayed at the semantic model level in the Data Security section.
Click Save.
Custom Column-Level Security
To specify custom column-level security, perform the following steps.
Note
You can configure custom column-level security ONLY if SENTRY is configured as Hadoop Authorization.
Select the Enable Column Level Security checkbox on the Data Security page to integrate externally configured column-level security into Kyvos.
From the Implementation Type drop-down, select any of the following:
Default: Select this option to use the Kyvos defined column-level security implementation.
Custom: Select this option to integrate externally configured column-level security.
Use the Callback Jar field to upload the jar files containing a class for an externally implemented column-level security interface. You can upload multiple callback jar files.
In the Callback Class Name field, provide the class name, including the package name and implementing interface.
Click Save.
Custom JDBC Security
To specify custom JDBC security, perform the following steps.
Note
You can configure custom JDBC security ONLY if Hive is configured.
Select the Enable Custom JDBC Security checkbox on the Data Security page to define a custom JDBC security layer on your cluster.
Use the Callback Jar field to upload the jar file containing a class for externally implemented JDBC security.
In the Callback Class Name field, provide the full name of the custom implementation class (including its package name) that implements the JDBC interface.
Click Save.
Enable Custom Filter
Kyvos has introduced a new function in the MDX query named CUSTOMKYVOSFILTER for handling large cohorts in Kyvos. To enable this custom filter, package the Java class that you created in a JAR file, upload the JAR file, and configure the name of the class (fully qualified name, including the package name). For more information, refer to the Working with Large List of Filters in Kyvos section.
To enable the custom filter, perform the following steps.
On the Data Security page, select the Enable Custom Filter checkbox to enable the CUSTOMKYVOSFILTER filter in Kyvos to handle a large list of filter values.
Upload the Custom Filter Callback JAR file.
Specify the Callback JAVA Class name, providing the fully qualified class name, including the package name.
Click Save.
Restart the BI Server.
Copyright Kyvos, Inc. All rights reserved.