02-17-2017 07:58 AM
I have a few questions on Navigator.
1. Can you do role-based access control (RBAC) in Navigator? Use case: user A can only see finance tables/lineage and no audit logs. User B can see only customer tables.
2. Is there a way to link Nagios into the audit logs for reporting, without writing custom code that uses the API? If you need to write code, does Cloudera have examples of this (why reinvent the wheel)?
02-21-2017 01:23 PM - edited 02-21-2017 01:25 PM
1) You can do role-based access control in Navigator at table level, and also for a given table you can have RBAC at column level.
2) Navigator Audit APIs could be leveraged to do reporting. For example, the following account "https://github.com/mjaykumar/Navigator_audit_API" has a sample script for reporting some metrics like the number of "grant/revoke" commands being fired in the last 24 hours. Similarly, audit log events could be published to Kafka and syslog for consumption. Refer to "https://www.cloudera.com/documentation/enterprise/5-5-x/topics/datamgmt_audit_publish.html" for details.
02-21-2017 01:26 PM
Can you point me to the docs on this: "1) You can do role-based access control in Navigator at table level, and also for a given table you can have RBAC at column level."
02-21-2017 01:30 PM
Role based access control for column "https://www.cloudera.com/documentation/enterprise/5-8-x/topics/sg_hive_sql.html". Probably you would follow "https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cm_sg_sentry_service.html" for concepts.
02-21-2017 01:39 PM
Sentry currently works out of the box with Apache Hive, Hive Metastore/HCatalog, Apache Solr, Impala, and HDFS (limited to Hive table data). Refer to this for details: "https://www.cloudera.com/documentation/enterprise/5-8-x/topics/sg_sentry_overview.html#sentry_overvi..."
02-21-2017 01:51 PM
As Sentry administrator, you would set authorization policies in terms of mapping between various roles/groups and roles/privileges for various objects (tables, db, server, collection, files, etc.). Once set, the authorization policy rules will be enforced when any user tries to access the objects, and all the actions will be logged and consolidated into centralized databases. We could analyze all such events via reports through the Navigator UI. The reports could also be extracted via calling REST API endpoints or the Java Navigator SDK. The majority of the time, calling REST APIs would meet the requirement. We also have the Navigator SDK as well. Refer to "https://github.com/cloudera/navigator-sdk".
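
The replies above describe reporting grant/revoke activity over the last 24 hours from audit events, and the question asks about feeding that into Nagios. The sketch below is an added example, not code from the thread, Cloudera, or the linked repositories: it counts such events in already-exported JSON and maps the result to Nagios plugin exit codes. The event field names (`timestamp`, `username`, `command`, `allowed`), the command values, and the thresholds are assumptions; the sample events are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names (timestamp, username, command,
# allowed) and command values are assumptions for illustration.
SAMPLE_EVENTS = json.loads("""[
  {"timestamp": "2017-02-21T10:15:00Z", "username": "alice", "command": "GRANT_PRIVILEGE", "allowed": true},
  {"timestamp": "2017-02-21T11:02:00Z", "username": "bob", "command": "REVOKE_PRIVILEGE", "allowed": true},
  {"timestamp": "2017-02-21T11:30:00Z", "username": "mallory", "command": "GRANT_PRIVILEGE", "allowed": false},
  {"timestamp": "2017-02-21T12:00:00Z", "username": "carol", "command": "QUERY", "allowed": true},
  {"timestamp": "2017-02-19T09:00:00Z", "username": "alice", "command": "GRANT_PRIVILEGE", "allowed": true},
  {"timestamp": "not-a-date", "username": "dave", "command": "REVOKE_PRIVILEGE", "allowed": true}
]""")
OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; return None if malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def count_privilege_changes(events, now, window=timedelta(hours=24)):
    """Count GRANT/REVOKE events inside the window, split by outcome."""
    counts = {"allowed": 0, "denied": 0, "unparsed": 0}
    for ev in events:
        command = str(ev.get("command", "")).upper()
        if "GRANT" not in command and "REVOKE" not in command:
            continue
        ts = parse_ts(ev.get("timestamp"))
        if ts is None:
            counts["unparsed"] += 1  # surface bad records instead of hiding them
        elif now - window <= ts <= now:
            counts["allowed" if ev.get("allowed") else "denied"] += 1
    return counts

def nagios_check(counts, warn=2, crit=5):
    """Map counts to a Nagios exit code and a one-line status message."""
    total = counts["allowed"] + counts["denied"]
    # A denied privilege change raises at least a WARNING on its own.
    code = CRITICAL if total >= crit else WARNING if (total >= warn or counts["denied"]) else OK
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label} - {total} grant/revoke events in 24h ({counts['denied']} denied)"

if __name__ == "__main__":
    now = datetime(2017, 2, 21, 13, 0, tzinfo=timezone.utc)
    code, message = nagios_check(count_privilege_changes(SAMPLE_EVENTS, now))
    print(message)
    raise SystemExit(code)
```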