Data Access Control – Apache Ranger

The Data-centric organization’s ecosystem depends on multiple, heterogeneous Data provisioning systems. Data access requests in most cases are performed by  IT change request systems that follow specific change request process lifecycles. Such a process is time-consuming, labor-intensive, leading to loss of time and productivity and reduced business value as the user must wait for access.

The integration extends to Apache Ranger, a robust data security and access control framework, which enforces and manages data access policies for (e.g., Trino, Hive, HDFS, HBase, Kafka, Elastic, etc.) data sources. The synchronization between Collibra and Apache Ranger ensures that any updates made to governance policies in Collibra are promptly reflected in the access control policies enforced by Apache Ranger. This synergy between data harvesting, Collibra integration, and policy enforcement through Apache Ranger creates a cohesive approach to data governance and security. It not only enhances data protection by controlling access to the (e.g., Trino, Hive, HDFS, HBase, Kafka, Elastic, etc.) data source but also facilitates audit and monitoring through Ranger, enabling organizations to track and review data access for compliance and governance purposes. In summary, this integrated system establishes a secure and compliant environment, ensuring that data usage aligns with defined policies and regulations

Following business and functional challenges are typically encountered in provisioning access to big-data data sources:

• Lack of a centralized governance platform that controls access to multiple big-data data sources (e.g., Trino, Hive, HDFS, HBase, Kafka, Elastic, etc.)
• Non-homogenous data-access sharing methods with different rules, sharing agreements and ownership.
• Lack of clarity for data consumers on access request mechanisms
• Data discovery challenges due to multiple metadata platforms and non-uniform discovery features
• Lack of a uniform and automated dataset checkout mechanism
• Automated security checks on data (e.g., PII, SDE elements) are usually not present during data checkout and provisioning

The Data Access Control – Ranger (DAC) framework, which is built around Lorang Technology’s proprietary Metadata Integration Framework (MIF) addresses above challenges in data access governance and provisioning.

It provides a simplified and effective governance mechanism with automated data-access provisioning by orchestrating data sources (e.g., Trino, Hive, HDFS, HBase, Kafka, Elastic, etc.), role and policy-based access (Collibra) and policy enforcement /access provisioning (Apache Ranger) for reduced manual intervention.

Integration with ServiceNow is also available as an additional package to handle access requests for traditional applications without APIs.  The Collibra Data Intelligence platform provides a Catalog of all the Data resources and the capability to request Data access. The policy enforcement /access provisioning (Apache Ranger) determines which enforcement mechanism will be triggered and enforces polices in the target data source automatically with the help of plugins. DAC finds the optimal way to grant access to the systems that provide RESTful services while automatically applying and enforcing policy and security policies that are predefined by the Policy Admin Info Security.

DAC- Ranger Features:

• Provides unified access policy management platform for multiple big-data data sources (HDFS, Hive, HBase, Kafka, Elastic Search, etc.).
• A unified Collibra Operating Model maps to the policy structure of target access control framework (Apache Ranger).
• Detects and synchronizes policy changes between Collibra and target policy frameworks (Apache Ranger) using the respective REST APIs.
• Converts policy formats between Collibra and target policy frameworks.
• Provides auto-notification of access grants.
• Enables inheritance of access tags (PII, PCI, etc.) from the business taxonomy/ data classifications to the physical data elements.
• Provides recommendation of access policies based on toxic combinations of given data sets.
• Streamlines data shopping experience for the user, hiding the complexity of roles, access policies, permissions, etc.
• Seamlessly integrates with the ServiceNow ticketing system.