I would like to know how to create different (multiple) repositories in Pentaho Enterprise version.
Below are some points which I would like to add.
1. Different repositories for different users, so one user cant access the other users transformations and jobs.
2. One user cant access the DB connections of other users in different repositories.
My main concern is I want logic here is for security reasons. One user cant access or update other users created transformation.
Is this possible? Please help me on this.
Thanks for all in advance.
This is exactly how my repos are set up. I use database repos on PostgreSQL for all my users. To create a new repo, just click the green + button at the top right of the Repository Connection dialog.
To keep users out of each others sandboxes, I create a different schema for each user and assign DB permissions accordingly. Note, the schema has to be created before you create the repo. Of course I'm DB superuser so I can get into all their repos.
When you create a connection for a repo, go to the advanced tab and specify that user's schema in the 'Preferred schema name' box. Note, this connection will not appear in your list of connections stored in the repo; it's in the repositories.xml file in the .kettle directory. I also created a template xml file that I can tweak give out to anyone who comes on board as a developer. That way they only see their repo in the connection dialog, but my repositories.xml has all of their repos.
You can do this with file based repos as well, but of course you'd handle permissions through the file system rather than the DB.
It's also true that repos can have multiple users. I use this feature when members of the same group need to share transforms. For example the Data Warehouse group is all in one repo, but each has their own directory; the other group has their own repo, etc.
I am not sure ,that you can create multiple instatnce of same repository , but
i sugest you can use single repository with different user and with
different user level permissions
You concerns can be re-solved based on user level permission on repo
Related
I'm new to Hortonworks HDP; I have the following questions:
There are some users that if I don't create them, then even admin can't perform. For example, unless I create a user called hdfs in ambari, I won't be able to do a lot of the file/folder operations on HDFS. Should I create such users? Is this how others manage the cluster?
In Hive interface, I have to click on the 'Execute' button each time I want the query to be executed. Is there a keyboard shortcut for execute? For example in Oracle SQL developer, you press Ctrl+Enter to execute the query. That's what I'm looking for.
Ambari creates required users automatically. But you can set up LDAP if you have such need.
Ranger is also available in hortonworks, Using the Apache Ranger console, security can easily manage using policies for access to files, folders, databases, tables, or column. These policies can be set for individual users or groups and then enforced consistently across HDP stack.
It seems the only way to share a dataset so that another person can run queries on the tables from the dataset is to make that person a Project user. See permissions
This means that the user would have access to all the datasets on the project. This seems to me that is is highly inconvenient. Am I missing something?
For user to run query - user need to have bigquery.jobs.create permission
If your user already has this permission in any other project - you can just simply share your dataset with this user with Can View Access Level
If user is new and does not have yet bigquery.jobs.create in any other project - you can just add this user to your project with this permission only.
And still you need add this user to ACL for that
specific dataset
Important: Please also note - if you give user permission to create jobs in your project - you will be billed for respective queries.
If user has its "own" project and only has view access to you data - in this case bill goes to user's project
I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access
I'm working on a DB2 for i database (aka DB2/400), on a schema (library) named S.
Inside schema S, I create database tables, procedures etc. with user A. I need that also user B has all privileges on such new objects. So I granted all privileges to users A and B on schema S. But new objects don't inherit them!
So I tried many configurations: on System i Navigator I played with authorization lists, "New Objects" button on permissions dialog for schema S... but nothing worked.
How can I set kind of default permissions to be automatically inherited by new objects created in my schema?
The only working alternative I know is remembering to grant privileges to user B every time I create an object. Not so smart...
Security is a large topic. It's normally handled by an administrator; someone who is aware of the larger ramifications of altering permissions to libraries.
There are several related settings to consider. Since you're trying to secure individual objects, you probably have restricted public authority either by setting QSECURITY to *EXCLUDE, or changing the library's CRTAUT to *EXCLUDE.
If we want ALL newly created objects in this library to have the same authority, consider an authorization list. I know that you said you played wuth authorization lists, but you didn't specify what you did.
Create an authorization list. Authorise user A and B to the authorization list. CHGLIB myschema CRTAUT(myautl). Now each object in myschema will have the same authority.
I have IBM i 7.1.
If I create table using 5250 emulator, inside STRSQL, it works, inheriting schema authorization list.
If I create table using iSeries Navigator V5R4M0 (neither with right click on Tables > New > Table, nor with cwbundbs.exe), it doesn't work. Authorization list is not inherited...
So it seems to be a bug in iSeries Navigator. Maybe someone with a newer version of it could confirm us if this has been fixed.
Full details in the chat with #BuckCalabro.
I am trying to add users to the Report Servers dbo.Users Table. I see a 36 character USERID. Does anyone know how this is generated? How do i get users to show up in this table?
I do not think you should directly modify/add data in ReportServer database.
To add a new user, go to your Report Manager web page.
For a default installation, it is http://[computer-name]/Reports
For a named instance suppose the instance is sql01, it is http://[computer-name]/Reports_sql01
Next, click on Properties tab. In Security, choose New Role Assignment.
There you can add users that exist on your Local machine, or on your company domain.
This user will show up in the Users table. But again, SQL Documentation advises not to directly manipulate data there. Good luck!