datahub/assets/js/d56d28eb.2317f6bd.js

// Webpack chunk 32223 of the docs website: registers four module factories
// (two icon modules, the "Feature Availability" card, and the compiled
// "Access Management" MDX page) on the shared chunk queue.
// The page text is compiled from access-management.md (see `custom_edit_url`
// below), so wording changes belong in that markdown file, not in this bundle.
"use strict";
(self.webpackChunkdocs_website = self.webpackChunkdocs_website || []).push([
  [32223],
  {
    // SVG definition of the filled "close-circle" icon.
    7653: (__unusedModule, __webpack_exports__, __webpack_require__) => {
      __webpack_require__.d(__webpack_exports__, { A: () => closeCircleFilledSvg });
      const closeCircleFilledSvg = {
        icon: {
          tag: "svg",
          attrs: { "fill-rule": "evenodd", viewBox: "64 64 896 896", focusable: "false" },
          children: [
            {
              tag: "path",
              attrs: {
                d: "M512 64c247.4 0 448 200.6 448 448S759.4 960 512 960 64 759.4 64 512 264.6 64 512 64zm127.98 274.82h-.04l-.08.06L512 466.75 384.14 338.88c-.04-.05-.06-.06-.08-.06a.12.12 0 00-.07 0c-.03 0-.05.01-.09.05l-45.02 45.02a.2.2 0 00-.05.09.12.12 0 000 .07v.02a.27.27 0 00.06.06L466.75 512 338.88 639.86c-.05.04-.06.06-.06.08a.12.12 0 000 .07c0 .03.01.05.05.09l45.02 45.02a.2.2 0 00.09.05.12.12 0 00.07 0c.02 0 .04-.01.08-.05L512 557.25l127.86 127.87c.04.04.06.05.08.05a.12.12 0 00.07 0c.03 0 .05-.01.09-.05l45.02-45.02a.2.2 0 00.05-.09.12.12 0 000-.07v-.02a.27.27 0 00-.05-.06L557.25 512l127.87-127.86c.04-.04.05-.06.05-.08a.12.12 0 000-.07c0-.03-.01-.05-.05-.09l-45.02-45.02a.2.2 0 00-.09-.05.12.12 0 00-.07 0z",
              },
            },
          ],
        },
        name: "close-circle",
        theme: "filled",
      };
    },

    // Ref-forwarding component that renders the close-circle icon through the
    // icon base component exported by module 89990.
    4732: (__unusedModule, __webpack_exports__, __webpack_require__) => {
      __webpack_require__.d(__webpack_exports__, { A: () => CloseCircleFilled });
      var spreadModule = __webpack_require__(89379);
      var elementApi = __webpack_require__(96540); // exposes createElement / forwardRef
      var closeCircleSvg = __webpack_require__(7653);
      var iconBase = __webpack_require__(89990);
      var renderCloseCircle = function (props, ref) {
        var iconProps = (0, spreadModule.A)((0, spreadModule.A)({}, props), {}, {
          ref: ref,
          icon: closeCircleSvg.A,
        });
        return elementApi.createElement(iconBase.A, iconProps);
      };
      const CloseCircleFilled = elementApi.forwardRef(renderCloseCircle);
    },

    // "Feature Availability" card. A platform line carries the "available"
    // class and a check icon unless the flag restricting the feature to the
    // other platform (`saasOnly` / `ossOnly`) is set, in which case it shows
    // the close-circle icon instead.
    43655: (__unusedModule, __webpack_exports__, __webpack_require__) => {
      __webpack_require__.d(__webpack_exports__, { A: () => FeatureAvailability });
      var elementApi = __webpack_require__(96540);
      var classNames = __webpack_require__(20053);
      const cardClass = "availabilityCard_P5od";
      const managedIconClass = "managedIcon_AxXO";
      const platformClass = "platform_wqXv";
      const platformAvailableClass = "platformAvailable_Y8lN";
      var closeCircleIcon = __webpack_require__(4732);
      var spreadModule = __webpack_require__(89379);
      const checkCircleFilledSvg = {
        icon: {
          tag: "svg",
          attrs: { viewBox: "64 64 896 896", focusable: "false" },
          children: [
            {
              tag: "path",
              attrs: {
                d: "M512 64C264.6 64 64 264.6 64 512s200.6 448 448 448 448-200.6 448-448S759.4 64 512 64zm193.5 301.7l-210.6 292a31.8 31.8 0 01-51.7 0L318.5 484.9c-3.8-5.3 0-12.7 6.5-12.7h46.9c10.2 0 19.9 4.9 25.9 13.3l71.2 98.8 157.2-218c6-8.3 15.6-13.3 25.9-13.3H699c6.5 0 10.3 7.4 6.5 12.7z",
              },
            },
          ],
        },
        name: "check-circle",
        theme: "filled",
      };
      var iconBase = __webpack_require__(89990);
      var renderCheckCircle = function (props, ref) {
        var iconProps = (0, spreadModule.A)((0, spreadModule.A)({}, props), {}, {
          ref: ref,
          icon: checkCircleFilledSvg,
        });
        return elementApi.createElement(iconBase.A, iconProps);
      };
      const CheckCircleFilled = elementApi.forwardRef(renderCheckCircle);
      const cloudOutlinedSvg = {
        icon: {
          tag: "svg",
          attrs: { viewBox: "64 64 896 896", focusable: "false" },
          children: [
            {
              tag: "path",
              attrs: {
                d: "M811.4 418.7C765.6 297.9 648.9 212 512.2 212S258.8 297.8 213 418.6C127.3 441.1 64 519.1 64 612c0 110.5 89.5 200 199.9 200h496.2C870.5 812 960 722.5 960 612c0-92.7-63.1-170.7-148.6-193.3zm36.3 281a123.07 123.07 0 01-87.6 36.3H263.9c-33.1 0-64.2-12.9-87.6-36.3A123.3 123.3 0 01140 612c0-28 9.1-54.3 26.2-76.3a125.7 125.7 0 0166.1-43.7l37.9-9.9 13.9-36.6c8.6-22.8 20.6-44.1 35.7-63.4a245.6 245.6 0 0152.4-49.9c41.1-28.9 89.5-44.2 140-44.2s98.9 15.3 140 44.2c19.9 14 37.5 30.8 52.4 49.9 15.1 19.3 27.1 40.7 35.7 63.4l13.8 36.5 37.8 10c54.3 14.5 92.1 63.8 92.1 120 0 33.1-12.9 64.3-36.3 87.7z",
              },
            },
          ],
        },
        name: "cloud",
        theme: "outlined",
      };
      var renderCloud = function (props, ref) {
        var iconProps = (0, spreadModule.A)((0, spreadModule.A)({}, props), {}, {
          ref: ref,
          icon: cloudOutlinedSvg,
        });
        return elementApi.createElement(iconBase.A, iconProps);
      };
      const CloudOutlined = elementApi.forwardRef(renderCloud);
      const FeatureAvailability = ({ saasOnly: saasOnly, ossOnly: ossOnly }) =>
        elementApi.createElement(
          "div",
          { className: (0, classNames.A)(cardClass, "card") },
          elementApi.createElement("strong", null, "Feature Availability"),
          elementApi.createElement(
            "div",
            null,
            elementApi.createElement(
              "span",
              { className: (0, classNames.A)(platformClass, !saasOnly && platformAvailableClass) },
              "Self-Hosted DataHub ",
              saasOnly
                ? elementApi.createElement(closeCircleIcon.A, null)
                : elementApi.createElement(CheckCircleFilled, null)
            )
          ),
          elementApi.createElement(
            "div",
            null,
            elementApi.createElement(CloudOutlined, { className: managedIconClass }),
            elementApi.createElement(
              "span",
              { className: (0, classNames.A)(platformClass, !ossOnly && platformAvailableClass) },
              "DataHub Cloud ",
              ossOnly
                ? elementApi.createElement(closeCircleIcon.A, null)
                : elementApi.createElement(CheckCircleFilled, null)
            )
          )
        );
    },

    // Compiled MDX page "Access Management" (docs version 1.1.0).
    26319: (__unusedModule, __webpack_exports__, __webpack_require__) => {
      __webpack_require__.r(__webpack_exports__);
      __webpack_require__.d(__webpack_exports__, {
        assets: () => assets,
        contentTitle: () => contentTitle,
        default: () => MDXContent,
        frontMatter: () => frontMatter,
        metadata: () => metadata,
        toc: () => toc,
      });
      __webpack_require__(96540);
      var mdx = __webpack_require__(15680);
      var featureAvailability = __webpack_require__(43655);
      var tabs = __webpack_require__(53720);
      var tabItem = __webpack_require__(5400);

      // Sets target[key] = value; an existing key is redefined as a plain
      // enumerable, configurable, writable data property.
      function defineOwn(target, key, value) {
        if (key in target) {
          Object.defineProperty(target, key, {
            value: value,
            enumerable: true,
            configurable: true,
            writable: true,
          });
        } else {
          target[key] = value;
        }
        return target;
      }

      // Copies every own property descriptor of `source` onto `target`.
      function copyDescriptors(target, source) {
        source = source != null ? source : {};
        if (Object.getOwnPropertyDescriptors) {
          Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
        } else {
          // Fallback for runtimes without getOwnPropertyDescriptors:
          // string keys plus all own symbols, copied one descriptor at a time.
          var boxed = Object(source);
          var ownKeys = Object.keys(boxed);
          if (Object.getOwnPropertySymbols) {
            ownKeys.push.apply(ownKeys, Object.getOwnPropertySymbols(boxed));
          }
          ownKeys.forEach(function (key) {
            Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
          });
        }
        return target;
      }

      // Returns a shallow copy of `source` without the keys listed in `excluded`
      // (enumerable string keys and enumerable own symbols only).
      function omitKeys(source, excluded) {
        if (source == null) {
          return {};
        }
        var kept = {};
        var stringKeys = Object.keys(source);
        for (var k = 0; k < stringKeys.length; k++) {
          var name = stringKeys[k];
          if (excluded.indexOf(name) < 0) {
            kept[name] = source[name];
          }
        }
        if (Object.getOwnPropertySymbols) {
          var symbolKeys = Object.getOwnPropertySymbols(source);
          for (var s = 0; s < symbolKeys.length; s++) {
            var symbol = symbolKeys[s];
            if (excluded.indexOf(symbol) >= 0) {
              continue;
            }
            if (Object.prototype.propertyIsEnumerable.call(source, symbol)) {
              kept[symbol] = source[symbol];
            }
          }
        }
        return kept;
      }

      // Shallow-merges the enumerable own properties (string keys and symbols)
      // of each source into `target`, left to right.
      function assignEnumerable(target, ...sources) {
        for (const candidate of sources) {
          const source = candidate != null ? candidate : {};
          let keys = Object.keys(source);
          if (typeof Object.getOwnPropertySymbols === "function") {
            const enumerableSymbols = Object.getOwnPropertySymbols(source).filter(function (symbol) {
              return Object.getOwnPropertyDescriptor(source, symbol).enumerable;
            });
            keys = keys.concat(enumerableSymbols);
          }
          keys.forEach(function (key) {
            defineOwn(target, key, source[key]);
          });
        }
        return target;
      }

      const frontMatter = {
        title: "Access Management",
        slug: "/features/feature-guides/access-management",
        custom_edit_url: "https://github.com/datahub-project/datahub/blob/master/docs/features/feature-guides/access-management.md",
      };
      const contentTitle = "Access Management";
      const metadata = {
        unversionedId: "docs/features/feature-guides/access-management",
        id: "version-1.1.0/docs/features/feature-guides/access-management",
        title: "Access Management",
        description: "Introduction",
        source: "@site/versioned_docs/version-1.1.0/docs/features/feature-guides/access-management.md",
        sourceDirName: "docs/features/feature-guides",
        slug: "/features/feature-guides/access-management",
        permalink: "/docs/1.1.0/features/feature-guides/access-management",
        draft: false,
        editUrl: "https://github.com/datahub-project/datahub/blob/master/docs/features/feature-guides/access-management.md",
        tags: [],
        version: "1.1.0",
        frontMatter: {
          title: "Access Management",
          slug: "/features/feature-guides/access-management",
          custom_edit_url: "https://github.com/datahub-project/datahub/blob/master/docs/features/feature-guides/access-management.md",
        },
        sidebar: "overviewSidebar",
        previous: {
          title: "Snowflake DMF Assertions [BETA]",
          permalink: "/docs/1.1.0/assertions/snowflake/snowflake_dmfs",
        },
        next: {
          title: "Documentation Propagation Automation",
          permalink: "/docs/1.1.0/automations/docs-propagation",
        },
      };
      const assets = {};
      const toc = [
        { value: "Introduction", id: "introduction", level: 2 },
        { value: "Configuration", id: "configuration", level: 2 },
        { value: "Self-hosted DataHub", id: "self-hosted-datahub", level: 3 },
        { value: "DataHub Cloud", id: "datahub-cloud", level: 3 },
        { value: "UI Location", id: "ui-location", level: 2 },
        { value: "Data Model", id: "data-model", level: 2 },
        { value: "Managing Access Through DataHub", id: "managing-access-through-datahub", level: 2 },
        { value: "Creating External Roles", id: "creating-external-roles", level: 3 },
        { value: "Assigning Users to Roles (Optional)", id: "assigning-users-to-roles-optional", level: 3 },
        { value: "Assigning Roles to Datasets", id: "assigning-roles-to-datasets", level: 3 },
        { value: "Use Cases", id: "use-cases", level: 2 },
        { value: "Demo and Examples", id: "demo-and-examples", level: 2 },
        { value: "What&#39;s Next for Access Management", id: "whats-next-for-access-management", level: 2 },
      ];
      const layoutProps = { toc: toc };
      const wrapperTag = "wrapper";

      /**
       * Renders the "Access Management" page.
       *
       * @param {object} props - Page props; `components` is forwarded to the
       *   layout wrapper, every other prop is merged over `{ toc }`.
       * @returns The element tree built with the `yg` factory of module 15680.
       */
      function MDXContent(props) {
        var { components: components } = props;
        var passThrough = omitKeys(props, ["components"]);
        // Same callee as the bundle's `(0, n.yg)(...)`: invoked without a receiver.
        const el = mdx.yg;
        return el(
          wrapperTag,
          copyDescriptors(assignEnumerable({}, layoutProps, passThrough), {
            components: components,
            mdxType: "MDXLayout",
          }),
          el("h1", { id: "access-management" }, "Access Management"),
          el(featureAvailability.A, { mdxType: "FeatureAvailability" }),
          el("h2", { id: "introduction" }, "Introduction"),
          el(
            "p",
            null,
            "DataHub's Access Management feature allows you to associate external roles from your source systems with your data assets in DataHub. This creates a unified view of access control across your data ecosystem, helping data consumers:"
          ),
          el(
            "ol",
            null,
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Discover available access"),
              " - Find what roles are already provisioned for them across different data platforms"
            ),
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Request appropriate access"),
              " - Easily identify and request to join the appropriate role for the access they need"
            ),
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Simplify governance"),
              " - Streamline the access management process by centralizing role information in DataHub"
            )
          ),
          el(
            "p",
            null,
            "By integrating your external roles into DataHub, teams can reduce access request friction and ensure users have the right level of access to the data they need."
          ),
          el("h2", { id: "configuration" }, "Configuration"),
          el("h3", { id: "self-hosted-datahub" }, "Self-hosted DataHub"),
          el(
            "p",
            null,
            "For self-hosted DataHub deployments, the Access Management feature is ",
            el("em", { parentName: "p" }, "disabled"),
            " by default. To enable it,\nsimply set the ",
            el("inlineCode", { parentName: "p" }, "SHOW_ACCESS_MANAGEMENT"),
            " environment variable for the ",
            el("inlineCode", { parentName: "p" }, "datahub-gms"),
            " service container\nto ",
            el("inlineCode", { parentName: "p" }, "true"),
            ". For example in your ",
            el("inlineCode", { parentName: "p" }, "docker/datahub-gms/docker.env"),
            ", you'd configure:"
          ),
          el("pre", null, el("code", { parentName: "pre" }, "SHOW_ACCESS_MANAGEMENT=true\n")),
          el("h3", { id: "datahub-cloud" }, "DataHub Cloud"),
          el(
            "p",
            null,
            "If you're using DataHub Cloud, enabling the Access Management feature just requires contacting your DataHub Cloud CustomerSuccess representative. They can enable this feature for your environment without any configuration changes on your part."
          ),
          el("h2", { id: "ui-location" }, "UI Location"),
          el("p", null, 'Under a dataset, the new tab "Access Management" should appear if configured correctly.'),
          el(
            "p",
            { align: "center" },
            el("img", {
              width: "70%",
              src: "https://raw.githubusercontent.com/datahub-project/static-assets/main/imgs/roles/accessmanagement.png",
            })
          ),
          el("h2", { id: "data-model" }, "Data Model"),
          // NOTE(review): the text below describes a Role as metadata about a role
          // defined in the source system. Nothing on this page shows the `access`
          // or `actors` aspects granting or revoking anything in that system, so
          // presumably the source system remains the enforcement point and the
          // user list is only as current as the last write - confirm.
          el(
            "p",
            null,
            "Access management introduces a new entity in DataHub's metadata model called a Role.\nA Role is comprised of:"
          ),
          el(
            "ul",
            null,
            el("li", { parentName: "ul" }, "A unique key (URN)"),
            el("li", { parentName: "ul" }, "Properties of the role (name, description, type, request URL)"),
            el("li", { parentName: "ul" }, "A list of users that have been provisioned the role")
          ),
          el("p", null, "This role must then be associated with datasets through a new aspect called access."),
          el(
            "admonition",
            { title: "Important Note", type: "note" },
            el("p", { parentName: "admonition" }, "Currently, only Dataset entities support Access Management.")
          ),
          el(
            "admonition",
            { title: "Do not confuse role with datahubrole", type: "caution" },
            el(
              "p",
              { parentName: "admonition" },
              'The "role" entity refers to an external role definition that exists in your source systems (like Snowflake or BigQuery), while "datahubrole" is for the management of privileges within DataHub itself (i.e., the admin role can accept proposed metadata changes).'
            )
          ),
          el("h2", { id: "managing-access-through-datahub" }, "Managing Access Through DataHub"),
          el(
            "p",
            null,
            "You can set up Access Management through either the CLI or Python API. Here's how to complete the three main steps:"
          ),
          el("h3", { id: "creating-external-roles" }, "Creating External Roles"),
          // NOTE(review): both samples set `requestUrl` to an http:// URL and the
          // Python sample emits to http://localhost:8080 with no credential
          // argument. Presumably `requestUrl` is where users are sent to request
          // access, so a real deployment would want an https:// URL on a host the
          // organisation controls, and TLS plus a token for the emitter - confirm.
          el(
            tabs.A,
            { mdxType: "Tabs" },
            el(
              tabItem.A,
              { value: "cli", label: "CLI", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-bash" },
                  'datahub put --urn "urn:li:role:reader" --aspect roleProperties -d - <<-EOF\n{\n "name": "Snowflake Reader Role",\n "description": "Description for Snowflake Reader Role",\n "type": "READ",\n "requestUrl": "http://custom-url-for-redirection.com"\n}\nEOF\n'
                )
              )
            ),
            el(
              tabItem.A,
              { value: "python", label: "Python", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-python" },
                  'import datahub.emitter.mce_builder as builder\nfrom datahub.emitter.rest_emitter import DatahubRestEmitter\nfrom datahub.emitter.mcp import MetadataChangeProposalWrapper\nfrom datahub.metadata.schema_classes import RolePropertiesClass, ChangeTypeClass\n\n# Create a role properties aspect\nrole_properties = RolePropertiesClass(\n name="Snowflake Reader Role",\n description="Description for Snowflake Reader Role",\n type="READ",\n requestUrl="http://custom-url-for-redirection.com"\n)\n\n# Create a metadata change proposal\nmcp = MetadataChangeProposalWrapper(\n changeType=ChangeTypeClass.UPSERT,\n entityUrn="urn:li:role:reader",\n aspectName="roleProperties",\n aspect=role_properties\n)\n\n# Emit the metadata\nemitter = DatahubRestEmitter(gms_server="http://localhost:8080")\nemitter.emit(mcp)\n'
                )
              )
            )
          ),
          el("h3", { id: "assigning-users-to-roles-optional" }, "Assigning Users to Roles (Optional)"),
          // NOTE(review): the samples write the `actors` and `access` aspects with
          // UPSERT; presumably that replaces the stored aspect, so the list sent
          // must be the complete user/role list rather than an addition - confirm.
          el(
            tabs.A,
            { mdxType: "Tabs" },
            el(
              tabItem.A,
              { value: "cli", label: "CLI", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-bash" },
                  'datahub put --urn "urn:li:role:reader" --aspect actors -d - <<-EOF\n{\n "users": [\n {"user": "urn:li:corpuser:datahubuser"}\n ]\n}\nEOF\n'
                )
              )
            ),
            el(
              tabItem.A,
              { value: "python", label: "Python", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-python" },
                  'from datahub.metadata.schema_classes import ActorsClass, ActorClass\n\n# Create an actors aspect\nactors = ActorsClass(\n users=[\n ActorClass(user="urn:li:corpuser:datahubuser")\n ]\n)\n\n# Create a metadata change proposal\nmcp = MetadataChangeProposalWrapper(\n changeType=ChangeTypeClass.UPSERT,\n entityUrn="urn:li:role:reader",\n aspectName="actors",\n aspect=actors\n)\n\n# Emit the metadata\nemitter.emit(mcp)\n'
                )
              )
            )
          ),
          el("h3", { id: "assigning-roles-to-datasets" }, "Assigning Roles to Datasets"),
          el(
            tabs.A,
            { mdxType: "Tabs" },
            el(
              tabItem.A,
              { value: "cli", label: "CLI", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-bash" },
                  'datahub put --urn "urn:li:dataset:(urn:li:dataPlatform:hive,fct_users_created,PROD)" --aspect access -d - <<-EOF\n{\n "roles": [\n {"urn": "urn:li:role:reader"},\n {"urn": "urn:li:role:writer"}\n ]\n}\nEOF\n'
                )
              )
            ),
            el(
              tabItem.A,
              { value: "python", label: "Python", mdxType: "TabItem" },
              el(
                "pre",
                null,
                el(
                  "code",
                  { parentName: "pre", className: "language-python" },
                  'from datahub.metadata.schema_classes import AccessClass, RoleAssociationClass\n\ndataset_urn = "urn:li:dataset:(urn:li:dataPlatform:hive,fct_users_created,PROD)"\n\n# Create an access aspect with multiple roles\naccess_aspect = AccessClass(\n roles=[\n RoleAssociationClass(urn="urn:li:role:reader"),\n RoleAssociationClass(urn="urn:li:role:writer")\n ]\n)\n\n# Create a metadata change proposal\nmcp = MetadataChangeProposalWrapper(\n changeType=ChangeTypeClass.UPSERT,\n entityUrn=dataset_urn,\n aspectName="access",\n aspect=access_aspect\n)\n\n# Emit the metadata\nemitter.emit(mcp)\n'
                )
              )
            )
          ),
          el("h2", { id: "use-cases" }, "Use Cases"),
          el(
            "p",
            null,
            "Here are some common scenarios where integrating external roles into DataHub is valuable:"
          ),
          el(
            "ol",
            null,
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Unified Access View"),
              " - Data engineers can see all users with access to sensitive data across multiple platforms from a single interface"
            ),
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Self-Service Access Requests"),
              " - Analysts can discover what roles they need to access specific datasets and request them directly from DataHub"
            ),
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Access Auditing"),
              " - Compliance teams can review who has access to which datasets through which roles"
            ),
            el(
              "li",
              { parentName: "ol" },
              el("strong", { parentName: "li" }, "Onboarding Acceleration"),
              " - New team members can quickly discover what access they need for their role"
            )
          ),
          el("h2", { id: "demo-and-examples" }, "Demo and Examples"),
          el(
            "p",
            null,
            "To see Access Management in action, check out our ",
            el("a", { parentName: "p", href: "https://youtu.be/mXsn33tALCA?t=1333" }, "DataHub Townhall demo"),
            " where we showcase how to use this feature in a real-world scenario."
          ),
          el("h2", { id: "whats-next-for-access-management" }, "What's Next for Access Management"),
          el("p", null, "Future enhancements planned for Access Management include:"),
          el(
            "ul",
            null,
            el("li", { parentName: "ul" }, "Modeling external policies in addition to just roles"),
            el(
              "li",
              { parentName: "ul" },
              "Automatically extracting roles/policies from sources like BigQuery, Snowflake, etc."
            ),
            el("li", { parentName: "ul" }, "Extending support to more entity types beyond datasets"),
            el("li", { parentName: "ul" }, "Advanced access request workflows with approvals")
          )
        );
      }
      MDXContent.isMDXComponent = true;
    },
  },
]);