This topic describes how to configure access control for Redshift Spectrum PolicySync using Privacera Manager.
Privacera supports access control for Redshift Spectrum only for the following operations:
- Create Database
- Usage Schema
The following prerequisites must be met to use Redshift Spectrum:
- An Amazon Redshift cluster and a SQL client connected to the cluster.
- The Amazon Redshift cluster and the Amazon S3 bucket must be located in the same AWS Region.
Redshift Spectrum configuration is similar to Redshift configuration. For more information about Redshift configuration, see Redshift.
Redshift Spectrum supports the creation of external tables within a Redshift cluster in four simple steps:
Major security concern
Redshift does not support access control lists (ACLs) on EXTERNAL TABLES; to gain access to the data in EXTERNAL TABLES, you must grant USAGE permission on the EXTERNAL SCHEMA.
The following are the limitations with Redshift Spectrum:
- Once USAGE permission is granted on an EXTERNAL SCHEMA, the user gains access to all of its tables.
- Access to any individual external table cannot be explicitly granted or revoked.
- The creation of Redshift managed tables (not EXTERNAL TABLES) is not permitted within an EXTERNAL SCHEMA.
- The creation of secure views is not permitted within an EXTERNAL SCHEMA.
Because of the limitations listed above, Privacera has never managed external tables. By default, we manage permissions for external schemas at the schema level.
Support for Row Level Filter and Column Masking by means of secure views on an EXTERNAL SCHEMA is possible, but only with the user's consent, because the user will also have direct access to the EXTERNAL TABLE: if they query the table's data directly, neither the Row Level Filter nor the Column Masking is applied.
We do not recommend this solution, but if you agree that users will not query the data directly (via external tables), it can be enabled by adding the REDSHIFT_ENABLE_EXTERNAL_SCHEMA_SUPPORT property (the default behavior is false).
For an EXTERNAL TABLE, we support Row Level Filter and Column Masking to a limited extent:
- Instead of creating a table, we create a secure view in a schema whose name is the external schema name with the _secure postfix added (Redshift views cannot be created inside external schemas).
- To GRANT access to the secure view, we must also grant USAGE permission on the source schema, because the secure view's schema is separate from the EXTERNAL SCHEMA. As a result, permission is effectively granted on the source (actual) table as well.
- Only the SELECT permission on an EXTERNAL TABLE is supported.
- The DataAdmin permission is ineffective because the EXTERNAL SCHEMA allows direct access to its EXTERNAL TABLES.
Due to these limitations, EXTERNAL SCHEMA support for Row Level Filter and Column Masking is not recommended.
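As an added illustration (constructed for this page, not Privacera's own SQL), the following Redshift statements lay out the arrangement described above: an external schema, a secure view in a separate schema carrying the _secure postfix, and the grants a user needs. The schema, table and user names, the IAM role ARN, the S3 location and the masking/filter rules are all placeholders.

```sql
-- Constructed example (not Privacera's SQL). Names, the IAM role ARN and the
-- S3 location are placeholders; the masking/filter rules are arbitrary.

-- 1. External schema backed by the AWS Glue Data Catalog.
CREATE EXTERNAL SCHEMA spectrum_sales
FROM DATA CATALOG
DATABASE 'spectrumdb'
IAM_ROLE 'arn:aws:iam::<ACCOUNT_ID>:role/<SPECTRUM_ROLE>'
CREATE EXTERNAL DATABASE IF NOT EXISTS;

-- 2. External table whose data lives in S3. Redshift keeps no ACL for it:
--    anyone with USAGE on spectrum_sales can read it.
CREATE EXTERNAL TABLE spectrum_sales.orders (
    order_id       BIGINT,
    customer_email VARCHAR(256),
    region         VARCHAR(16),
    amount         DECIMAL(12,2)
)
STORED AS PARQUET
LOCATION 's3://<BUCKET>/orders/';

-- 3. Secure view in a separate "<schema>_secure" schema, because a view cannot
--    be created inside an external schema. A view over an external table must
--    be late-binding (WITH NO SCHEMA BINDING).
CREATE SCHEMA spectrum_sales_secure;

CREATE VIEW spectrum_sales_secure.orders AS
SELECT order_id,
       REGEXP_REPLACE(customer_email, '^[^@]+', '****') AS customer_email, -- column masking
       region,
       amount
FROM spectrum_sales.orders
WHERE region = 'EU'                                                     -- row-level filter
WITH NO SCHEMA BINDING;

-- 4. Grants for user "analyst". The last GRANT is the limitation described above:
--    the view only resolves if the user holds USAGE on the source external schema,
--    and that USAGE exposes every external table in it, unfiltered and unmasked.
GRANT USAGE  ON SCHEMA spectrum_sales_secure TO analyst;
GRANT SELECT ON spectrum_sales_secure.orders  TO analyst;
GRANT USAGE  ON SCHEMA spectrum_sales         TO analyst;

-- Consequence: as "analyst", both statements succeed, but only the first one
-- applies the filter and the mask. Direct reads of spectrum_sales.orders can be
-- reviewed afterwards in Redshift's query log tables (for example STL_QUERY).
-- SELECT * FROM spectrum_sales_secure.orders;
-- SELECT * FROM spectrum_sales.orders;
```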
The following property should not be enabled without consent after reading this documentation:
REDSHIFT_ENABLE_EXTERNAL_SCHEMA_SUPPORT: set this property to true to enable the external schema support described above (default: false).
The values of the following properties must be left blank:
REDSHIFT_SECURE_VIEW_NAME_PREFIX: ""
REDSHIFT_SECURE_VIEW_NAME_POSTFIX: ""
The values of the following properties must be set as follows:
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_PREFIX: ""
REDSHIFT_SECURE_VIEW_SCHEMA_NAME_POSTFIX: "_secure"