Tags in PolicySync

Privacera's PolicySync synchronizes access policies across different data services, extending the capabilities of Apache Ranger to offer a unified policy enforcement mechanism. When it comes to managing Apache Ranger Tags, PolicySync provides a seamless way to ensure that tag-based policies are consistently applied across diverse environments, thereby enabling effective data governance and security.

sequenceDiagram
   participant D as Apache Ranger
   participant B as Privacera PolicySync
   participant E as Data Platforms

   B->>D: Fetch Tags and Mapping
   B->>D: Fetch Tag-Based Policies
   B->>E: Fetch Resources
   B->>B: Map Tags to Resources
   B->>E: Apply Native Policies

Overview of Apache Ranger Tags

Apache Ranger Tags are metadata labels assigned to resources, such as tables, columns, or files, which indicate their data sensitivity or classification. Tags make it easier to define and enforce policies across multiple resources without specifying each resource individually. By using tags, administrators can implement attribute-based access control (ABAC) and manage permissions based on the attributes of the data rather than hardcoding access for each individual data element.

How PolicySync Handles Apache Ranger Tags

Tag Retrieval and Policy Synchronization

Privacera's PolicySync integrates closely with Apache Ranger to retrieve the latest tags and their mappings to resources from the Apache Ranger TagSync service. This service manages the tagging information for the various resources within the ecosystem and keeps that metadata current. PolicySync periodically synchronizes with Ranger to fetch the most recent tag information, including updates to existing tags and new tag assignments.

In addition to fetching tags, PolicySync also retrieves tag-based policies from Apache Ranger. These policies define the access controls for resources based on their assigned tags.

Tag-Based Policy Enforcement

Tag-based policies can govern access to a resource (e.g., tables or files), dynamic masking of table columns, or dynamic encryption of columns. Once tags are synchronized, PolicySync enforces these tag-based policies on all integrated services. For example, if a "Confidential" tag is assigned to certain resources, PolicySync ensures that only users with the appropriate permissions can access those resources, regardless of which data platform or service they use. This cross-platform enforcement is critical for maintaining consistent security standards in multi-cloud or hybrid environments.

Dynamic UDF

If the native data source supports dynamic User Defined Functions (UDFs), Privacera PolicySync creates the UDFs and applies them to the relevant columns for the affected users, groups, or roles.

sequenceDiagram
   participant U as User
   participant P as Privacera PolicySync
   participant DS as Data Source

   P->>DS: Create UDF/Functions
   P->>DS: Apply policies for UDFs and Columns
   U->>DS: Query Table
   DS->>U: Apply UDFs on Query

Secure Views

If the native data source does not support dynamic UDFs, PolicySync creates Secure Views instead and ensures that the UDFs are applied whenever a user queries those views. This approach provides flexibility in handling data protection according to the capabilities of the underlying data source.

sequenceDiagram
   participant U as User
   participant P as Privacera PolicySync
   participant DS as Data Source

   P->>DS: Create Secure Views
   U->>DS: Query Secure Views
   DS->>U: Apply UDFs within Secure Views for User
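The two masking strategies described in the Dynamic UDF and Secure Views sections, as an added example that is not PolicySync's or any vendor's code: given the columns to mask and whether the data source supports dynamic UDFs, it emits either a UDF-binding plan or a Secure View plan. The SQL is generic and constructed for illustration; the `privacera_mask_*` function names, the `SET MASK` binding clause, the `is_member('finance')` exemption expression, and the final `REVOKE` on the base table are all assumptions standing in for a real platform's dialect and rollout.

```python
"""Sketch of the two masking strategies the page describes: bind a native
masking UDF to a column when the data source supports dynamic UDFs, or
publish a Secure View that calls the UDF when it does not.
Added example, not PolicySync's or any vendor's code: the DDL is generic
SQL constructed for illustration and must be adapted to a real dialect."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ColumnMask:
    column: str
    mask_type: str  # "HASH" or "REDACT" (constructed mask types)


# Constructed: the expression each masking UDF computes on a column value.
MASK_EXPRESSIONS = {
    "HASH": "sha2(CAST(value AS VARCHAR), 256)",
    "REDACT": "'****'",
}


def udf_name(mask_type):
    return f"privacera_mask_{mask_type.lower()}"  # hypothetical naming scheme


def udf_ddl(mask_type):
    """DDL for one masking UDF. It receives the value and an 'exempt' flag so the
    same function returns clear text for groups the policy allows to see it."""
    expr = MASK_EXPRESSIONS[mask_type]
    return (
        f"CREATE OR REPLACE FUNCTION {udf_name(mask_type)}(value VARCHAR, exempt BOOLEAN) "
        f"RETURNS VARCHAR AS 'CASE WHEN exempt THEN value ELSE {expr} END'"
    )


def masking_udfs(masks):
    """One CREATE FUNCTION per distinct mask type, in a stable order."""
    return [udf_ddl(t) for t in sorted({m.mask_type for m in masks})]


def native_udf_plan(table, masks, exempt_expr):
    """Data source supports dynamic UDFs: create the UDFs and bind each one to its
    column. 'SET MASK' is a placeholder for the platform's real column-masking syntax."""
    stmts = masking_udfs(masks)
    for m in masks:
        stmts.append(
            f"ALTER TABLE {table} ALTER COLUMN {m.column} "
            f"SET MASK {udf_name(m.mask_type)}({m.column}, {exempt_expr})"
        )
    return stmts


def secure_view_plan(table, all_columns, masks, exempt_expr, view_schema="secure"):
    """Data source lacks dynamic UDFs: create the UDFs, publish a view that calls
    them for the querying user, and cut direct reads on the base table so the view
    is the only read path (the REVOKE is an assumption about the rollout)."""
    mask_by_col = {m.column: m for m in masks}
    items = []
    for col in all_columns:
        m = mask_by_col.get(col)
        if m is None:
            items.append(col)  # unmasked columns pass through unchanged
        else:
            items.append(f"{udf_name(m.mask_type)}({col}, {exempt_expr}) AS {col}")
    stmts = masking_udfs(masks)
    stmts.append(
        f"CREATE OR REPLACE VIEW {view_schema}.{table} AS "
        f"SELECT {', '.join(items)} FROM {table}"
    )
    stmts.append(f"REVOKE SELECT ON {table} FROM PUBLIC")
    return stmts


def plan_masking(table, all_columns, masks, supports_dynamic_udf, exempt_expr):
    """The decision the page describes: native UDF binding when available,
    otherwise a Secure View wrapping the masked columns."""
    if supports_dynamic_udf:
        return native_udf_plan(table, masks, exempt_expr)
    return secure_view_plan(table, all_columns, masks, exempt_expr)


if __name__ == "__main__":
    demo = [ColumnMask("email", "HASH"), ColumnMask("ssn", "REDACT")]
    for stmt in plan_masking("customers", ["id", "email", "ssn"], demo, False, "is_member('finance')"):
        print(stmt + ";")
```

The Secure View path only protects data if users cannot bypass the view, which is why the plan ends by revoking direct reads on the base table; in the UDF path the binding itself is enforced by the platform, so no separate view or revoke is needed.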

Changes to Tags, Tag Mappings, and Tag Policies

PolicySync continuously monitors for changes in tag assignments and policy modifications. When a tag is updated, such as when a resource's classification changes from "Public" to "Sensitive," PolicySync quickly propagates these changes to all affected services, ensuring that policies are dynamically updated to reflect the new data classification. This feature reduces manual efforts and provides an extra layer of agility in enforcing compliance requirements.
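The tag-to-resource mapping described under Tag-Based Policy Enforcement and the change propagation described in this section, as an added example that is not Privacera or Apache Ranger code: it resolves each resource's native policy from its tags, then re-resolves after a resource is reclassified from "Public" to "Sensitive" and reports which resources need their native policies re-applied. The tags, groups and resources are constructed, and combining several tags on one resource by intersecting their allowed groups is this example's own simplification, not Ranger's documented evaluation order.

```python
"""Toy model of how a PolicySync-style component derives per-resource native
policies from Ranger tag-based policies and re-derives them when a tag
assignment changes. Added example, not Privacera or Apache Ranger code; the
tags, groups and resources are constructed, and combining several tags by
intersecting their allowed groups is this example's assumption, not Ranger's
documented evaluation order."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TagPolicy:
    tag: str
    allowed_groups: frozenset        # groups allowed to access resources carrying the tag
    mask_type: Optional[str] = None  # e.g. "HASH" for dynamic column masking, None for plain access


# Constructed sample of tag-based policies as fetched from Ranger.
TAG_POLICIES = {
    "Public": TagPolicy("Public", frozenset({"analysts", "finance"})),
    "Sensitive": TagPolicy("Sensitive", frozenset({"finance"})),
    "PII": TagPolicy("PII", frozenset({"analysts", "finance"}), mask_type="HASH"),
}

# Constructed sample of the resource -> tags mapping as fetched from TagSync.
TAG_MAPPING_V1 = {
    "sales.orders": {"Public"},
    "sales.orders.customer_email": {"Public", "PII"},
    "hr.salaries": {"Sensitive"},
}


def resolve_native_policies(tag_mapping, tag_policies):
    """Map each resource to the access and masking decision implied by its tags."""
    native = {}
    for resource, tags in tag_mapping.items():
        allowed = None
        mask = None
        for tag in sorted(tags):
            policy = tag_policies.get(tag)
            if policy is None:
                continue  # a tag with no policy grants nothing and masks nothing
            allowed = policy.allowed_groups if allowed is None else allowed & policy.allowed_groups
            if policy.mask_type and mask is None:
                mask = policy.mask_type
        native[resource] = {"allowed_groups": allowed or frozenset(), "mask_type": mask}
    return native


def decide(native, resource, user_groups):
    """Access decision for a user: allowed only if one of their groups is permitted,
    and masked if the resource carries a masking tag. Unknown resources are denied."""
    entry = native.get(resource)
    if entry is None or not (entry["allowed_groups"] & set(user_groups)):
        return {"access": False, "mask_type": None}
    return {"access": True, "mask_type": entry["mask_type"]}


def reclassify(tag_mapping, resource, remove_tag, add_tag):
    """Return a new mapping with one resource's tag swapped, e.g. Public -> Sensitive."""
    updated = {r: set(t) for r, t in tag_mapping.items()}
    updated.setdefault(resource, set()).discard(remove_tag)
    updated[resource].add(add_tag)
    return updated


def diff_native_policies(old, new):
    """Resources whose native policy changed and must be re-applied downstream;
    a value of None means the resource no longer has any policy."""
    changed = {}
    for resource in set(old) | set(new):
        if old.get(resource) != new.get(resource):
            changed[resource] = new.get(resource)
    return changed


if __name__ == "__main__":
    before = resolve_native_policies(TAG_MAPPING_V1, TAG_POLICIES)
    after = resolve_native_policies(
        reclassify(TAG_MAPPING_V1, "sales.orders", "Public", "Sensitive"), TAG_POLICIES)
    for resource, policy in diff_native_policies(before, after).items():
        print(resource, "->", policy)
```

Propagating only the diff rather than re-applying every native policy is what keeps a reclassification cheap on large estates; the diff also gives a natural audit record of which resources changed and why.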

Benefits of Using PolicySync for Ranger Tags

  • Centralized Management: For column masking, PolicySync provides centralized management of tag-based policies across multiple data services, so administrators no longer need to configure each service individually.
  • Consistency: By synchronizing tags and enforcing policies in real time, PolicySync ensures that security policies are consistently applied across the entire data landscape.
  • Automation: PolicySync automates the entire tag synchronization process, reducing the risk of human error and minimizing administrative overhead.
  • Scalability: The integration supports growing data environments by dynamically adjusting policies as new tags are created or existing tags are modified.

Performance Considerations

For dynamic masking, the use of native UDFs can introduce performance overhead, particularly with very large datasets or complex queries. The additional processing required for data masking, encryption, or applying UDFs can increase query response times, especially if the underlying data source does not execute these operations efficiently. This overhead is inherent to how the underlying data platforms implement UDFs and secure views and is not specific to PolicySync. It is recommended to evaluate the performance impact of dynamic masking and encryption on your specific use cases by running the query with the UDFs directly on the data source and comparing the results with and without calling them.
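The comparison recommended above, as an added example that is not PolicySync's code: it runs the same scan with and without a masking function and reports both timings. An in-memory SQLite table with a Python function registered as the UDF stands in for a real data source (constructed here), so the absolute numbers are not representative of any platform; only the method of timing the UDF and non-UDF query side by side carries over.

```python
"""Measures the overhead of a masking UDF the way the page recommends: run the
same scan with and without the function and compare. Added example, not
PolicySync's code; it uses an in-memory SQLite table with a Python function
registered as the UDF, constructed here as a stand-in for a real data source,
so the absolute numbers are not representative and only the method carries over."""
import hashlib
import sqlite3
import time


def mask_hash(value):
    """Stand-in for a platform masking UDF: SHA-256 of the value, NULL stays NULL."""
    if value is None:
        return None
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()


def build_db(rows):
    """Constructed table with synthetic e-mail addresses and the masking UDF registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("mask_hash", 1, mask_hash)
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        ((i, f"user{i}@example.com") for i in range(rows)),
    )
    conn.commit()
    return conn


def timed_scan(conn, sql):
    """Run a query to completion and return (row_count, elapsed_seconds)."""
    start = time.perf_counter()
    count = sum(1 for _ in conn.execute(sql))
    return count, time.perf_counter() - start


def compare_masking_overhead(rows=20000):
    """Time the plain scan and the masked scan over the same rows."""
    conn = build_db(rows)
    plain_rows, plain_s = timed_scan(conn, "SELECT id, email FROM customers")
    masked_rows, masked_s = timed_scan(conn, "SELECT id, mask_hash(email) FROM customers")
    assert plain_rows == masked_rows  # masking must not change the row count
    return {
        "rows": plain_rows,
        "plain_seconds": plain_s,
        "masked_seconds": masked_s,
        "overhead_ratio": masked_s / plain_s if plain_s > 0 else float("inf"),
    }


def masked_value(conn, row_id):
    """Fetch one masked value through SQL to confirm the UDF is really applied."""
    return conn.execute(
        "SELECT mask_hash(email) FROM customers WHERE id = ?", (row_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    result = compare_masking_overhead()
    print(f"{result['rows']} rows: plain {result['plain_seconds']:.4f}s, "
          f"masked {result['masked_seconds']:.4f}s, ratio {result['overhead_ratio']:.1f}x")
```

When repeating this against a real platform, run each variant several times and discard the first run so caching does not skew the comparison, and check, as `masked_value` does here, that the masked query really returns masked output rather than only measuring its speed.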