Today we released the latest update to Okera Active Data Access Platform. In this post, we will take a look at some of the most significant enhancements in this release.
Interactive dashboards for governance and usage insight
In this update, we are introducing interactive reports for usage analytics that are built on top of updated, more detailed audit tables. The interactive reports can be aggregated over a variety of date ranges and filtered by individual database, and they provide some really useful insights, such as the following:
- Number of queries over time
- Number of queries by client application
- Number of queries by dataset
- Most active users
You can click on any of these charts to drill down to the underlying SQL query for more fine-grained analysis and custom reporting.
Full support for Snowflake, Redshift, and relational databases
ODAP 1.2 works with Snowflake, Redshift, and relational databases, whether they’re on-prem (e.g., Oracle, MySQL, PostgreSQL) or cloud-based (Redshift, Snowflake, RDS, and more). This means that all of Okera’s powerful features — unified cataloging, sophisticated access control including tokenization, redaction and row-level filtering, plus comprehensive auditing — are now available for any database that supports JDBC.
Dynamic, scalable access control policies
ODAP 1.2 makes it easy to define powerful access policies for column-level tokenization and row-level filtering using two new powerful, easy-to-use functions that can be put inside the access control view definitions:
- BOOLEAN has_access(STRING paths): returns true if the current user has access to all of the objects listed by the parameter (e.g., “salesdb.sales_cal” or “salesdb,devdb.sales_data”)
- BOOLEAN has_roles(STRING roles): returns true if the current user is part of all of the roles listed by the parameter (e.g., “admin_role” or “dev,sales,sales_admin”)
These functions are evaluated at query planning time, so they not only have zero per-record performance overhead, but also vastly reduce the number of views that need to be created compared to any other access control tool available on the market today.
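As an added illustration (not taken from Okera's documentation), a single view definition can combine both functions for column-level masking and row-level filtering instead of maintaining one view per role. The table, column and role names are hypothetical, and the masking uses ordinary SQL string functions rather than Okera's tokenization functions.

```sql
-- Hypothetical base table: salesdb.customers(id, name, ssn, email, region)
-- Hypothetical roles: pii_admin, sales, emea_sales, amer_sales
CREATE VIEW salesdb.customers_secure AS
SELECT
  id,
  name,
  -- Column-level control: only members of pii_admin see the raw value;
  -- everyone else sees the last four digits of an NNN-NN-NNNN string.
  CASE
    WHEN has_roles('pii_admin') THEN ssn
    ELSE CONCAT('XXX-XX-', SUBSTR(ssn, 8, 4))
  END AS ssn,
  -- A comma-separated list requires ALL of the listed roles,
  -- so this branch needs membership in both sales and pii_admin.
  CASE
    WHEN has_roles('sales,pii_admin') THEN email
    ELSE NULL
  END AS email,
  region
FROM salesdb.customers
WHERE
  -- Row-level filter. "Any of these roles" has to be written as OR
  -- between separate calls, because one call with a list is an AND
  -- over its entries.
  (has_roles('emea_sales') AND region = 'EMEA')
  OR (has_roles('amer_sales') AND region = 'AMER')
  OR has_roles('pii_admin')
  -- has_access keys the decision to an existing grant on an object
  -- rather than to a role name.
  OR has_access('salesdb.customers');
```

When reviewing such a view, check every multi-role list against the intended policy: writing `'emea_sales,amer_sales'` where "either region team" was meant would return rows only to users who hold both roles.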
Fine-grained administrative privileges
Okera 1.2 makes it easy to enable distributed data stewardship through four new access control privileges: SHOW, INSERT, CREATE, and ALTER. These new privileges let you delegate specific stewardship responsibilities to individuals without having to depend on centralized teams that can become bottlenecks, while preserving the principle of least privilege.
These new privileges, which are in addition to the current access control privileges of ALL and SELECT, are described below.
- SHOW: This privilege lets users view the metadata for a particular data set without viewing the contents of the data set — for example, with this privilege, a user can run DESCRIBE on a table and view the schema of that table, but still won’t be able to view the contents of the table without the SELECT privilege. This privilege can be granted on catalog, database, and table.
- INSERT: This privilege gives users write access to the object, and does not include read access. It can be granted on catalog, database, table, and columns.
- CREATE: This privilege lets users create new datasets (e.g., create tables and views). This privilege can be granted on catalog and database.
- ALTER: This privilege lets users alter the schema of datasets. This privilege can be granted on catalog, database, and table.
Plus lots of other improvements
There’s a lot more in this release, too, including support for Spark 2.3 and Presto for EMR 5.16. Plus, we’ve made a bunch of performance enhancements, including updates to our native Python library, PyOkera, and performance safeguards for large data sets that have lots of partitions. We’ve also made some significant improvements to our REST API and how we handle Hive UDFs.
As always, we have a lot more in store in the next update that we’re already hard at work on, so stay tuned!