
OkeraEnsemble Overview (Preview Feature)

Big data environments separate storage from computation and let users access data stored in cloud object stores through computation frameworks, SQL query engines, or directly as files. Okera supports authorization of data access for both structured (tabular) data and unstructured data (files or directories). This section describes OkeraEnsemble, Okera's file access control.

OkeraEnsemble extends Okera’s access control to files and directories (URIs) in cloud object stores, such as Amazon S3. Administrators can grant team members access to create, modify, copy, or delete objects under a URI.

This approach has several advantages:

  • It removes the need to manage multiple per-user IAM accounts required for object storage access. File operations are authorized by Okera roles and permissions, instead of an IAM JSON policy file.

  • It significantly simplifies data access management. Because the data accessible via SQL queries is stored in files, keeping access consistent while controlling tables and files separately is extremely difficult and inefficient. Instead, OkeraEnsemble provides a centralized mechanism for controlling access to file data.

  • OkeraEnsemble supports various native mechanisms that end users can use to access file data. For example, for Amazon S3, Okera supports access through the CLI, REST endpoints, and Spark file APIs.

  • OkeraEnsemble allows a user to perform read and write operations on data in object storage, based on their Okera permissions to perform these operations, even if the user does not have access to the underlying object storage.

The ability to access underlying files introduces the need to control:

  • Who should be able to perform operations on files and objects
  • What operations should be allowed

Using the Okera UI, you can register unstructured data with Okera, tag it, and apply Okera's fine-grained access control to your unstructured data files and directories. See Unstructured Data Support in the UI.

OkeraEnsemble is supported in the following environments: