OkeraFS - File Access Control Overview (Preview Feature)
Big data environments separate storage from compute and allow users to access data held in cloud object stores through computation frameworks, SQL query engines, or directly as files. Okera supports authorization of data access for both SQL and files. This section describes Okera file access control, or OkeraFS.
Okera file access control (OkeraFS) extends Okera’s access control to files and objects in cloud object stores, such as AWS S3. Administrators can grant team members access to create, modify, copy, or delete objects under a URI.
The advantages of this approach are numerous:
- It removes the need to manage multiple per-user IAM accounts for object storage access. File operations are authorized by Okera roles and permissions instead of an IAM JSON policy file.
- It significantly simplifies data access management. Because the data accessible via SQL queries is stored in files, keeping table access and file access consistent when they are controlled separately is difficult and inefficient. OkeraFS instead provides a centralized mechanism for controlling access to file data.
- OkeraFS supports the native mechanisms that end users already use to access file data. For AWS S3, for example, Okera supports access through the CLI, REST endpoints, and Spark file APIs.
- OkeraFS allows a user to perform read and write operations on data in object storage, based on their Okera permissions for those operations, even if the user has no access to the underlying object storage.
The ability to access underlying files introduces the need to control:
- Who should be able to perform operations on files and objects.
- What operations should be allowed.
OkeraFS is supported in the following environments: