Audience: System Administrators, Data Governors, and Data Owners
Content Summary: This page provides an overview of the Redshift integration in Immuta.
For a tutorial detailing how to enable this integration, see the installation guide.
Redshift is a policy push integration that allows Immuta to apply policies directly in Redshift. This allows data analysts to query Redshift views directly instead of going through a proxy and have per-user policies dynamically applied at query time.
The Redshift integration will create views from the tables within the database specified when the integration is configured. The user can then choose the name for the schema where all the Immuta-generated views will reside. Immuta will also create the schemas immuta_procedures to contain the tables, views, UDFs, and stored procedures that support the integration.
SQL statements are used to create all views, including a join to the secure view. This secure view is a select from the immuta_system.profile table (which contains all Immuta users and their current groups, attributes, projects, and a list of valid tables they have access to) with a constraint immuta__userid = current_user() to ensure it only contains the profile row for the current user. The immuta_system.user_profile view is readable by all users, but will only display the data that corresponds to the user executing the query.
The Redshift integration uses webhooks to keep views up-to-date with Immuta data sources.
When a data source or policy is created, updated, or disabled, a webhook will be called that will create, modify, or delete the dynamic view.
The immuta_system.profile table is updated through webhooks when a user's groups or attributes change, they switch projects, they acknowledge a purpose, or when their data source access is approved or revoked.
The profile table can only be read and updated by the Immuta system account.
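The secure-view pattern and the restricted profile table described above, sketched in Redshift SQL as an added example; it is not the DDL Immuta generates. Only immuta_system.profile, immuta_system.user_profile and immuta__userid come from this page; the other schemas, tables, columns and sample rows are assumptions.

```sql
-- Redshift SQL sketch. Page names: immuta_system.profile, immuta_system.user_profile,
-- immuta__userid. All other schemas, tables, columns and rows are hypothetical.
CREATE SCHEMA IF NOT EXISTS immuta_system;
CREATE TABLE immuta_system.profile (
    immuta__userid  VARCHAR(128) NOT NULL,  -- Redshift user name
    user_groups     VARCHAR(4096),          -- hypothetical: comma-separated groups
    allowed_tables  VARCHAR(65535)          -- hypothetical: comma-separated table names
);
-- Entitlement rows stay private to the system account that owns the table.
REVOKE ALL ON immuta_system.profile FROM PUBLIC;

-- Secure view: the filter leaves only the caller's own profile row.
-- Redshift writes the page's current_user() as CURRENT_USER, without parentheses.
CREATE VIEW immuta_system.user_profile AS
SELECT immuta__userid, user_groups, allowed_tables
FROM immuta_system.profile
WHERE immuta__userid = CURRENT_USER;
GRANT USAGE ON SCHEMA immuta_system TO PUBLIC;
GRANT SELECT ON immuta_system.user_profile TO PUBLIC;

-- Hypothetical base table with one constructed row.
CREATE SCHEMA IF NOT EXISTS sales;
CREATE TABLE sales.orders (order_id INT, region VARCHAR(16), card_number VARCHAR(19));
INSERT INTO sales.orders VALUES (1, 'emea', '0000-0000-0000-0000');

-- Policy view joined to the secure view. The inner join fails closed: no profile
-- row, or a profile that does not list this table, yields zero rows.
CREATE SCHEMA IF NOT EXISTS immuta_views;
CREATE VIEW immuta_views.orders AS
SELECT o.order_id,
       o.region,
       CASE WHEN ',' || p.user_groups || ',' LIKE '%,finance,%'
            THEN o.card_number
       END AS card_number                   -- NULL unless caller is in 'finance'
FROM sales.orders AS o
JOIN immuta_system.user_profile AS p
  ON ',' || p.allowed_tables || ',' LIKE '%,sales.orders,%';
GRANT USAGE ON SCHEMA immuta_views TO PUBLIC;
GRANT SELECT ON immuta_views.orders TO PUBLIC;

-- Constructed profile rows, inserted by the system account.
INSERT INTO immuta_system.profile VALUES
    ('alice', 'finance',  'sales.orders'),
    ('bob',   'analysts', 'sales.orders'),
    ('carol', 'analysts', 'sales.customers');

-- Run as each user to compare what the same statement returns.
SELECT order_id, region, card_number FROM immuta_views.orders;
```

The account that owns the views needs SELECT on immuta_system.profile and sales.orders; querying users need only the grants on the views, so they never read the base tables directly.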
- An Immuta Application Administrator configures the Redshift integration and registers Redshift warehouse and databases with Immuta.
- Immuta creates a database inside the configured Redshift ecosystem that contains Immuta policy definitions and user entitlements.
- A Data Owner registers Redshift tables in Immuta as data sources.
- A Data Owner, Data Governor, or Administrator creates or changes a policy or user in Immuta.
- Data source metadata, tags, user metadata, and policy definitions are stored in Immuta's Metadata Database.
- The Immuta Web Service calls a stored procedure that modifies the user entitlements or policies.
- A Redshift user who is subscribed to the data source in Immuta queries the corresponding table directly in Redshift through the immuta database and sees policy-enforced data.