Audience: Application Admins and Governors
Content Summary: This page outlines prerequisites, an overview of the installation process, limitations, and external documentation for external catalog requirements. For a tutorial on connecting an external catalog, see the Configure External Catalog page.
Immuta supports the following external catalogs:
Users who want to use tagging capabilities outside of Immuta and pull tags from external table schemas can connect Collibra or Alation as an external catalog. Once they have been connected, Immuta will ingest a data dictionary from the catalog that will apply data source and column tags directly onto data sources. These tags can then be used to write and drive policies.
If users have another catalog, or have customized their Collibra or Alation integrations, they can connect through the REST Catalog using the Immuta API.
Users can also connect a Snowflake account to allow Immuta to ingest Snowflake tags onto Snowflake data sources.
Best Practice: External Catalog
Use a single catalog; having more than one can lead to multiple truths and data leaks.
A catalog with tags that correspond to your Immuta data sources
When changes are made to the external catalog, refresh external tags
A physical Data Dictionary with assets that correspond to your Immuta data sources
The username and password of a user with the Global role: Catalog or Catalog Author.
When changes are made to the external catalog, refresh external tags
For more details about using a custom REST catalog with Immuta, see the Custom REST Catalog Interface Introduction.
A catalog with tags that correspond to your Immuta data sources
The Immuta API
When changes are made to the external catalog, refresh external tags
A Snowflake user who has, at minimum, the ability to set the following permissions:
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake
GRANT APPLY TAG ON ACCOUNT
Snowflake Enterprise Edition or higher
When changes are made to the tags in Snowflake, refresh external tags
Tags ingested from external catalogs cannot be edited within Immuta. To edit, delete, or add a tag from an external catalog to a data source or column, make the change in the external catalog.
You can configure multiple external catalogs within a single tenant of Immuta, but only one external catalog can be linked to a data source.
The diagram below contrasts Immuta's provided catalog integration architecture with this Customer REST Catalog interface - which gives the customer tremendous control over the metadata being provided to Immuta.
The custom-developed service must be built to receive and handle calls to the REST endpoints specified below. Immuta will call these endpoints as detailed below when certain events occur and at various intervals. The required responses to complete the connection are also detailed.
Tags are attributes applied to data, either at the top (data source) level or at the individual column level.
Tags in Immuta take the form of a nested tree structure. There are "parents", "children", "grand-children", etc.:
The REST Catalog interface interprets a tag's relationship mapping from a string based on a standard "dot" (.) notation, like:
Tags returned must meet the following constraints:
They must be no longer than 500 characters. Longer tags will not throw an error but will be truncated silently at 500 characters.
They must be composed of letters, digits, underscores, dashes, and whitespace characters. A period (.) is used as a separator as described above. Other special characters are not supported.
A tag object has a single id property, which is used to uniquely identify the tag within the catalog. This id may be of either a string or integer type, and its value is completely up to the designer of the REST Catalog service. Common examples include: a standard integer value, a UUID, or perhaps a hash of the tag's string value (if it is unique within the system).
For this Customer REST Catalog interface, tags are represented in JSON like:
For example, the object below specifies 3 different tags:
For more information on tags and how they are created, managed, and displayed within Immuta, see our tag documentation.
Descriptions are strings that, like tags, can be applied to either a data source or an individual column. These strings support UTF-8, including special and various language characters.
Immuta can make requests to your REST Catalog service using any of the following authentication methods:
Username and password: Immuta requires basic authentication and will send requests with a username and a password in the Authorization HTTP header. In this case, the custom REST service will need to be able to parse a Basic Authorization Header and validate the credentials sent with it.
PKI Certificate: In addition to basic authentication, Immuta can also send requests using a CA certificate, a certificate, and a key. This allows client-side certificate validation for increased security.
Authentication and specific endpoints
When accessing the /dataSource and /tags endpoints, Immuta will use the configured username and password. If you choose to also protect the human-readable pages with authentication, users will be prompted to authenticate when they first visit those pages.
/tags
The /tags endpoint is used to collect ALL the tags the catalog can provide. It is used by Immuta to populate Immuta's tags list in the Governance section. These tags can then be used for policy creation ahead of actual data sources being created that make use of them. This enables policies to immediately apply when data sources are registered with Immuta.
As with all external catalogs, tags ingested by Immuta from the REST catalog interface are not able to be modified locally within Immuta as this catalog becomes the "source of truth" for them. This results in the tags showing in Immuta with either a lock icon next to them, or without the delete button that would allow a user to manually remove them from an assigned data source or column.
The /tags endpoint receives a simple GET request from Immuta. No payload nor query parameters are required.
Example Request
The Custom REST service must respond with an object that maps all tag name strings to associated ids. The tag name string fully-qualifies the location of the tag in the tree structure as detailed previously, and the id is a globally unique identifier assigned by the REST catalog to that tag.
The JSON format for this response object is:
Example Response
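The following is an added example, not code from this page or from Immuta, showing how a Custom REST Catalog service might enforce the tag constraints described earlier (allowed characters per segment, silent truncation at 500 characters, dot-notation hierarchy) and build the name-to-id map that the /tags endpoint returns. The sha256-derived ids, the decision to emit ancestor tags ("Sensitive" and "Sensitive.PII" alongside "Sensitive.PII.Email"), and the function names are this example's own choices; the sample tag names are constructed.

```python
import hashlib
import re

MAX_TAG_LEN = 500  # Immuta silently truncates longer tag strings (stated on the page)
SEPARATOR = "."    # reserved for the parent.child hierarchy
# Each segment may contain letters, digits, underscores, dashes and whitespace only.
_SEGMENT = re.compile(r"[\w\s-]+")


def check_tag(name):
    """Validate one fully-qualified tag string and return the form Immuta will store.

    Raises ValueError on characters the interface does not accept or on an
    empty segment (e.g. "a..b"); truncates to MAX_TAG_LEN the way Immuta does,
    so the service sees the same value Immuta will.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("tag must be a non-empty string")
    for segment in name.split(SEPARATOR):
        if not segment or not _SEGMENT.fullmatch(segment):
            raise ValueError(f"invalid tag segment {segment!r} in {name!r}")
    if len(name) > MAX_TAG_LEN:
        name = name[:MAX_TAG_LEN]
    return name


def tag_id(name):
    """Derive a stable id from the tag string (hashing is one of the options the
    page lists; the 16-hex-character length is this example's assumption)."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:16]


def build_tag_tree(names):
    """Turn dot-notation strings into the nested parent/child structure."""
    tree = {}
    for name in names:
        node = tree
        for segment in check_tag(name).split(SEPARATOR):
            node = node.setdefault(segment, {})
    return tree


def tags_response(names):
    """Build the /tags response body: a map of every tag name string to its id.

    Ancestors are emitted too (this example's design choice), so "Sensitive"
    and "Sensitive.PII" exist as tags whenever "Sensitive.PII.Email" does.
    """
    mapping = {}
    for name in names:
        segments = check_tag(name).split(SEPARATOR)
        for depth in range(1, len(segments) + 1):
            qualified = SEPARATOR.join(segments[:depth])
            mapping[qualified] = tag_id(qualified)
    return mapping


if __name__ == "__main__":
    # Constructed sample tags, not taken from any real catalog.
    sample = ["Sensitive.PII.Email", "Sensitive.PII.Phone", "Public"]
    print(build_tag_tree(sample))
    print(tags_response(sample))
```

Because Immuta truncates over-long tags without raising an error, a tag that fails check_tag is best fixed in the catalog itself; otherwise the name Immuta stores will differ from the one the service intends and policies written against the full name will not match.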
/dataSource
The /dataSource endpoint does the vast majority of the work. It receives a POST request from Immuta, and returns the mapping of a data source and its columns to the applied tags and descriptions.
Immuta will try to fetch metadata for a data source in the system at various times:
During data source creation. During data source creation, Immuta will send metadata to the REST Catalog service, most notably the connection details of the data source, which includes the schema and table name. It is important that the Custom REST service implemented can parse this information and search its records for an appropriate record to return with an ID unique to this data source in its catalogMetadata object.
When a user manually links the data source. Data sources that either fail to auto-link, or that were created prior to the Custom REST catalog being configured, can still be manually linked. To do so, a data source owner can provide the ID of the asset as defined by the Custom REST Catalog via the Immuta UI. In order for this to work, the Custom REST Catalog service must support matching data source assets by unique ID.
During various refreshes. Once linked, Immuta will periodically call the /dataSource endpoint to ensure information is up to date.
Immuta's POST requests to the /dataSource endpoint will consist of a payload containing many of the elements outlined below:
This object must be parsed by the Custom REST Catalog in order to determine the specific data source metadata being requested.
For the most part, Immuta will provide the id of the data source as part of the catalogMetadata. This should be used as the primary metadata lookup value.
When a data source is being created, such an id will not yet be known to Immuta. Immuta will instead send handlerInfo information as part of the request.
When an id is not specified, the schema and table name elements should be parsed in an attempt to identify the desired catalog entry and provide an appropriate id. If such a lookup is successful and an id is returned to Immuta in the catalogMetadata section, Immuta will establish an automatic link between the new data source and the catalog entry, and future references will use that id.
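The following is an added example, not code from this page or from Immuta, of the request-handling side of /dataSource as described above, together with the Basic authentication check from the authentication section: the service validates the Authorization header Immuta sends (constant-time credential comparison), resolves the asset by catalogMetadata.id first and by the schema and table names in handlerInfo when no id exists yet, and answers with the id so Immuta can auto-link the data source. The catalog records are constructed; the payload and response key names other than catalogMetadata, handlerInfo, id, schema and table, the case-insensitive schema/table match, and the 404 for unmatched sources are this example's assumptions. The functions are framework-free so they can be wired into any HTTP server.

```python
import base64
import hmac

# Constructed catalog records (sample data, not from any real catalog).
# Keys are the asset ids this service owns; Immuta stores the id it receives
# in catalogMetadata and sends it back on later refreshes.
CATALOG = {
    "asset-1001": {
        "schema": "sales",
        "table": "customers",
        "description": "Customer master records",
        "tags": [{"id": "t-10", "name": "Sensitive.PII"}],
        "columns": {
            "email": {"description": "Contact e-mail",
                      "tags": [{"id": "t-11", "name": "Sensitive.PII.Email"}]},
            "region": {"description": "Sales region", "tags": []},
        },
    },
}


def basic_header(user, password):
    """Build the Authorization header value Immuta sends for basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(authorization, expected_user, expected_password):
    """Validate an HTTP Basic Authorization header value.

    Returns True only when the header decodes to expected_user:expected_password.
    Both comparisons run in constant time so a rejected request leaks nothing
    about how much of the credential matched.
    """
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True)
        decoded = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok


def resolve_asset(payload):
    """Find the catalog record a /dataSource request refers to.

    Lookup order follows the page: catalogMetadata.id first; when no id is
    present yet (data source creation), fall back to the schema and table
    names in handlerInfo. Returns (asset_id, record) or (None, None).
    """
    meta = payload.get("catalogMetadata") or {}
    if meta.get("id") is not None:
        asset_id = str(meta["id"])
        record = CATALOG.get(asset_id)
        return (asset_id, record) if record else (None, None)
    info = payload.get("handlerInfo") or {}
    schema, table = info.get("schema"), info.get("table")
    if not schema or not table:
        return None, None
    # Case-insensitive match (assumption): identifier case often differs between systems.
    for asset_id, record in CATALOG.items():
        if record["schema"].lower() == schema.lower() and record["table"].lower() == table.lower():
            return asset_id, record
    return None, None


def handle_data_source(headers, payload, expected_user, expected_password):
    """Service one POST /dataSource call. Returns (http_status, response_body)."""
    if not check_basic_auth(headers.get("Authorization"), expected_user, expected_password):
        return 401, {"error": "authentication required"}
    asset_id, record = resolve_asset(payload)
    if record is None:
        # Nothing matched: answer 404 so the data source stays unlinked and an
        # owner can link it manually by asset id later.
        return 404, {"error": "no catalog entry for this data source"}
    body = {
        # Returning the id is what lets Immuta auto-link the data source.
        "catalogMetadata": {"id": asset_id},
        "description": record["description"],
        "tags": record["tags"],
        "columns": [
            {"name": name, "description": col["description"], "tags": col["tags"]}
            for name, col in record["columns"].items()
        ],
    }
    return 200, body


if __name__ == "__main__":
    hdr = basic_header("immuta", "example-password")
    creation = {"handlerInfo": {"schema": "SALES", "table": "Customers"}}
    print(handle_data_source({"Authorization": hdr}, creation, "immuta", "example-password"))
```

The id-first lookup matters for refreshes: once Immuta has linked a data source it sends the id back, and matching on it rather than re-parsing schema and table names keeps the link stable even if the underlying table is renamed in the catalog.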
Example Request
The schema for the /dataSource response uses the same tag object structure from the /tags response, along with the following set of metadata keys for both data sources and columns.
The returned JSON object should have a format very similar to