This document details how to externally generate native views for databases that are currently not supported as integrations in Immuta using the Immuta API, equalized projects, and webhooks.
Immuta supports several integrations that allow users to interact directly with their systems without going through a proxy. For systems that Immuta does not currently support as an integration, users can generate native views for these systems using
Global webhooks, and the
Immuta API.
The implementation of generating native views will vary based on internal business requirements; however, the general workflow and interaction with the Immuta API and webhooks are outlined below.
A number of webhooks ensure native views represent the current state of the policies enforced. The table below describes each of these notification types.
To receive webhook notifications, you must register for the notifications as a user with the APPLICATION_ADMIN permission to create a global webhook. Unlike a regular webhook, a global webhook ensures that you receive all notifications, even if they don’t pertain to the particular user who registered the hook. Note: You should only register the hook once.
All user-configured webhook integrations must respond within 10 seconds of receiving the webhook request payload. If the webhook integration takes longer to respond, the request will timeout.
Before registering a webhook, check if the webhook already exists by comparing it to the names and URLs of existing webhooks. If there is already a webhook with the name and url of the one you want to register, it already exists and you don't need to register it. Completing this process whenever your service starts up will ensure that you never miss notifications.
Use the request and example response provided below for guidance:
After you have determined that the webhook does not exist, register it with the four notification types outlined in the payload example below.
Once a notification is received, additional calls need to be made to the Immuta API to ensure the native views reflect the current state of policies, data sources, and projects. These calls depend on the notification received, so the calls required for each are outlined by notification type throughout this section.
Use the tabs below for guidance when you receive the dataSourceUpdated
notification.
When the dataSourceUpdated
notification is triggered, the columns, credentials, or even the backing query of a data source may have changed or the data source may have been disabled or enabled. When a dataSourceUpdated
notification is received,
Get the data source metadata to verify that the updated data source belongs to an equalized project. (See the 1. Get Data Source Metadata tab.)
Note: Notifications are not filtered by blobHandlerType
, so you may receive notifications for irrelevant data source types. Whenever you receive this notification, check the returned blobHandlerType
when you call the data source endpoint.
Get a list of equalized projects that contain this data source. (See the 2. Get a List of Relevant Projects tab.)
Regenerate the view for each of those projects by calling the view SQL endpoint:
Remove the view if the source is disabled.
Create the view (if the data source was disabled but has now been enabled).
Update the view (if some other update caused the view to change).
dataSourceUpdated
Notification