Starburst developer blog

The latest news from our users, engineers, writers, and product folks for all our peers and friends out there.

Want even more updates and information? Go to the Starburst company blog.

Simplifying policy enforcement for your data mesh with Starburst Enterprise and Immuta

This blog was co-authored by Sumit Sarkar, Sr. Director, Product Marketing at Immuta.

In today’s global economy, it’s impossible to understate the importance of being able to access data efficiently and securely, regardless of where it resides. As external data sharing becomes increasingly common, data use agreements and regulatory requirements, including data localization laws, make it difficult for data platform teams to keep up and manage a compliant system.

Starburst and Immuta minimize complexity so the right people are able to access the right data at the right time, no matter where the data lives. As a federated query engine, Starburst Enterprise acts as a single access point across even the most complex data architectures. Immuta, the leader in automated data access control, centralizes data access policy management and enforcement so that policies are dynamically and consistently applied at query time. The latest release of Starburst Enterprise ships with Immuta, making it easier than ever to provide rapid, controlled access to data across data mesh architectures.

Starburst adds support for data access control with Immuta

Starburst is the analytics engine built for data mesh, allowing organizations to use data from multiple data warehouses, which in turn enables domain-driven data ownership and architecture. This core data mesh principle reduces pipeline complexity and makes data infrastructure more flexible and agile. However, the decentralized nature of data mesh architectures can make consistent data access control and policy enforcement difficult to manage at scale.

Read more about SQL is your data mesh API

To proactively solve this issue and avoid unauthorized data access, Starburst has added simplified, built-in support for Immuta SaaS and self-managed deployment methods. Starburst users can now seamlessly get up and running with automated data access control across their data mesh, with minimal overhead or maintenance required. As a result, users across any domain can query data from any platform through Starburst Enterprise, and Immuta acts as an invisible layer that enforces data access policies at runtime.

Immuta and Starburst Enterprise separate policy and data platform. As a result users can access data more quickly, while enforcing business and regulatory policies with the most comprehensive and easy-to-use access controls in place. This allows data teams to maximize the power and flexibility of data mesh without losing time or data security.

How is this done? When plugged into Starburst Enterprise, Immuta enables users with:

  • Sensitive data discovery and classification, which includes more than 60 prebuilt classifiers, as well as the ability to build custom tags. Tags can also map to specific data privacy laws and be implemented through global starter policies. This streamlines certification workflows by making it easy for stakeholders across functions to inspect and approve tags.

  • Scalable attribute-based access control (ABAC), which leverages metadata and user/subject attributes to make context-based access decisions at query time. Data teams can author policies in plain English so stakeholders have visibility into how data is being protected without requiring SQL expertise or additional data engineering resources.

  • Advanced policy building and dynamic data masking through techniques like privacy-enhancing technologies (PETs), including differential privacy, conditional masking, and k-anonymization, as well as the ability to easily limit data use for specific purposes to ensure secure data collaboration. Immuta allows users to implement both global and local policies, so that data owners and data platform owners can control access to data.

  • Data policy enforcement and auditing, which automates access control implementation at query time with no impact to user workflows, and provides unified data access logs that show how data is requested, accessed, and used. Immuta also allows organizations using service accounts from BI dashboards to impersonate end users in order to restrict access with no impact to the user or risk of a data leak.

Together, these capabilities allow Starburst Enterprise users to scale policy management through automation, increase agility across teams by empowering more stakeholders to manage policy, and easily prove compliant data use at any time.

Let’s take a closer look at how to get up and running with Starburst Enterprise and Immuta.

Implementing Immuta access control with Starburst Enterprise

The built-in access control of Starburst Enterprise is role-based and provides a baseline for data security and privacy management. For organizations scaling data use or leveraging sensitive data, particularly for data sharing, Immuta adds a robust layer of advanced protection and control.

To get started, Starburst Enterprise users need an active Immuta account and API key. Immuta manages access control for existing users and groups, regardless of the type of user authentication used with Starburst Enterprise.

Once Starburst Enterprise is registered as a data source in Immuta, you’re able to perform the following tasks

  • Configure catalogs for your cluster’s data sources with no process changes.
  • Configure a catalog for an Immuta connector.
  • Create an entry for each schema that is managed by Immuta. Immuta creates a view to represent the schema in its domain.
  • Configure an Immuta event listener in Starburst Enterprise.
  • Configure file-based access control in Starburst Enterprise.

These steps ensure that queries are validated by Immuta’s dynamic access control, then passed back to Starburst Enterprise for analysis and query processing. Let’s take a closer look at how it works in practice.

Query changes

When adding schemas to Immuta, it’s important to differentiate between the Immuta schema names and the underlying Starburst Enterprise schema names. Similarly, tables that exist in multiple Starburst Enterprise catalogs should each have a unique name to make it easy to distinguish which are under Immuta’s control.

Integrating Immuta with Starburst Enterprise allows you to run the same SQL queries you run directly with Starburst Enterprise. However, you must use the catalog name immuta and the schema names recognized by Immuta to ensure the Immuta policies are taken into account. For instance, you can use the Starburst Enterprise query editor to browse the immuta catalog and identify specific schemas and tables, with no change to the catalog.schema.table hierarchy. An example query for a table labeled customers might look like this:

SELECT *
FROM myimmuta.orcl_accounting.customers
LIMIT 100;

Admin users are able to see the underlying schema names and reach the same table with the following query:

SELECT *
FROM oracle.accounting.customers
LIMIT 100;

Configuring an Immuta catalog

Immuta now ships with Starburst Enterprise. To configure the Immuta connector and activate the plugin, you must create a configuration file in your cluster’s etc/catalog folder. This catalog properties file name myimmuta.properties determines the name of the catalog to use for querying data via Immuta. In the preceding example query the name myimmuta is used. The file needs to specify usage of the immuta connector with connector-name property and include the URL of your Immuta server and the API key:

connector-name=immuta
immuta-endpoint=your-Immuta-site's-URL
immuta-apikey=your-API-key

For example:

connector-name=immuta
immuta-endpoint=https://www.immuta.example.com/
immuta-apikey=e16456a3395d42988c2da6f06ccf1f58

Configuring an Immuta event listener

Immuta audit event listeners enable you to audit queries on your Starburst Enterprise cluster so you can see what data is used and prove compliance with internal and external rules and regulations. Event listeners must be configured in a file named event-listener.properties in the etc folder and the immuta-catalogs value must match the name of the catalog.

event.listener.name=immuta-event-listener
immuta-endpoint=https://www.immuta.example.com/
immuta-apikey=e16456a3395d42988c2da6f06ccf1f58
immuta.catalogs=myimmuta

Managing system access control

There are two processes that fall outside of Immuta’s control, and are controlled in Starburst Enterprise:

  • Prevent direct access to catalogs for standard users trying to bypass Immuta.
  • Protecting Immuta-managed tables from inadvertent secrets disclosure.

You can control these with the file-based access control and a JSON rules file in Starburst Enterprise:

The first step here is adding a configuration file called access-control.properties to the etc folder with the following two lines:

access-control.name=file
security.config-file=etc/access-rules.json

Below shows a starting point for an access-rules.json file:

{
  "catalogs": [
    {
      "user": "super_admin",
      "catalog": "immuta|postgres|redshift|mysql|oracle|system",
      "allow": "all"
    },
    {
      "role": "IT",
      "catalog": "immuta",
      "allow": "all"
    },
    {
      "group": "query_user",
      "catalog": "immuta",
      "allow": "read-only"
    },
    {
      "catalog": "postgres|redshift|mysql|oracle|system",
      "allow": "none"
    }
  ]
}

This rules file grants anyone with the super_admin role full access to both Immuta-managed and non-Immuta-managed catalogs. It also ensures IT has full access to Immuta-managed objects but no other catalogs, and it gives read-only access to Immuta-managed schemas and tables to query_user roles. This configuration prevents users from running DESCRIBE on Immuta views and avoids secret disclosures in masking policies. Finally, the rules file ensures that non-Immuta catalog access defaults to none for everyone except super_admin.

With Immuta integrated with Starburst Enterprise, you’re able to seamlessly create data access policies once and enforce them across all data, so the right people are able to access the right data at the right time.

Ready to start building a data product with Starburst and Immuta? Check out this exclusive video featuring Starburst’s Director of Engineering, Colleen Tartow, and Head of Data Products, Vishal Singh to learn more.

Ready to try it out yourself? Use the documentation for the Immuta integration with Starburst Enterprise for all the details.

Alex Breshears is a Product Manager at Starburst.