Accessing Kinesis with Data Access Server
Datastream-Level Access Control
Create Datastream Query

1. Go to the terminal and execute the following command to create a new datastream, SalesDataStream:

       aws kinesis create-stream --stream-name SalesDataStream --shard-count 1 --region us-east-1

   Options:
   --stream-name : datastream name

   It will show the result: An error occurred (403). This indicates that the current user doesn't have permission to perform this operation.

2. Check the audit for the above command in Privacera Access Manager using the steps below:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Audit.
   - The Audit page is displayed with the Ranger audit details.

3. Now, create a Ranger policy to allow the user the CreateStream permission on SalesDataStream:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Resource Policies.
   - On the Resource Policies page, go to privacera_kinesis and click Add New Policy to create a policy for Kinesis.
   - Enter the following details:
     - Policy Name: SalesDataStreamPolicy
     - kinesis_datastream: SalesDataStream (the Kinesis datastream you want to allow the user to create).
     - Under Allow Conditions, click the '+' icon and select the following:
       - User: the username of the user to which you want to allow access.
       - Add Permission: CreateStream

4. Now, run the query from Step 1.
   Result: The user will be able to create the data stream.
List Datastream Query

1. Go to the terminal and execute the following command to list datastreams:

       aws kinesis list-streams --region us-east-1

   It will show the result: An error occurred (403). This indicates that the current user doesn't have permission to perform this operation.

2. Check the audit for the above command in Privacera Access Manager using the steps below:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Audit.
   - The Audit page is displayed with the Ranger audit details.

3. Now, create a Ranger policy to allow the user the ListStreams permission:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Resource Policies.
   - On the Resource Policies page, go to privacera_kinesis and click Add New Policy to create a policy for Kinesis.
   - Enter the following details:
     - Policy Name: ListStreamsPolicy
     - kinesis_datastream: * (ListStreams is not scoped to a single stream, so the resource is the wildcard).
     - Under Allow Conditions, click the '+' icon and select the following:
       - User: the username of the user to which you want to allow access.
       - Add Permission: ListStreams

4. Now, run the query from Step 1.
   Result: The user will be able to view the data streams (SalesDataStream).
Describe Datastream Query

1. Go to the terminal and execute the following commands to describe the datastream:

       aws kinesis describe-stream --stream-name SalesDataStream --region us-east-1
       aws kinesis describe-stream-summary --stream-name SalesDataStream --region us-east-1

   It will show the result: An error occurred (403). This indicates that the current user doesn't have permission to perform this operation.

2. Check the audit for the above commands in Privacera Access Manager using the steps below:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Audit.
   - The Audit page is displayed with the Ranger audit details.

3. Now, create a Ranger policy to allow the user the DescribeStream and DescribeStreamSummary permissions:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Resource Policies.
   - On the Resource Policies page, go to privacera_kinesis and click Add New Policy to create a policy for Kinesis.
   - Enter the following details:
     - Policy Name: SalesDataStreamPolicy
     - kinesis_datastream: SalesDataStream (the Kinesis datastream you want to allow the user to describe).
     - Under Allow Conditions, click the '+' icon and select the following:
       - User: the username of the user to which you want to allow access.
       - Add Permission: DescribeStream, DescribeStreamSummary

4. Now, run the queries from Step 1.
   Result: The user will be able to view the SalesDataStream details.
PutRecord Datastream Query

1. Go to the terminal and execute the following command to put a record into the datastream SalesDataStream:

       aws kinesis put-record --stream-name SalesDataStream --data testdata --partition-key pkey --region us-east-1

   It will show the result: An error occurred (403). This indicates that the current user doesn't have permission to perform this operation.

2. Check the audit for the above command in Privacera Access Manager using the steps below:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Audit.
   - The Audit page is displayed with the Ranger audit details.

3. Now, create a Ranger policy to allow the user the PutRecord permission:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Resource Policies.
   - On the Resource Policies page, go to privacera_kinesis and click Add New Policy to create a policy for Kinesis.
   - Enter the following details:
     - kinesis_datastream: SalesDataStream (the Kinesis datastream into which you want to allow the user to put records).
     - Under Allow Conditions, click the '+' icon and select the following:
       - User: the username of the user to which you want to allow access.
       - Add Permission: PutRecord

4. Now, run the query from Step 1.
   Result: The user will be able to put records into the data stream SalesDataStream.
GetRecord Datastream Query

1. Go to the terminal and execute the following command to start reading records from the datastream SalesDataStream by listing its shards:

       aws kinesis list-shards --stream-name SalesDataStream --region us-east-1

   It will show the result: An error occurred (403). This indicates that the current user doesn't have permission to perform this operation.

2. Check the audit for the above command in Privacera Access Manager using the steps below:
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Audit.
   - The Audit page is displayed with the Ranger audit details.

3. Now, create a Ranger policy to allow the user the permissions needed to get records (GetRecords, GetShardIterator and ListShards):
   - On the Privacera Portal home page, from the left menu, expand Access Management and click Resource Policies.
   - On the Resource Policies page, go to privacera_kinesis and click Add New Policy to create a policy for Kinesis.
   - Enter the following details:
     - kinesis_datastream: SalesDataStream (the Kinesis datastream from which you want to allow the user to get records).
     - Under Allow Conditions, click the '+' icon and select the following:
       - User: the username of the user to which you want to allow access.
       - Add Permission: GetRecords, GetShardIterator, ListShards

4. Now, run the query from Step 1.

5. Copy the Shard ID from the output of the above command and use it to request a shard iterator:

       aws kinesis get-shard-iterator --stream-name SalesDataStream --shard-id <shard_id> --shard-iterator-type TRIM_HORIZON --region us-east-1

6. Copy the Shard Iterator from the output of the above command and use it to read the records:

       aws kinesis get-records --shard-iterator <shard_iterator> --region us-east-1

7. Copy the Data value from the output of the above command. It is Base64-encoded, so decode it with the following command:

       echo <data> | base64 --decode

   Result: The user will be able to get records from the data stream SalesDataStream.
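The following Python is an added example, not Privacera's or Apache Ranger's code: it models the privacera_kinesis policies built in the sections above (one policy scoped to SalesDataStream, one with the `*` wildcard for ListStreams) and shows the deny-by-default behaviour behind the 403 seen before each policy exists. The user name `analyst`, the CLI-to-permission table and the simplified matching rules (user in Allow Conditions, permission listed, resource equal to the stream name or a wildcard) are assumptions made for this example.

```python
# Added example (not Privacera/Ranger code): toy evaluator for the Ranger
# privacera_kinesis policies built on this page. Matching rules are a
# simplifying assumption, not the real plugin's algorithm.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    kinesis_datastream: str   # resource: stream name, or "*" for every stream
    users: frozenset          # Allow Conditions -> User
    permissions: frozenset    # Allow Conditions -> Add Permission


# AWS CLI subcommand used on this page -> permission the policy must grant.
CLI_TO_PERMISSION = {
    "create-stream": "CreateStream", "list-streams": "ListStreams",
    "describe-stream": "DescribeStream",
    "describe-stream-summary": "DescribeStreamSummary",
    "put-record": "PutRecord", "list-shards": "ListShards",
    "get-shard-iterator": "GetShardIterator", "get-records": "GetRecords",
}


def authorize(policies, user, stream, permission) -> Optional[str]:
    """Deny by default (the 403 seen on the page); return the name of the
    first policy whose user, permission and resource all match."""
    for p in policies:
        if (user in p.users and permission in p.permissions
                and fnmatchcase(stream, p.kinesis_datastream)):
            return p.name
    return None


def check_cli(policies, user, subcommand, stream="*") -> Optional[str]:
    """Authorize an `aws kinesis <subcommand>` call. list-streams names no
    stream, so it is evaluated against the wildcard resource only."""
    return authorize(policies, user, stream, CLI_TO_PERMISSION[subcommand])


# Constructed sample: the two policies this page creates, for user "analyst".
POLICIES = [
    Policy("SalesDataStreamPolicy", "SalesDataStream", frozenset({"analyst"}),
           frozenset({"CreateStream", "DescribeStream", "DescribeStreamSummary",
                      "PutRecord", "GetRecords", "GetShardIterator", "ListShards"})),
    Policy("ListStreamsPolicy", "*", frozenset({"analyst"}), frozenset({"ListStreams"})),
]
```

With an empty policy list every call is denied, matching the 403 at the start of each section; a policy scoped to SalesDataStream grants nothing on other streams and does not grant ListStreams, which is why the page creates a separate wildcard policy for it.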