Redshift Spectrum
Allow Immuta to create secure views of your external tables through one of these methods:
- Configure the integration with an existing database that contains the external tables: Instead of creating an immuta database that manages all schemas and views created when Redshift data is registered in Immuta, the integration adds the Immuta-managed schemas and views to an existing database in Redshift.
- Configure the integration by creating a new immuta database and re-create all of your external tables in that database.
For an overview of the integration, see the Redshift overview documentation.
Requirements
- A Redshift cluster with an AWS row-level security patch applied. Contact Immuta for guidance.
- An AWS IAM role for Redshift that is associated with your Redshift cluster.
- The enable_case_sensitive_identifier parameter must be set to false (default setting) for your Redshift cluster.
- The Redshift role used to run the Immuta bootstrap script must have the following privileges when configuring the integration to
  - Use an existing database:
    - ALL PRIVILEGES ON DATABASE for the database you configure the integration with, as you must manage grants on that database.
    - CREATE USER
    - GRANT TEMP ON DATABASE
  - Create a new database:
    - CREATE DATABASE
    - CREATE USER
    - GRANT TEMP ON DATABASE
    - REVOKE ALL PRIVILEGES ON DATABASE
- A Redshift database that contains an external schema and external tables.
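A pre-flight check for the requirements above, to run as the role that will execute the bootstrap script. This is an added example, not part of Immuta's bootstrap scripts; the database name analytics_db is a placeholder, and reading the usesuper and usecreatedb attributes as the indicators for CREATE USER and CREATE DATABASE is an assumption about how the role was provisioned.

```sql
-- Pre-flight checks for the Redshift Spectrum integration requirements.
-- Added example: 'analytics_db' is a placeholder for the database you
-- will configure the integration with.

-- 1. Must return false (the default setting).
SHOW enable_case_sensitive_identifier;

-- 2. Attributes of the role running the bootstrap script.
--    Assumption: CREATE USER / CREATE DATABASE were given as user attributes.
--    In Redshift the CREATEUSER attribute makes the account a superuser,
--    so keep this role dedicated to the bootstrap and review it afterwards.
SELECT usename, usesuper, usecreatedb
FROM pg_user
WHERE usename = current_user;

-- 3. Who owns the target database. Managing grants on it (including
--    TEMP for other users) requires ownership or superuser.
SELECT datname, pg_get_userbyid(datdba) AS owner
FROM pg_database
WHERE datname = 'analytics_db';

-- 4. Database-level privileges the current role holds on the target.
--    This reports privileges held, not the ability to grant them.
SELECT has_database_privilege(current_user, 'analytics_db', 'CREATE') AS can_create,
       has_database_privilege(current_user, 'analytics_db', 'TEMP')   AS can_temp;

-- 5. Confirm the connected database has an external schema and
--    external tables (databasename is the external catalog database).
SELECT schemaname, databasename
FROM svv_external_schemas;

SELECT schemaname, tablename, location
FROM svv_external_tables
ORDER BY schemaname, tablename;
```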
Use an existing database
- Click the App Settings icon in the left sidebar.
- Click Native Integrations in the left panel.
- Click the +Add Native Integration button and select Redshift from the dropdown menu.
- Complete the Host and Port fields.
- Enter the name of the database you created the external schema in as the Immuta Database. This database will store all secure schemas and Immuta-created views.
- Opt to check the Enable Impersonation box and customize the Impersonation Role name as needed. This will allow users to natively impersonate another user.
- Select Manual and download both of the bootstrap scripts from the Setup section. The specified role used to run the bootstrap needs to have the following privileges:
  - ALL PRIVILEGES ON DATABASE for the database you configure the integration with, as you must manage grants on that database.
  - CREATE USER
  - GRANT TEMP ON DATABASE
- Run the bootstrap script (Immuta database) in the Redshift database that contains the external schema.
- Choose your authentication method, and enter the credentials from the bootstrap script for the Immuta_System_Account.
- Click Save.
Create a new Immuta database
- Click the App Settings icon in the left sidebar.
- Click Native Integrations in the left panel.
- Click the +Add Native Integration button and select Redshift from the dropdown menu.
- Complete the Host and Port fields.
- Enter an Immuta Database. This is a new database where all secure schemas and Immuta-created views will be stored.
- Opt to check the Enable Impersonation box and customize the Impersonation Role name as needed. This will allow users to natively impersonate another user.
- Select Manual and download both of the bootstrap scripts from the Setup section. The specified role used to run the bootstrap needs to have the following privileges:
  - ALL PRIVILEGES ON DATABASE for the database you configure the integration with, as you must manage grants on that database.
  - CREATE DATABASE
  - CREATE USER
  - GRANT TEMP ON DATABASE
- Run the bootstrap script (initial database) in the Redshift initial database.
- Run the bootstrap script (Immuta database) in the new Immuta Database in Redshift.
- Choose your authentication method, and enter the credentials from the bootstrap script for the Immuta_System_Account.
- Click Save.
Then, add your external tables to the Immuta database.