Configure Reporting in Cp4D v4.5 using Vault connection
How do I restrict users to generate reports using personal platform connection?
In previous post, we learnt the capability of reporting on governance data in Watson Knowledge Catalog [WKC] and the need of reporting in data governance. We also learnt how to create shared connection using db2 cloud instance and establish reporting on external db2 data mart.
In this post, we will learn about the new capabilities introduced in reporting to make it secure. We will see how reporting service added support for Vault secrets to restrict users from accessing the data mart used to generate reports.
Also, we will show how to create Vaulted connection using PostgresSQL on IBM Cloud Pak For Data. Vaulted connection are supported only on IBM Cloud Pak For Data.
Configuring reporting with Vaulted connection using PostgreSQL
- Provision a Database instance
Reporting service supports Db2 and PostgreSQL instance for data mart. There are separate blogs for provisioning database instance for data mart.
Read following blog to get information about creating database instance:
In this blog, we will create PostgreSQL instance platform connection using vault secrets.
- Create Vault secret for Vaulted connection
What is Vault ?
Reporting service needs access to the data mart for reading and writing the governance data into database. For this, user need to create a platform connection. This platform connection requires the user to input the database credentials. These credentials can be stored in a more secure and encrypted form. This is where a Vault comes in. A Vault is a secure repository for all sensitive information. User can store credentials in a Vault in the form of secrets.
We will show you how you can create a vault secret and use that secret to create a connection. As a prerequisite, the administrator should enable vaults interface so that users can add secrets to the Internal Vault. Here is documentation to manage vaults.
Steps to create a secret:
- In Cloud Pak For Data dashboard, open the left-side navigation panel and select the Configurations tab.
2. You will see a Vaults and secrets tab on the page, select the Secrets tab on it, and click on Add secret button.
3. Fill in details for your secret.
Name: Give a name to your secret, this will be used when referencing the secret from add connections tab later.
Vault: Select the INTERNAL_VAULT which will be used to store the secret, one can select other vaults if they want to use secrets from the external vault.
Secret Type: Select Username and Password.
Username: Type in the username for the database.
Password: Type in the password for the database.
Now click on Add Secret button to save it.
- Create Platform Connection using Vault Secret
Nevigate to the Platform Connections tab on the navigation panel of Cloud Pak for Data dashboard and click on New Connection. On the next page select the type of Database. We select PostgreSQL in this case.
Click on Select and add connection details. After adding database name, host and port, select credentials section in the left pane.
In the input method select Use secrets from a vault. This means we will be using the credentials from the vault secrets. (Note that the Credential should be set to personal while creating a connection).
Under Username select the secret which contains the credentials. Under Value select the Username Key.
Under Password select the secret which contains the credentials. Under Value select the Password Key.
Test and save the connection. This platform connection with Vault secret can now be used for reporting.
- Configure WKC to write governance data into secured data mart
From IBM Cloud Pak For Data dashboard, access the Catalogs page followed by Reports Setup tab.
Below image shows the entry point on IBM Cloud Pak For Data home page and Reports setup page.
Read same section Configure WKC to write data into Data Mart in previous post to establish reporting into data mart.
While selecting the connection to use for data mart, select vaulted connection that we have created above.
In this way, user can establish reporting with vaulted platform connection. User can add collaborators to his vaulted platform connection if he/she wants to give access to others.
Conclusion
In this post we learnt about new capabilities of reporting service introduced in Cloud Pak for Data 4.5. We have learnt to create vaulted platform connection by which we can secure the data mart used for generating the reports. And restrict users who can generate reports on data mart.