Skip to content

Accessing Kinesis with Data Access Server

Datastream-Level Access Control

Create Datastream Query#

  1. Go to terminal and execute following command to create new datastream SalesDataStream.

    aws kinesis create-stream --stream-name SalesDataStream --shard-count 1 --region us-east-1
    
    • options

      –stream-name : datastream name

    It will show following result An error occurred (403).

  2. This indicates that the current user doesn’t have permissions to perform this operation.

  3. Check audit for the above executed command in Privacera Access Manager using the below steps:

    • On the Privacera Portal home page, expand Access Management and click the Audit from the left menu.

    • The Audit page will be displayed with Ranger Audit details.

  4. Now, you need to create Ranger policy to allow the user to have CreateStream permission on SalesDataStream.

    • On the Privacera Portal home page, expand Access Management and click the Resource Policies from the left menu.

    • On the Resource Policies page, go to privacera_kinesis and then click Add New Policy to create policy for Kinesis.

    • Enter the following details as:

      • Policy Name: SalesDataStreamPolicy

      • kinesis_datastream: SalesDataStream (Kinesis Datastream which you want to allow the user to create).

      • Under Allow Conditions, click '+' icon and select the below:

        • User: User’s username to which you want to allow access.

        • Add Permission as: CreateStream

  5. Now, run the 'Step 1' query.

    Result: User will be able to create Data Stream.

List Datastream Query#

  1. Go to terminal and execute following command to list datastreams

    aws kinesis list-streams --region us-east-1
    

    It will show result An error occurred (403).

  2. This indicates that the current user doesn’t have permission to perform this operation.

  3. Check audit for the above executed command in Privacera Access Manager using the below steps:

    • On the Privacera Portal home page, expand Access Management and click the Audit from the left menu.

    • The Audit page will be displayed with Ranger Audit details.

  4. Now, you need to create Ranger policy to allow the user to have ListStreams permission.

    • On the Privacera Portal home page, expand Access Management and click the Resource Policies from the left menu.

    • On the Resource Policies page, go to privacera_kinesis and then click Add New Policy to create policy for Kinesis.

    • Enter the following details as:

      • Policy Name: ListStreamsPolicy

      • kinesis_datastream: *

      • Under Allow Conditions, click '+' icon and select the below:

        • User: User’s username to which you want to allow access.

        • Add Permission as: ListStreams

  5. Now, run the 'Step 1' query.

    Result: User will be able to view Data Streams - SalesDataStream

Describe Datastream Query#

  1. Go to terminal and execute the following command to describe datastream.

    aws kinesis describe-stream --stream-name SalesDataStream --region us-east-1
    
    aws kinesis describe-stream-summary --stream-name SalesDataStream --region us-east-1
    

    It will show the following result An error occurred (403).

  2. This indicates that the current user doesn’t have permission to perform this operation.

  3. Check audit for the above executed command in Privacera Access Manager using the below steps:

    • On the Privacera Portal home page, expand Access Management and click the Audit from the left menu.

    • The Audit page will be displayed with Ranger Audit details.

  4. Now, you need to create Ranger policy to allow the user to have DescribeStream and DescribeStreamSummary permissions.

  5. On the Privacera Portal home page, expand Access Management and click the Resource Policies from the left menu.

  6. On the Resource Policies page, go to privacera_kinesis and then click Add New Policy to create policy for Kinesis.

  7. Enter the following details as:

    • Policy Name: SalesDataStreamPolicy

    • kinesis_datastream: SalesDataStream (Kinesis Datastream which you want to allow the user to describe).

    • Under Allow Conditions, click '+' icon and select the below:

      • User: User’s username to which you want to allow access.

      • Add Permission as: DescribeStream, DescribeStreamSummary

  8. Now, run the 'Step 1' query.

    Result: User will be able to view SalesDataStream details.

PutRecord Datastream Query#

  1. Go to terminal and execute the following command to putRecord into datastream SalesDataStream.

    aws kinesis put-record --stream-name SalesDataStream --data testdata --partition-key pkey --region us-east-1
    

    It will show the following result An error occurred (403).

  2. This indicates that the current user doesn’t have permission to perform this operation.

  3. Check audit for the above executed command in Privacera Access Manager using the below steps:

    • On the Privacera Portal home page, expand Access Management and click the Audit from the left menu.

    • The Audit page will be displayed with Ranger Audit details.

  4. Now, you need to create Ranger policy to allow the user to have PutRecord permission.

    • On the Privacera Portal home page, expand Access Management and click the Resource Policies from the left menu.

    • On the Resource Policies page, go to privacera_kinesis and then click Add New Policy to create policy for Kinesis.

    • Enter the following details as:

      • kinesis_datastream: SalesDataStream (Kinesis Datastream which you want to allow the user to putRecord).

      • Under Allow Conditions, click '+' icon and select the below:

        • User: User’s username to which you want to allow access.

        • Add Permission as: PutRecord

  5. Now, run the 'Step 1' query.

    Result: User will be able to putRecord into Data Streams - SalesDataStream.

GetRecord Datastream Query#

  1. Go to terminal and execute the following command to getRecord into datastream SalesDataStream.

    aws kinesis list-shards --stream-name SalesDataStream --region us-east-1
    

    It will show the following result An error occurred (403).

  2. This indicates that the current user doesn’t have permission to perform this operation.

  3. Check audit for the above executed command in Privacera Access Manager using the below steps:

    • On the Privacera Portal home page, expand Access Management and click the Audit from the left menu.

    • The Audit page will be displayed with Ranger Audit details.

  4. Now, you need to create Ranger policy to allow the user to have GetRecord permission.

    • On the Privacera Portal home page, expand Access Management and click the Resource Policies from the left menu.

    • On the Resource Policies page, go to privacera_kinesis and then click Add New Policy to create policy for Kinesis.

    • Enter the following details as:

      • kinesis_datastream: SalesDataStream (Kinesis Datastream which you want to allow the user to GetRecord).

      • Under Allow Conditions, click '+' icon and select the below:

        • User: User’s username to which you want to allow access.

        • Add Permission as: GetRecords, GetShardIterator, ListShards

  5. Now, run the 'Step 1' query.

  6. Copy Shard id from above command output.

    aws kinesis get-shard-iterator --stream-name SalesDataStream --shard-id <shard\_Id> --shard-iterator-type TRIM\_HORIZON --region us-east-1
    
  7. Copy Shard Iterator from above command output.

    aws kinesis get-records --shard-iterator <shard\_iterator> --region us-east-1
    
  8. Copy Data from the above command output.

    You received the Base64 decoded Data, Copy Data, and use it in the below command.

    echo <data> | base64 --decode
    

    Result: User will be able to getRecord into Data Streams - SalesDataStream.


Last update: July 23, 2021