Data Governance
Policy management, data classification, masking, access control, and compliance auditing.
Production
Overview
The Governance Service provides a comprehensive data governance framework covering policy lifecycle management, data classification, attribute-based access control (ABAC), row-level security (RLS), data masking, and query audit logging. It enforces data governance across all data plane services.
Architecture
                     +----------------------------------+
                     |        Governance Service        |
                     |            Port: 8080            |
                     +----------------+-----------------+
                                      |
      +---------------+---------------+---------------+---------------+
      |               |               |               |               |
+-----v------+  +-----v------+  +-----v------+  +-----v------+  +-----v------+
| Governance |  |    ABAC    |  |    RLS     |  |   Query    |  |  Classif   |
| Controller |  |    Ctrl    |  |    Ctrl    |  |   Audit    |  |    Ctrl    |
+-----+------+  +-----+------+  +-----+------+  +-----+------+  +-----+------+
      |               |               |               |               |
+-----v------+  +-----v------+  +-----v------+  +-----v------+  +-----v------+
|   Policy   |  |    ABAC    |  |    RLS     |  |   Audit    |  |  Classif   |
|  Service   |  |  Service   |  |    Svc     |  |  Service   |  |  Service   |
+-----+------+  +-----+------+  +-----+------+  +-----+------+  +-----+------+
      |               |               |               |               |
+-----v------+  +-----v------+  +-----v------+  +-----v------+  +-----v------+
|  Masking   |  |    OPA     |  |   Audit    |  |   Query    |  |    Auto    |
|  Service   |  |   Integr   |  |  Log Repo  |  | Audit Repo |  |  Classify  |
+------------+  +------------+  +------------+  +------------+  +------------+
Service Components
| Controller | Base Path | Purpose |
|---|---|---|
| GovernanceController | /api/v1/governance | Policies, classification, masking |
| AbacController | /api/v1/abac | Attribute-based access control |
| RlsController | /api/v1/tenants/:tenantId/rls | Row-level security |
| QueryAuditController | /v1/audit | Query execution audit logging |
| ClassificationController | /v1/classification | Table-level data classification |
Section Contents
| Page | Description |
|---|---|
| Policies | Policy lifecycle management (create, submit, approve, activate, suspend, clone) |
| Data Classification | Classify data by sensitivity level and category |
| Data Masking | Mask, tokenize, and detokenize sensitive data |
| ABAC | Attribute-based access control with OPA integration |
| Row-Level Security | RLS policy management and WHERE clause injection |
| Query Audit | Query execution audit logging and compliance |
| Sensitive Data | PII, PHI, PCI discovery and management |
| Compliance | Compliance reporting and regulatory support |
| API Reference | Complete endpoint reference for all governance APIs |
Key Design Principles
- Policy-as-Code -- All governance rules are defined as structured policies with version control and approval workflows
- Multi-tenancy -- Complete tenant isolation with `X-Tenant-ID` header on all requests
- Defense in Depth -- Layered security: ABAC for access decisions, RLS for data filtering, masking for data protection
- Audit Everything -- Every data access is logged with full context for compliance review
- OPA Integration -- ABAC policies can be exported as Rego for OPA-based enforcement at the query engine level
Source Reference
| Component | File |
|---|---|
| Governance controller | GovernanceController.java |
| ABAC controller | AbacController.java |
| RLS controller | RlsController.java |
| Query audit controller | QueryAuditController.java |
| Classification controller | ClassificationController.java |
| Policy service | PolicyService.java |
| Classification service | ClassificationService.java |
| Data masking service | DataMaskingService.java |
| ABAC service | AbacService.java |
| OPA integration | OpaIntegrationService.java |
| RLS service | RlsService.java |
| Query audit service | QueryAuditService.java |