Security overview

After the initial installation of your cluster, security is the next major concern for successfully operating Starburst Enterprise platform (SEP). This overview provides an introduction to different aspects of configuring security for your SEP cluster.

Aspects of configuring security

The default installation of SEP has no security features enabled. Security can be enabled for different parts of the SEP architecture:

Suggested configuration workflow

To configure security for a new SEP cluster, follow these steps in the recommended order. Do not skip or combine steps.

  1. Enable TLS/HTTPS

    • Work with your security team.

    • Use a load balancer or proxy to terminate HTTPS, if possible.

    • Use a globally trusted TLS certificate.

    Verify this step is working correctly.

  2. Configure a shared secret

    Verify this step is working correctly.

  3. Enable authentication

    • Start with password file authentication to get up and running.

    • Then configure your preferred authentication provider, such as LDAP.

    • Avoid the complexity of Kerberos for client authentication, if possible.

    Verify this step is working correctly.

  4. Enable authorization and access control

    • Start with file-based rules.

    • Then configure another access control method as required.

    Verify this step is working correctly.

Configure one step at a time. Always restart the SEP server after each change, and verify the results before proceeding.
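A check for the workflow order above, added here as an example and not part of Starburst's own tooling: it reads the text of `config.properties` and `access-control.properties` and reports the first step that is not yet configured. The property names are assumptions taken from the Trino documentation (SEP is built on Trino); confirm them against your SEP version.

```python
# Added example: find the first incomplete step of the suggested workflow.
# Property names are assumed from Trino; sample values below are constructed.

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank lines and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def first_missing_step(config_text, access_control_text=""):
    """Return (step_number, reason) for the first incomplete step, else None."""
    cfg = parse_properties(config_text)
    acl = parse_properties(access_control_text)

    # Step 1: TLS on the coordinator, or terminated at a load balancer/proxy.
    direct = cfg.get("http-server.https.enabled", "false").lower() == "true"
    proxied = cfg.get("http-server.process-forwarded", "false").lower() == "true"
    if not (direct or proxied):
        return 1, "TLS/HTTPS is not enabled directly or through a proxy"
    # Step 2: shared secret for internal communication.
    if not cfg.get("internal-communication.shared-secret"):
        return 2, "no shared secret is configured"
    # Step 3: an authentication type such as PASSWORD.
    if not cfg.get("http-server.authentication.type"):
        return 3, "no authentication type is configured"
    # Step 4: anything other than the allow-everything defaults.
    if acl.get("access-control.name", "default") in ("default", "allow-all"):
        return 4, "access control still allows all operations"
    return None


SAMPLE_CONFIG = """\
coordinator=true
http-server.process-forwarded=true
internal-communication.shared-secret=<placeholder-secret>
http-server.authentication.type=PASSWORD
"""
SAMPLE_ACL = "access-control.name=file\nsecurity.config-file=etc/rules.json\n"

if __name__ == "__main__":
    print(first_missing_step(SAMPLE_CONFIG))              # step 4 still open
    print(first_missing_step(SAMPLE_CONFIG, SAMPLE_ACL))  # all steps configured
```

Running it after each restart gives a quick view of which step the cluster has reached, alongside the functional verification each step calls for.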

Securing client access to the cluster

SEP clients include the query editor in the Starburst Enterprise web UI, the CLI, the JDBC driver, community-provided clients such as Python, Go, or other clients, and any applications using these tools.

SEP includes support for the additional clients shown in Clients.

All access to the SEP cluster is managed by the coordinator. Thus, securing access to the cluster means securing access to the coordinator.

There are three aspects to consider:

Encryption

The SEP server uses the standard HTTPS protocol and TLS encryption, formerly known as SSL.

Authentication

SEP supports several authentication providers. When setting up a new cluster, start with simple password file authentication before configuring another provider.

User name management

SEP provides ways to map the user and group names from authentication providers to SEP user names.

  • User mapping applies to all authentication systems, and allows for JSON files to specify rules to map complex user names from other systems (alice@example.com) to simple user names (alice).

  • File group provider provides a way to assign a set of user names to a group name to ease access control.

  • LDAP group provider provides a way to map user names to groups using LDAP configuration.

  • SCIM user synchronization imports users and groups into SEP from an external service using SCIM protocols.
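How a user mapping file turns names such as alice@example.com into alice, as an added example that is not Starburst's code. It assumes the JSON rule layout Trino documents for user mapping (`pattern`, `user`, `allow`, `case`; first matching rule wins; no match means access is denied) and approximates Java regular expressions with Python's `re`, handling only numeric `$N` group references. The rules and principals are constructed.

```python
import json
import re

# Constructed rules file in the layout assumed from the Trino documentation.
RULES = r"""
{"rules": [
  {"pattern": "admin@example\\.com", "allow": false},
  {"pattern": "(.+)@example\\.com"},
  {"pattern": "(.+)@(.+)\\.example\\.net", "user": "$1_$2", "case": "lower"}
]}
"""


def map_user(rules_json, principal):
    """Return the SEP user name for principal, or None if access is denied."""
    for rule in json.loads(rules_json)["rules"]:
        match = re.fullmatch(rule["pattern"], principal)  # whole name must match
        if match is None:
            continue
        if not rule.get("allow", True):
            return None  # explicit deny rule
        # Expand Java-style $N references; the default replacement is $1.
        user = re.sub(r"\$(\d+)", lambda ref: match.group(int(ref.group(1))),
                      rule.get("user", "$1"))
        case = rule.get("case", "keep")
        return {"lower": user.lower(), "upper": user.upper()}.get(case, user)
    return None  # no rule matched


def collisions(rules_json, principals):
    """Group principals that map to the same SEP user name, for review."""
    by_user = {}
    for principal in principals:
        user = map_user(rules_json, principal)
        if user is not None:
            by_user.setdefault(user, []).append(principal)
    return {user: names for user, names in by_user.items() if len(names) > 1}


if __name__ == "__main__":
    for name in ("alice@example.com", "admin@example.com", "Bob@EU.example.net"):
        print(name, "->", map_user(RULES, name))
```

Because access control rules are written against the mapped names, `collisions` is worth running over a directory export before a mapping file goes live.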

Authorization and access control

Starburst Enterprise and the included enhanced connectors allow you to control access to the data queried by SEP in configured data sources.

SEP’s default method of access control allows all operations for all authenticated users.

To implement access control:

In addition, SEP provides an API that allows you to create a custom access control method, or to extend an existing one.

Access control can limit access to columns of a table. By default, an unqualified query for all columns with a SELECT * statement is denied access to all inaccessible columns.

You can change this behavior to silently hide inaccessible columns with the global property hide-inaccessible-columns configured in Config properties:

hide-inaccessible-columns = true

All access control tools require access to several schemas in the system catalog in order for all users to retrieve the list of available catalogs. This is handled for you when the built-in access control system is enabled. Users of third-party access control systems such as Apache Ranger and Immuta, and connector-level access control methods, must create a policy that includes system.metadata, system.jdbc, and system.runtime. Access to the system.jdbc schema is granted automatically.

Content security policy (CSP)

All HTTP responses include the Content-Security-Policy header. Use the http-server.content-security-policy property to configure the header value and customize security policies. Set the property to an empty string to exclude the header from HTTP responses.

Connector-level access control

SEP includes a number of additional authorization methods that provide a greater level of access control. The SEP connectors overview includes information on which connectors support each feature.

  • User impersonation, where you can configure a single service user account with actual access to data sources, yet still have authenticated user accounts access the same data sources with their own credentials.

  • Password credential pass-through, where the user credentials and access rights specified by an authentication provider such as LDAP are passed transparently to data sources.

  • Kerberos credential pass-through, where Kerberos-defined user credentials are passed through to data sources.

Role-based access control

SEP supports fine-grained access control policies:

Securing inside the cluster

You can secure the internal communication between the coordinator and workers inside the cluster.

Secrets in properties files, such as passwords in catalog files, can be secured with secrets management.

Securing cluster access to data sources

Communication between the SEP cluster and data sources is configured for each catalog. Each catalog uses a connector, which supports a variety of security-related configurations. More information is available with the documentation for individual connectors.

Secrets management can be used for the catalog properties files content.

The list of connector features on the connectors overview provides more details.

Auditing security

SEP provides two security auditing features: