Database auth tokens in Pivot

An Imply Pivot data cube provides a view of a subset of an Apache Druid table. You can control the access your Pivot users have to Druid data by configuring data cubes to use specific Druid tables, rows, and columns and enabling user access to those data cubes.

However, if your Pivot users can create or edit data cubes (ManageDataCubes and AdministerDataCubes permissions) or query data in the SQL console (AccessQueries and AdministerQueries permissions), they can effectively bypass the controls you set on data cubes.

If you don't want users with any of the above permissions to have unrestricted access to all of your data, you must:

  1. Configure access control in Druid.
  2. Set up a database auth token on a Pivot role.
  3. Assign your Pivot users to the role.

This topic describes how to set up a database auth token on a Pivot role.

Prerequisites

Before you can set up a database auth token on a Pivot role, you must perform the following tasks in Druid:

  1. Load and configure the Basic Security Druid extension.
  2. Create an Authenticator user and a corresponding Authorizer user in Druid.
    Save the Authorizer user login credentials. You'll need them to create a database auth token.
  3. Create an authorizer role, set up role permissions with access to the required Druid data, and assign your Authorizer user to the role.

For a step-by-step guide to the above process, see Setting up basic auth users and permissions in Druid.
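
Steps 2 and 3 above can be scripted against the Basic Security extension's Coordinator API. The following is an added example, not part of the original documentation: the authenticator and authorizer names are assumptions that must match your Druid runtime properties, and the user, role, and datasource names are constructed.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import quote

BASE = "/druid-ext/basic-security"

def _q(s):
    return quote(s, safe="")  # keep '/' and friends out of the URL path

def druid_setup_plan(user, password, role, datasources,
                     authenticator="MyBasicMetadataAuthenticator",  # assumed name
                     authorizer="MyBasicMetadataAuthorizer"):       # assumed name
    """Ordered (method, path, json_body) Coordinator calls for prerequisite steps 2-3."""
    authn = f"{BASE}/authentication/db/{_q(authenticator)}/users/{_q(user)}"
    authz = f"{BASE}/authorization/db/{_q(authorizer)}"
    # Druid matches a permission's resource name as a regex, so escape each
    # datasource name to grant READ on exactly that datasource and no others.
    perms = [{"resource": {"name": re.escape(ds), "type": "DATASOURCE"},
              "action": "READ"} for ds in datasources]
    return [
        ("POST", authn, None),                                   # Authenticator user
        ("POST", f"{authn}/credentials", {"password": password}),
        ("POST", f"{authz}/users/{_q(user)}", None),             # Authorizer user
        ("POST", f"{authz}/roles/{_q(role)}", None),             # Authorizer role
        ("POST", f"{authz}/roles/{_q(role)}/permissions", perms),
        ("POST", f"{authz}/users/{_q(user)}/roles/{_q(role)}", None),
    ]

def apply(plan, coordinator_url, admin_user, admin_password):
    """Send the plan to the Coordinator as an existing Druid admin (HTTP basic auth)."""
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}", "Content-Type": "application/json"}
    for method, path, body in plan:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(coordinator_url + path, data=data,
                                     method=method, headers=headers)
        urllib.request.urlopen(req).close()  # raises HTTPError on a non-2xx reply

if __name__ == "__main__":
    # Constructed sample values; nothing is sent, only the call order is printed.
    for method, path, body in druid_setup_plan(
            "pivot_sales", "placeholder-password", "sales_read", ["sales.eu", "wiki_edits"]):
        print(method, path, "(with JSON body)" if body is not None else "")
```

The datasources passed to `druid_setup_plan` are the ones to select later in the Pivot auth token for this Druid user.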

Create a database auth token

To create a database auth token:

  1. Access Imply Pivot and go to Settings > User Roles.

  2. Create a new role or click the Name of an existing role. See Manage roles and permissions for a description of all properties.

  3. Click Configure auth token.

  4. Enter the Username and Password of your Druid user.

  5. Select one or more Datasources or set a Priority:

    Datasources: Select the datasources that correspond to the Druid resources you assigned to the Druid user. This tells Pivot to use the Druid credentials in the Username and Password fields when connecting to these datasources.

    Priority: If you don't select any datasources, you can enter a priority number. When a Pivot user is a member of multiple roles containing multiple Druid credentials, Pivot uses the priority to determine which credentials to use to connect to Druid. You can set your own range of priorities. A higher number indicates a higher priority. For example, Pivot evaluates an auth token with priority 10 before a token with priority 8.

You can now assign this role to Pivot users to restrict their access to the Druid data accessible to the corresponding Druid user.

If you want a Druid user to be able to access more than one datasource in a single Pivot query, you must create a single database auth token with all required datasources checked.