Database auth tokens in Pivot
An Imply Pivot data cube provides a view of a subset of an Apache Druid table. You can control the access your Pivot users have to Druid data by configuring data cubes to use specific Druid tables, rows, and columns and enabling user access to those data cubes.
However, if your Pivot users can create or edit data cubes (ManageDataCubes and AdministerDataCubes permissions) or query data in the SQL console (AccessQueries and AdministerQueries permissions), they can effectively bypass the controls you set on data cubes.
How auth tokens work
Imply assigns an auth token to each user role. A user's auth tokens come from the roles assigned to that user. A user with several roles therefore has several associated auth tokens.
Pivot uses a single auth token for each user when executing Druid queries on that user's behalf. This auth token is the database auth token. Pivot uses the auth token with the highest priority—a numeric property on the auth token JSON object named priority—for all requests originating from that user. This might not be the most appropriate auth token to use, and might provide the user with more access than Pivot needs to complete the request. Also, if a user has multiple auth tokens with the same priority, Pivot selects one of them at random.
The database auth tokens feature allows you to direct Pivot to use a particular auth token for selected roles, based on the datasources you select that are involved in query operations.
Note that Pivot can use an auth token with other (unselected) datasources if the token has sufficient priority and no other auth tokens are selected for those datasources.
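The following audit sketch is an added example, not Imply's code: it models the selection rules described above so you can find users whose effective Druid credentials come from priority rather than from an explicit datasource selection, or from a random pick between equal priorities. Only `priority` is a field name from this page; `druid_user`, `datasources`, the role names, and the sample data are constructed for illustration. It assumes that a token with selected datasources and no priority counts as priority 0, and that priority also decides between two tokens that select the same datasource.

```python
# Model of the selection rules described above; not Pivot's implementation.
# Constructed sample data. Only "priority" is a field name from the page;
# "druid_user" and "datasources" are hypothetical names for this sketch.
ROLE_TOKENS = {
    "analysts": {"druid_user": "ro_sales", "datasources": ["sales"], "priority": 0},
    "ops":      {"druid_user": "ro_ops", "datasources": [], "priority": 8},
    "admins":   {"druid_user": "druid_admin", "datasources": [], "priority": 10},
    "finance":  {"druid_user": "ro_fin", "datasources": [], "priority": 10},
}
USER_ROLES = {
    "alice": ["analysts", "admins"],
    "bob": ["ops", "analysts"],
    "carol": ["admins", "finance"],
}


def resolve(user, datasource):
    """Return (kind, druid_users) for the token used on one datasource."""
    tokens = [ROLE_TOKENS[r] for r in USER_ROLES.get(user, []) if r in ROLE_TOKENS]
    if not tokens:
        return ("no-token", [])
    # A token that selected this datasource is preferred for it.
    selected = [t for t in tokens if datasource in t["datasources"]]
    # Otherwise any of the user's tokens can be used, by priority.
    pool = selected or tokens
    top = max(t["priority"] for t in pool)
    winners = sorted(t["druid_user"] for t in pool if t["priority"] == top)
    if len(winners) > 1:
        return ("ambiguous-tie", winners)  # Pivot picks one at random
    return ("selected" if selected else "priority-fallback", winners)


def audit(datasources):
    """List every (user, datasource) pair not served by an explicit selection."""
    findings = []
    for user in sorted(USER_ROLES):
        for ds in datasources:
            kind, druid_users = resolve(user, ds)
            if kind != "selected":
                findings.append((user, ds, kind, druid_users))
    return findings


if __name__ == "__main__":
    for finding in audit(["sales", "payroll"]):
        print(finding)
```

A `priority-fallback` finding means the user reaches that datasource with whatever the highest-priority token allows in Druid; an `ambiguous-tie` finding means the effective credentials can differ between requests.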
Prerequisites
Before you can set up a database auth token on a Pivot role, you must perform the following tasks in Druid:
- Load and configure the Basic Security Druid extension.
- Create an Authenticator user and a corresponding Authorizer user in Druid. Save the Authorizer user login credentials; you'll need them to create a database auth token.
- Create an authorizer role, set up role permissions with access to the required Druid data, and assign your Authorizer user to the role.
For a step-by-step guide to the above process, see Setting up basic auth users and permissions in Druid.
Set up a database auth token on a role
To set up a database auth token on a Pivot role:
Access Imply Pivot and go to Settings > User Roles.
Create a new role or click the Name of an existing role. See Manage roles and permissions for a description of all properties.
Click Configure auth token.
Enter the Username and Password of your Druid user.
Select one or more Datasources or set a Priority:
- Datasources: Select the datasources that correspond to the Druid resources you assigned to the Druid user. This tells Pivot to use the Druid credentials in the Username and Password fields when connecting to these datasources.
- Priority: If you don't select any datasources, you can enter a priority number. Pivot uses the priority to determine which credentials to use to connect to Druid, if a Pivot user is a member of multiple roles containing multiple Druid credentials. You can set your own range of priorities. A higher number indicates a higher priority. For example, Pivot evaluates an auth token with priority 10 before a token with priority 8.
You can now assign this role to Pivot users to restrict their access to the Druid data accessible to the corresponding Druid user.
If you want a Druid user to be able to access more than one datasource in a single Pivot query, you must create a single database auth token with all required datasources checked.