Imply Manager security
This topic describes security settings applicable to Imply Manager when deployed on-premises in a Linux environment or in a Kubernetes environment, such as on Amazon Elastic Kubernetes Service (Amazon EKS).
For Imply Hybrid (formerly Imply Cloud) security, see Imply Hybrid security. Also see security information for Druid.
TLS
You can configure Imply Manager to automatically generate certificates for the agents and itself by providing a signing certificate and key. This allows for secure communication between Imply Manager and agents, between agents, and between users and the system. For metadata store connections, Imply validates certificates for connections to MySQL or PostgreSQL metadata stores by default.
For additional information specific to your target platform, see the topic that covers the platform. For example, for Imply Enterprise (formerly Imply Private) on Linux, see Enabling TLS.
Enabling TLS connectivity
To enable cluster TLS security, enter a key and certificate in the Password and TLS cert fields in the Advanced Config settings for a cluster. Note that the agent will get the certificate only to validate the generated certificates. See Generating a CA certificate and key for more information about certificates and keys.
Enabling, disabling, or updating your certificates will require a restart of any running clusters. You will be notified in Imply Manager that a certificate change has been detected and prompted to restart. You should plan the changes around maintenance windows as it will require an outage.
This ca.crt should be trusted/installed in browsers connecting to Imply Manager or Druid so that they can be validated and the https:// scheme used for all web requests.
TLS 1.0 and 1.1 are deprecated for use with any Imply user interface, including browser-based UIs, such as Pivot or Imply Manager, or APIs. If you use a supported browser to access Imply user interfaces, you should not be impacted by this change, since they use later protocols exclusively.
However, if you have tools or other types of client software that access Imply APIs, you should verify that they use TLS 1.2 or later.
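As an added example (not from the Imply documentation or product), the following Python script checks that an endpoint negotiates only TLS 1.2 or later: it attempts one handshake per protocol version and reports which versions the server accepts. Host, port and the CA bundle path are assumptions you supply; start_tls_server is a constructed local server included only so the probe can be exercised offline.

```python
"""Probe which TLS protocol versions an endpoint will negotiate.

Added example, not part of the Imply documentation or product. Point it at the
TLS port of an Imply Manager, Pivot or Druid endpoint (host, port and CA bundle
are yours to supply) to confirm that TLS 1.0 and 1.1 are no longer accepted and
that TLS 1.2 or later is.
"""
import socket
import ssl
import threading

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")
# OpenSSL reasons meaning *this client* cannot offer the version, so the
# server's behaviour for it was never observed.
CLIENT_SIDE_REASONS = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"}


def probe_version(host, port, version, cafile=None, timeout=5.0):
    """Try one handshake pinned to `version`.

    Returns 'accepted', 'accepted-untrusted-cert' (version negotiated, but the
    server certificate failed chain/hostname checks: a separate finding),
    'rejected' (the server refused the version), 'untestable' (this client's
    OpenSSL cannot offer it) or 'unreachable'.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification on
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLCertVerificationError:
        return "accepted-untrusted-cert"
    except ssl.SSLError as err:          # must precede OSError: SSLError subclasses it
        return "untestable" if err.reason in CLIENT_SIDE_REASONS else "rejected"
    except OSError:
        return "unreachable"             # refused, timed out, no route


def probe_all(host, port, cafile=None):
    return {name: probe_version(host, port, ver, cafile) for name, ver in VERSIONS.items()}


def verdict(results):
    """PASS when only TLS 1.2+ is accepted, FAIL when a legacy version is."""
    accepted = lambda name: results.get(name, "").startswith("accepted")
    if all(r == "unreachable" for r in results.values()):
        return "UNREACHABLE"
    if any(accepted(v) for v in LEGACY):
        return "FAIL"
    if accepted("TLSv1.2") or accepted("TLSv1.3"):
        return "PASS"
    return "INCONCLUSIVE"


def start_tls_server(certfile, keyfile, minimum=ssl.TLSVersion.TLSv1_2):
    """Constructed local server for exercising the probe offline: accepts
    handshakes at `minimum` or newer on an ephemeral 127.0.0.1 port.
    Returns (port, stop_event)."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.minimum_version = minimum
    srv_ctx.load_cert_chain(certfile, keyfile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    listener.settimeout(0.2)             # lets the loop notice stop_event
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            try:
                with srv_ctx.wrap_socket(conn, server_side=True):
                    pass                 # handshake done; a refused version raises here
            except (ssl.SSLError, OSError):
                pass
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    res = probe_all(host, port, cafile=sys.argv[3] if len(sys.argv) > 3 else None)
    for name, state in res.items():
        print(f"{name}: {state}")
    print("verdict:", verdict(res))
```

Run it against the TLS port of a deployment, for example `python tls_probe.py manager.example.internal 9097 ca.crt` (hostname is a placeholder). An "untestable" result for TLS 1.0 or 1.1 means your own OpenSSL build refuses to offer that version, which is the client-side state the paragraph above asks you to verify for your tooling; a FAIL means the endpoint still negotiates a deprecated version and needs attention before clients are cut over.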
Enabling client authentication to the metadata store
By entering values in the Client cert and Client key fields for a cluster, you enable authentication on client connections from the Druid cluster to the metadata store.
Follow these steps to enable client authentication to the metadata store:
- In Imply Manager, click the Manage button for the cluster you want to configure.
- Click Setup.
- Expand the Advanced config settings.
- Verify that you have a TLS certificate in the TLS cert field and add one if not.
- In the optional Client cert and Client key fields, enter the client certificate and its private key, respectively.
- Click Save or Create cluster to complete the configuration.
To enable client authentication between Imply Manager and the metadata store, use Helm. For details, see Imply Enterprise on Kubernetes.
Generating a CA certificate and key
To generate a CA certificate and key, use the following command:
openssl req -x509 -new -nodes -keyout ca.key -out ca.crt -days 365
When executing the command you will be prompted to fill in the information for the certificate. For example:
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Burlingame
Organization Name (eg, company) []:Imply Data, Inc
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Imply Manager CA
Email Address []:
These values are just an example and should be replaced with your own values. Once this is completed, a new certificate and key that are valid for 1 year will be generated. If you want a longer or shorter expiry, update the -days argument. For more information, consult the OpenSSL documentation.
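The following Python script is an added example (not part of the Imply documentation) that runs the same openssl command non-interactively, with the prompts replaced by -subj, and then checks what an operator wants to know before loading ca.crt into Imply Manager: that the certificate really is a CA and how long it remains valid. The docs' sample subject values are used as the default subject; substitute your own. It assumes openssl 1.1.1 or later is on PATH.

```python
"""Generate the Imply Manager signing CA non-interactively and sanity-check it.

Added example, not part of the Imply documentation or product. Wraps the
`openssl req -x509 ...` command the docs show and verifies the result.
Assumes openssl 1.1.1+ on PATH (needed for -addext).
"""
import os
import subprocess
from datetime import datetime, timezone

# The docs' sample prompt answers, expressed as a -subj string; replace with yours.
DEFAULT_SUBJECT = "/C=US/ST=California/L=Burlingame/O=Imply Data, Inc/CN=Imply Manager CA"


def generate_ca(out_dir, days=365, subject=DEFAULT_SUBJECT):
    """Write out_dir/ca.key and out_dir/ca.crt; return (key_path, cert_path)."""
    os.makedirs(out_dir, exist_ok=True)
    key, crt = os.path.join(out_dir, "ca.key"), os.path.join(out_dir, "ca.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-new", "-nodes", "-newkey", "rsa:2048",
         "-keyout", key, "-out", crt, "-days", str(days), "-subj", subject,
         # State the CA role explicitly instead of relying on openssl's default config.
         "-addext", "basicConstraints=critical,CA:TRUE",
         "-addext", "keyUsage=critical,keyCertSign,cRLSign"],
        check=True, capture_output=True)
    os.chmod(key, 0o600)   # the signing key is the root of trust for every cert Manager issues
    return key, crt


def _x509(cert_path, *args):
    """Run `openssl x509 -in cert -noout <args>` and return its stdout."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", *args],
                         check=True, capture_output=True, text=True)
    return out.stdout


def is_ca_certificate(cert_path):
    """True when the certificate carries basicConstraints CA:TRUE."""
    return "CA:TRUE" in _x509(cert_path, "-text")


def subject_of(cert_path):
    """Subject as printed by openssl, without the leading 'subject=' label."""
    return _x509(cert_path, "-subject").split("=", 1)[1].strip()


def days_until_expiry(cert_path, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    line = _x509(cert_path, "-enddate").strip()   # "notAfter=Jun  1 12:00:00 2025 GMT"
    not_after = datetime.strptime(line.split("=", 1)[1], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_rotation_planning(cert_path, lead_days=30):
    """True when the CA expires within lead_days. A CA change requires restarting
    the cluster, so this is the point at which to book a maintenance window."""
    return days_until_expiry(cert_path) < lead_days


if __name__ == "__main__":
    key_path, cert_path = generate_ca("./imply-ca")
    print("subject:", subject_of(cert_path))
    print("is CA:", is_ca_certificate(cert_path))
    print("days until expiry:", days_until_expiry(cert_path))
    print("plan rotation now:", needs_rotation_planning(cert_path))
```

Keep ca.key off the Manager host's shared paths and out of version control; only ca.crt is distributed to browsers and agents. Running needs_rotation_planning from a scheduled job gives advance warning of the restart the certificate change will require.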
Trusting your CA
Mac OS
Double-clicking the ca.crt file will add it to your Keychain as a trusted certificate. For more information, consult the Keychain Access User Guide.
Windows
To add the certificate on Windows, perform the following steps:
- Right-click the ca.crt file and select Install Certificate. This launches the Certificate Import Wizard.
- Select Local Machine for the Storage Location and click Next.
- Browse to Trusted Root Certification Authorities as the store in which to place the certificate.
- Click Next and review the changes to be made before clicking Finish.
- Restart your browser.
For managed environments the certificate can be installed as part of a Group Policy.
Ports
When TLS is enabled, Druid uses different ports by default and requires the https:// scheme for all web requests.
By default, the TLS port for a service is its default port plus 200. Note that Pivot and Imply Manager still run on the same port.
See the table below for some examples:
Service | Default Port | TLS Port
---|---|---
Imply Manager | 9097 | 9097
Pivot | 9095 | 9095
Router | 8888 | 9088
Overlord | 8090 | 8290
Review the Druid Configuration reference for more defaults.
Token authentication
Enabling authentication directs Imply Manager to communicate with the agents in an authenticated manner. It also enables Druid and Pivot authentication, securing the entire deployment. Authentication should be used in conjunction with TLS, because without it the tokens are sent in plain text.
Druid
When authentication is enabled by providing a token to Imply Manager and agents, it also enables Druid authentication by default. For more information on Druid authentication, see Authentication and Authorization in the Druid documentation.
When Druid Authentication is enabled you can find the credentials in Imply Manager under the API tab.
Pivot
When authentication is enabled by providing a token to Imply Manager and agents, it also enables Pivot authentication by default. For more information on Pivot user modes, review the userMode configuration.
Pivot is configured to use native-users by default. You can find default credentials in the userMode documentation.
Security policy
You can configure custom password options, login throttling, and idle session options in Master settings > Settings > Security policy.
For passwords, some of the parameters you can configure include the following:
- Minimum and maximum password length
- Minimum passphrase length
- Password lifetime
- Password history
For login throttling, you can configure the following:
- Lockout tries: Number of login attempts permitted before a user account is locked out.
- Lockout duration: Amount of time the user account is locked out for.
- Disable tries: Number of login attempts permitted before a user account is disabled.
- Disable duration: Amount of time the user account is disabled for.
For idle sessions, you can configure the following:
- Idle timeout duration: Time interval in ISO 8601 format a session can remain idle before it times out. For example: PT15M for 15 minutes or PT1H for 1 hour.
- Idle timeout: Enable or disable the idle timeout feature.
- Warning prompt duration: Time duration in ISO 8601 format for displaying a warning dialog before a session times out. Must be less than the timeout duration.
- Warning prompt: Enable or disable the warning prompt that alerts users before their session times out.
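As an added example (not part of Imply Manager), the following Python code parses the ISO 8601 durations these settings take and applies the documented constraint that the warning prompt duration must be less than the idle timeout duration, so that a bad pair is caught before it is saved. Years and months are deliberately rejected because their length in seconds is not fixed; the function and message names are assumptions of this example.

```python
"""Validate idle-session durations for the Security policy settings.

Added example, not part of Imply Manager. Accepts the ISO 8601 duration form
the settings use (PT15M, PT1H, P1DT12H) and checks the documented rule that
the warning prompt duration is less than the idle timeout duration.
"""
import re
from datetime import timedelta

# Weeks/days plus the time components. Years and months are not accepted: they
# have no fixed length in seconds, which a session timeout needs.
_DURATION = re.compile(
    r"^P(?!$)(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?!$)(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?$"
)


def parse_iso8601_duration(text):
    """'PT15M' -> timedelta(minutes=15); raises ValueError on unsupported input."""
    match = _DURATION.match(text.strip().upper())
    if not match:
        raise ValueError(f"not a supported ISO 8601 duration: {text!r}")
    parts = {unit: float(value) for unit, value in match.groupdict().items()
             if value is not None}
    return timedelta(**parts)


def validate_idle_session_policy(idle_timeout, warning_prompt):
    """Return (ok, message) for a proposed idle timeout / warning prompt pair."""
    try:
        idle = parse_iso8601_duration(idle_timeout)
        warn = parse_iso8601_duration(warning_prompt)
    except ValueError as err:
        return False, str(err)
    if idle <= timedelta(0):
        return False, "idle timeout duration must be greater than zero"
    if warn <= timedelta(0):
        return False, "warning prompt duration must be greater than zero"
    if warn >= idle:
        return False, (f"warning prompt duration {warning_prompt} must be less than "
                       f"the idle timeout duration {idle_timeout}")
    return True, (f"users are warned after {idle - warn} of inactivity "
                  f"and signed out after {idle}")


if __name__ == "__main__":
    for pair in (("PT15M", "PT1M"), ("PT1H", "PT90M"), ("15 minutes", "PT1M")):
        print(pair, "->", validate_idle_session_policy(*pair))
```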