By default, the Imply Manager in Imply Hybrid (formerly Imply Cloud) provides a gateway between a user's browser and Pivot. Imply Hybrid users can access Pivot from the Imply Manager without having to enter their credentials, because user authentication is performed automatically.
If you do not want the Imply Manager to act as a proxy between your browser and Pivot, you can configure direct access for Pivot. In direct access mode, Pivot users access Pivot directly, from within the Virtual Private Cloud (VPC) running the clusters.
Why use direct-access mode?
Direct access mode offers a few advantages over standard access with Imply Hybrid. The Pivot APIs are available in direct access mode, but not when in the default, proxied mode.
Also, in direct access mode, traffic between a Pivot user's browser and the Druid cluster does not need to traverse public networks.
On the other hand, in direct access mode, functions that the Imply Hybrid Manager performs in proxy mode, such as user authentication, must be provided separately. Also, Pivot and the Druid Console will no longer be accessible by link from the Imply Manager.
Enabling direct access mode
To enable direct access mode, follow these steps:
Select how to manage Pivot users when switching to direct access mode:
- From the Imply Manager home page, click the Manage link for the cluster you are setting to direct access mode.
- Click Setup and expand the Advanced config settings.
- From the Access mode menu under the Pivot settings, choose native, OIDC, or LDAP as the Pivot user authentication option:
Note that proxied is the default option. Choosing one of the other three options effectively puts Pivot into direct access mode.
Optionally, set the URL for Pivot Access field to a published domain name to which Pivot users can go to access Pivot—for example,
Setting this field enables access options for opening Pivot from the Cloud Manager UI, that is, the Open button next to the cluster in the cluster list view.
For LDAP or OIDC, specify the role authority for users: either Pivot or the external authentication mechanism.
In the AWS account, set a DNS mapping between the Pivot URL you entered and the load balancer. Druid clusters created by Imply have two load balancers associated with them. One serves as an internal load balancer (for internal VPC access) and the other serves as an external load balancer (for public internet access).
Add the hostname of whichever load balancer you want the Pivot URL to map to into your DNS mapping route table. For example:
Pivot.customercompany.com → internalELB.amazonaws.com:9095
Note that you can find the load balancer hostname in the API page for the cluster.
Note the following caveats:
- The load balancers are deleted when you terminate or stop the cluster. When you restart your cluster, make sure that you retrieve the new hostname from the API page and add it to the route table.
- Rolling upgrades will not change the load balancer’s hostname and won’t impact the route table.
- In standard proxied mode, Imply Manager manages the Imply Pivot license. When you switch to direct access mode, Imply Manager generates a license and installs it as a local Pivot license. It resumes license management if switched back to proxied mode.
Provide a public CA certificate in the load balancer. Imply has a self-signed certificate stored on all Imply cluster nodes, but as it is self-signed, most browsers will deem this insecure and present warnings when being redirected to the Pivot URL you configured. To avoid this, you must put a public CA certificate in the load balancer whose hostname is mapped to the Pivot URL you intend for end users to visit.
The same load balancer caveats apply when a cluster is stopped or terminated.
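The DNS and certificate steps above can be checked after every cluster restart. The following is an added example, not Imply's own tooling: the function names are hypothetical, and the two hostnames (the Pivot URL host and the load balancer host from the API page) are passed as arguments.

```python
import socket
import ssl

# OpenSSL verification codes most relevant to this setup.
VERIFY_REASONS = {
    10: "certificate expired",
    18: "self-signed certificate (the cluster default)",
    19: "self-signed certificate in chain",
    20: "issuer not in the client trust store",
    62: "certificate does not cover the Pivot hostname",
}

def resolve_ips(host):
    """Return the set of addresses a hostname currently resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def dns_is_current(pivot_host, lb_host, resolver=resolve_ips):
    """True if the Pivot name still lands on the cluster's current load balancer.

    Comparing addresses works for both CNAME and alias-style records.
    """
    try:
        pivot_ips, lb_ips = resolver(pivot_host), resolver(lb_host)
    except socket.gaierror:
        return False  # e.g. the record still names a deleted load balancer
    return bool(pivot_ips & lb_ips)

def describe_verify_code(code):
    """Map an OpenSSL verify code to a reason an operator can act on."""
    return VERIFY_REASONS.get(code, f"verification failed (OpenSSL code {code})")

def tls_status(pivot_host, port=9095, timeout=5.0):
    """Handshake as a browser would: system trust store, hostname checking on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((pivot_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=pivot_host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:  # must precede OSError
        return describe_verify_code(exc.verify_code)
    except OSError as exc:
        return f"connection failed: {exc}"

if __name__ == "__main__":
    import sys
    pivot, lb = sys.argv[1], sys.argv[2]  # Pivot URL host, LB host from the API page
    print("DNS current:", dns_is_current(pivot, lb))
    print("TLS:", tls_status(pivot))
```

Run it from a machine inside the VPC when the Pivot URL maps to the internal load balancer, since that hostname resolves to private addresses.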
Access Pivot and Druid Console
Users should now access Pivot on port 9095 of the load balancer URL, as listed on the cluster's API tab. The Pivot UI is no longer accessible at the usual URL for Cloud Imply,
The Druid Console is available to users from the Data tab in Pivot or directly through the load balancer on port 9088.