2023.05

Get started with Imply Hybrid Auth

To enable Imply Hybrid Auth (formerly Imply Cloud Auth) for your organization, contact your Imply account representative. After you onboard to Imply Hybrid Auth, make sure to migrate over any users, user credentials, and custom roles you have created.

Imply Hybrid Auth is the user authentication and authorization service for Imply Hybrid. It offers a single, centralized user management interface for administering Imply users. With Imply Hybrid Auth enabled, you can control access to Imply Manager, Pivot, and SaaS Clarity, across all of your Imply Hybrid environments.

Imply Hybrid Auth lets you define password policies, configure multi-factor authentication, and use OAuth 2.0 for API authentication. You can also use Imply Hybrid Auth to integrate user provisioning with external identity providers.

Key concepts

Before you start using Imply Hybrid Auth, familiarize yourself with the following key concepts:

  • Organization: An organization is a top-level entity that maps to an Imply customer. It is where you manage and authenticate users, set credentials, and define roles and groups. All organizations are isolated from one another and can only manage and authenticate the users that they control. Your organization is created for you when you first sign up for Imply Hybrid.

  • Environment: An environment represents a complete Imply deployment to an individual AWS VPC. An organization can have multiple environments. This is useful when you need to maintain separate environments; for example, for production and staging, or to support AWS infrastructure in multiple regions.

  • Groups: Groups let you assign and manage roles for a set of users collectively, instead of mapping roles to users individually. When you add a member to a group, that member inherits all attributes and role mappings that the group defines.

  • Role: A role is a permission to perform certain actions in Imply Hybrid. For example, the administer-data-cubes role lets you view and manage all data cubes, and the monitor-queries role lets you monitor Pivot's database queries. Roles associate permissions with users or groups within the context of an environment, giving you the flexibility to control user permissions for each deployment. For example, you can give a user admin permissions for a staging environment without granting them admin access to a production environment.

    The following figure depicts the sample scenario:

    [Figure: SSO concepts]

  • Mappers: Mappers associate external identity provider tokens and assertions with Imply user attributes such as roles. You can propagate identity information from external groups to respective internal roles in your Imply Hybrid environment.

  • Session: A session is created when a user logs into an Imply Hybrid environment. A session contains information such as active users, their IP addresses, and when they last logged in. Both admins and users can view session information.
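
The concepts above say that roles are scoped to an environment and that group members inherit the group's role mappings. The following added example (not Imply code and not the Imply Hybrid Auth API or data format) models that in Python and shows an access-review helper that reports who holds a role in a given environment and through which mapping. The `Org` class, the group names, and the user names are hypothetical; the role and environment names come from the text above.

```python
# Illustrative model only: not Imply Hybrid Auth's API or storage format.
from dataclasses import dataclass, field

@dataclass
class Org:
    # group -> {environment -> set of roles}
    group_roles: dict = field(default_factory=dict)
    # user -> {environment -> set of roles} (direct role mappings)
    user_roles: dict = field(default_factory=dict)
    # user -> set of groups the user belongs to
    membership: dict = field(default_factory=dict)

    def effective_roles(self, user, env):
        """Direct roles plus roles inherited from groups, for one environment."""
        roles = set(self.user_roles.get(user, {}).get(env, ()))
        for group in self.membership.get(user, ()):
            roles |= set(self.group_roles.get(group, {}).get(env, ()))
        return roles

    def holders(self, role, env):
        """Access review: users holding `role` in `env`, and how they got it."""
        found = {}
        for user in sorted(set(self.user_roles) | set(self.membership)):
            sources = []
            if role in self.user_roles.get(user, {}).get(env, ()):
                sources.append("direct")
            for group in sorted(self.membership.get(user, ())):
                if role in self.group_roles.get(group, {}).get(env, ()):
                    sources.append(f"group:{group}")
            if sources:
                found[user] = sources
        return found

def sample_org():
    # Constructed sample data (hypothetical users and groups).
    return Org(
        group_roles={
            "analysts": {"staging": {"monitor-queries"},
                         "production": {"monitor-queries"}},
            "cube-admins": {"staging": {"administer-data-cubes"}},
        },
        user_roles={"alice": {"production": {"administer-data-cubes"}}},
        membership={"alice": {"analysts"}, "bob": {"analysts", "cube-admins"}},
    )

if __name__ == "__main__":
    org = sample_org()
    for env in ("staging", "production"):
        print(env, org.holders("administer-data-cubes", env))
```

In the sample data, bob administers data cubes in staging only through a group, while alice holds the same role in production through a direct mapping; a periodic review of this kind makes both paths visible.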

User management console

The User management console is a web interface for setting up, monitoring, and managing user access settings across an organization in Imply Hybrid. It is where you configure authentication policies, create user groups, and integrate with third-party identity providers.

You can access the console from Imply Manager by clicking the profile menu icon in the top-right corner of the page. Select User management from the list of options.

User management

Imply Hybrid Auth enables you to perform the following tasks from the User management console:

  • Configure local users
  • Configure multi-factor authentication
  • Configure defenses against brute force attacks
  • Integrate with external identity providers
  • Reset passwords and terminate user sessions
  • Set up client API authentication tokens

Many of the configuration settings apply at the organization level, but you can configure user-level settings as well. For any user, you can configure role mappings and groups, manage sessions and multi-factor authentication (via OTP), and request specific actions such as updating a user profile:

[Figure: User settings]

Access personal settings

To access your personal settings from the User management console, click the profile icon or your username at the top of the page and select Manage account. Personal settings include personal information, account security, and applications. Applications refer to the different Imply Hybrid environments you have access to.

Authentication capabilities

It is important to understand how Imply Hybrid Auth relates to other user management mechanisms in the Imply technology stack. When running on-premises or in detached Pivot mode, you can provision users for Pivot separately, as described in Access control for Pivot. Similarly, the Druid engine has its own authorization and authentication mechanism, as described in Druid administration topics. Imply Hybrid Auth encompasses both of these methods so that you can control access to Pivot, Druid, and Imply Manager from a single location.

Access SaaS Clarity

With Imply Hybrid Auth enabled, SaaS Clarity negotiates the authentication process using your Imply Hybrid login information. This means that you can access SaaS Clarity from the Imply Manager console without needing to enter another set of credentials. Imply Hybrid Auth validates your session and automatically logs you into an instance of SaaS Clarity. If your session is expired or invalid, you are prompted to authenticate before you can proceed.

Last updated on 5/19/2023
Copyright © 2023 Imply Data, Inc