2022.05

Get started with Imply Hybrid Auth

To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.

Imply Hybrid Auth provides secure and comprehensive authentication and authorization capabilities. Imply Hybrid Auth lets you set strict password policies, configure multi-factor authentication, integrate Imply Hybrid with a third-party identity provider, and use OAuth 2.0 for API authentication. It brings all of your Imply Hybrid accounts under one organization, making administration easier.

Imply Hybrid Auth lets you control access to Imply components, including Imply Manager, Pivot, and Clarity, across Imply Hybrid environments in your organization.

Key concepts

The following are key concepts of Imply Hybrid Auth:

  • User management: A web interface for setting up, monitoring, and managing user access. It encapsulates access settings across an organization.

  • Organization: An organization is a top-level entity that maps to an Imply customer. When you first sign up for Imply Hybrid, an organization is created for you automatically. You log into the organization to manage and authenticate the users, set credentials, define roles and groups, and perform other actions. All organizations are isolated from one another and can only manage and authenticate the users that they control.

  • Environment: An environment represents a complete Imply deployment to an individual AWS VPC. An organization can have one or more environments. This is useful when you need to maintain separate environments; for example, for production and staging, or to support data in different AWS regions.

  • Groups: Groups let you assign and manage roles for a set of users collectively, instead of mapping roles to users individually. When you add a member to a group, that member inherits all attributes and role mappings that the group defines.

  • Role: A role is a permission to perform certain actions in Imply Hybrid. For example, the administer-data-cubes role lets you view and manage all data cubes and the monitor-queries role makes it possible to monitor Pivot's database queries. Roles associate permissions to users or groups within the context of an environment, giving you the flexibility to control user permissions for each deployment. For example, a user can have admin permissions in staging but not in a production environment.

The following figure depicts the sample scenario:

[Figure: SSO concepts]

  • Mappers: Mappers associate a user's attribute or property from an external identity provider to a particular role in Imply. For example, you can map users in an admin group in Okta to an admin role in Imply.

  • OAuth Client: An API client that contains a name (ID), a secret, and a token used to authenticate API requests.

  • Session: A session is created when a user logs into an environment. A session contains information such as active users, their IP addresses, and when they last logged in. Both admins and users can view session information.
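
The role model described in the concepts above, as an added example that is not Imply's code or API: a small audit that resolves each user's effective roles per environment from direct mappings, group inheritance, and identity-provider mappers, and reports which grant path confers a role. The data shapes, the user and group names, and the rule that grants combine as a union are assumptions made for illustration.

```python
# Illustrative model only: names and data shapes are assumptions, not Imply's API.
from collections import defaultdict

# Constructed sample data. Roles are scoped per environment, as the page describes.
GROUP_ROLES = {
    "analysts": {"staging": {"administer-data-cubes"}, "production": {"monitor-queries"}},
    "platform-admins": {"staging": {"admin"}, "production": {"admin"}},
}
# Hypothetical mapper shape: (IdP attribute, value) -> list of (environment, role).
MAPPERS = {("okta_group", "admin"): [("staging", "admin")]}

USERS = {
    "alice": {"groups": {"analysts"}, "direct": {"staging": {"admin"}}, "idp": {}},
    "bob": {"groups": {"platform-admins"}, "direct": {}, "idp": {}},
    "carol": {"groups": set(), "direct": {}, "idp": {"okta_group": "admin"}},
}

def effective_roles(user):
    """Return {env: {role: {grant paths}}} from direct, group and mapper grants."""
    grants = defaultdict(lambda: defaultdict(set))
    for env, roles in user["direct"].items():
        for role in roles:
            grants[env][role].add("direct")
    for group in user["groups"]:
        # Group members inherit every role mapping the group defines.
        for env, roles in GROUP_ROLES.get(group, {}).items():
            for role in roles:
                grants[env][role].add(f"group:{group}")
    for attr, value in user["idp"].items():
        # Mappers turn an external IdP attribute into a role in one environment.
        for env, role in MAPPERS.get((attr, value), []):
            grants[env][role].add(f"mapper:{attr}={value}")
    return grants

def holders(role, env):
    """Map each user holding `role` in `env` to the sorted grant paths behind it."""
    out = {}
    for name, user in USERS.items():
        sources = effective_roles(user).get(env, {}).get(role)
        if sources:
            out[name] = sorted(sources)
    return out

if __name__ == "__main__":
    for env in ("staging", "production"):
        print(env, holders("admin", env))
```

Reviewing the grant path alongside the role shows whether a privileged role in production comes from a group, a one-off direct mapping, or an external mapper, which is what determines where it has to be revoked.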

User management console

The User management console is where you manage user access settings, configure authentication policies, create user groups, and connect third-party identity providers for Imply Hybrid.

To access the User management console from Imply Manager, click on the profile menu in the top right corner. Select User management from the list of menu options.

User profile settings

As an end user, after logging in, you can access your personal settings from the User management console by clicking the profile icon or your username at the top of the page and selecting Manage account. Personal settings include personal information, account security, and applications. Applications refer to the different Imply Hybrid environments you have access to.

Next steps

It is important to understand how Imply Hybrid Auth relates to other user management mechanisms in the Imply technology stack. When running on-premises or in detached Pivot mode, you can provision users for Pivot separately, as described in Access control for Pivot. Similarly, the Druid engine has its own authorization and authentication mechanism, as described in Druid operations topics. Imply Hybrid Auth encompasses both of these methods so that you can control access to Pivot, Druid, and the Imply Manager from a single place.

The following are the setup and administrative tasks you can perform when using Imply Hybrid Auth:

  • Configure local users
  • Configure an external identity provider integration, so that you can rely on user data from a single source for your organization, with specific instructions for:
    • Okta OIDC integration
    • Okta SAML integration
  • Understand roles and permissions in Imply Hybrid Auth.
  • Configure multi-factor authentication.
  • Configure password retry attempts and general defenses against brute force attacks.
  • Reset passwords and terminate user sessions.
  • Set up client API authentication tokens.

Many of the configuration settings apply at the organization level, but you can configure user-level settings as well. For any user, you can configure role mappings and groups, manage sessions and configure multi-factor authentication (via OTP), require password update, and verify email:

[Figure: user settings]

Last updated on 4/20/2022
Copyright © 2022 Imply Data, Inc