Security overview#
After the initial installation of your cluster, security is the next major concern for successfully operating BDV. This overview provides an introduction to different aspects of configuring security for your BDV cluster.
Aspects of configuring security#
The default installation of BDV has no security features enabled. Security can be enabled for different parts of the BDV architecture:
Suggested configuration workflow#
To configure security for a new BDV cluster, follow this best practice order of steps. Do not skip or combine steps.
Enable HTTPS/TLS
Work with your security team.
Use a load balancer or proxy to terminate HTTPS, if possible.
Use a globally trusted TLS certificate.
Enable authentication
Start with password file authentication to get up and running.
Then configure your preferred authentication provider, such as LDAP.
Avoid the complexity of Kerberos for client authentication, if possible.
Enable authorization and access control
Start with file-based rules.
Then configure another access control method as required.
Configure one step at a time. Always restart the BDV server after each change, and verify the results before proceeding.
Securing client access to the cluster#
BDV clients include the MDACA Data Storage Explorer and ODBC driver, the Web UI, the JDBC driver, Python, Go, or other clients, and any applications using these tools.
All access to the BDV cluster is managed by the coordinator. Thus, securing access to the cluster means securing access to the coordinator.
There are three aspects to consider:
Encryption: protecting the integrity of client to server communication in transit.
Authentication: identifying users and user name management.
Authorization and access control: validating each user’s access rights.
Encryption#
The BDV server uses the standard HTTPS protocol and TLS encryption, formerly known as SSL.
Authentication#
BDV supports several authentication providers. When setting up a new cluster, start with simple password file authentication before configuring another provider.
User name management#
BDV provides ways to map the user and group names from authentication providers to BDV user names.
User mapping applies to all authentication systems, and allows for regular expression rules to be specified that map complex user names from other systems (
alice@example.com) to simple user names (alice).File group provider provides a way to assign a set of user names to a group name to ease access control.
Authorization and access control#
BDV’s default method of access control allows all operations for all authenticated users.
To implement access control, use:
File-based system access control, where you configure JSON files that specify fine-grained user access restrictions at the catalog, schema, or table level.
In addition, SpinSys can create a custom access control method, or extend an existing one, to meet specific needs.
Access control can limit access to columns of a table. The default behavior
of a query to all columns with a SELECT * statement is to show an error
denying access to any inaccessible columns.
You can change this behavior to silently hide inaccessible columns with the
global property hide-inaccessible-columns configured in
Config properties:
hide-inaccessible-columns = true
Securing inside the cluster#
You can secure the internal communication between coordinator and workers inside the clusters.
Secrets in properties files, such as passwords in catalog files, can be secured with secrets management.
Securing cluster access to data sources#
Communication between the BDV cluster and data sources is configured for each catalog. Each catalog uses a connector, which supports a variety of security-related configurations.
More information is available with the documentation for individual connectors.
Secrets management can be used for the catalog properties files content.