Indexima manages authentication (user identification) and authorization (user rights) for two kinds of users:

  • Console users: connect to the Indexima dev console. Used by system administrators and data engineers.
  • SQL users: connect to the Indexima core SQL engine using third-party tools (visualization tools or SQL query tools). Used by data analysts.

SQL (Engine) users authentication

  • Authentication modes available: 
  • By default, the cluster will be accessible without any user control.

SQL (Engine) users authorization

  • Authorization of SQL users can be handled:
    • either with custom rights in Indexima
    • or through integration with Hadoop Ranger. More details...
  • Only users with the administrator role can create a new schema or modify the dynamic (configuration) parameters of a cluster. Those users are:

Console users authentication

  • Authentication modes available:
    • BASIC (users are declared in the dev console)
      • With BASIC authentication, only the very first admin user (username: admin) is declared through configuration (with the initial password defined with VISUALDOOP_DEFAULT_PASS, defaulting to 'admin'). The other users are created directly in the dev console ('Add User' button available in the console).
    • LDAP (users are declared in an LDAP directory) More details...

Console users authorization

  • Only users with the VisualDoop administrator role (parameter VISUALDOOP_ADMIN in visualdoop2/config.sh) can perform the following actions:
    • Attach a cluster to the Clusters hub
    • Edit an existing cluster connection
    • Create, edit or delete a console user (only possible with BASIC authentication)
  • Through a connection, a "console user" is allowed to connect to the Indexima console and may administer the cluster.
    • If fine-grained authorization is required, you can activate authorization restrictions on "console users" with the parameter webui.rights=true in galactica.conf. With this parameter enabled, you can restrict console user access to: the cluster view, the query listing of any user, the analyzer, and the server logs. More details...
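
A configuration check for the console settings described above, as an added example that is not Indexima's own tooling. It assumes that VISUALDOOP_DEFAULT_PASS is set in visualdoop2/config.sh alongside VISUALDOOP_ADMIN, that config.sh uses shell assignments, and that galactica.conf uses key = value lines; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the console settings named on this page.
# Assumed formats (not confirmed by the page): config.sh holds lines such as
# `export VAR=value`; galactica.conf holds `key = value` lines, `#` comments.

# Print the last uncommented value assigned to shell variable $2 in file $1.
shell_var() {
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" "$1" |
        tail -n 1 | sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//"
}

# Print the last uncommented value of key $2 in key=value file $1.
conf_key() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dot literally
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# audit_console CONFIG_SH GALACTICA_CONF
# Prints one finding per line; returns 1 if any weak setting was found.
audit_console() {
    findings=0
    pass=$(shell_var "$1" VISUALDOOP_DEFAULT_PASS)
    # An unset value falls back to 'admin', so both cases are weak.
    if [ -z "$pass" ] || [ "$pass" = "admin" ]; then
        echo "WEAK: initial admin password is unset or 'admin' (VISUALDOOP_DEFAULT_PASS)"
        findings=1
    fi
    admin=$(shell_var "$1" VISUALDOOP_ADMIN)
    if [ -n "$admin" ]; then
        echo "INFO: VISUALDOOP_ADMIN=$admin"
    fi
    if [ "$(conf_key "$2" webui.rights)" != "true" ]; then
        echo "WEAK: webui.rights is not true; console user restrictions are off"
        findings=1
    fi
    return $findings
}

# Constructed sample files (not from a real deployment) to show the output.
demo() {
    d=$(mktemp -d)
    printf 'export VISUALDOOP_ADMIN=admin\nexport VISUALDOOP_DEFAULT_PASS=admin\n' > "$d/config.sh"
    printf '# webui.rights = true\n' > "$d/galactica.conf"
    audit_console "$d/config.sh" "$d/galactica.conf"; rc=$?
    rm -rf "$d"; return $rc
}
demo || echo "demo: weak settings found in the sample files"
```

To check a real installation, call audit_console with the paths to visualdoop2/config.sh and galactica.conf.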

Access a SQL Engine (i.e. Indexima Cluster) through the Indexima Console

  • Any "console user" requires a valid "SQL user" to interact with the Indexima SQL engine (Data view).
    • If the flag 'Impersonate' is activated when creating a 'Connection' in the console, the queries executed will appear as if they had been executed by the 'Console user'.
      • Please be aware that in this case, both the SQL user AND the Console user impersonating the SQL user must have the appropriate authorization to execute the query. More details...
  • If the flag 'Is Shared' is activated when creating a 'Connection' in the console, all console users will be able to use this connection. More details...