Authentication & Authorization
Indexima manages two kinds of authentication (user identification) & authorization (user rights):
- Console users: connecting to Indexima dev console. They are used by systems administrators and data engineers.
- SQL users: connecting to Indexima core SQL engine, using third-party tools (Visualisation tools or SQL request tools). They are used by data analysts.
SQL (Engine) users authentication
- Authentication modes available:
- By default, the cluster will be accessible without any user control.
SQL (Engine) users authorization
- SQL users authorizations can be handled :
- either with custom rights in Indexima
- or with integration with Hadoop Ranger. More details...
- Only users with the administrator role can create a new schema or modify the dynamic (configuration) parameters. Those users are :
- Users listed in parameter users.in.admin.role in galactica.conf
- Users who have been granted the admin role (with
GRANT admin TO USER username;). More details...
Console users authentication
Authentication modes available:
- BASIC (users are declared in the dev console)
With BASIC authentication, only the first admin user (username: admin) is declared through configuration (with the initial password defined with VISUALDOOP_DEFAULT_PASS, defaulting to 'admin'). The other users are created directly in the dev console ('Add User' button available in the console).
- LDAP (users are declared in an LDAP directory) More details...
In order to use a group filter on LDAP, the file visualdoop/ldap.properties needs to be customized instead.
Console users authorization
- Only users with the VisualDoop administrator role (parameter VISUALDOOP_ADMIN in visualdoop2/config.sh) can perform the following actions:
- Attach a cluster to the Clusters hub
- Edit an existing cluster connexion
- Create, edit or delete a console user (only possible with BASIC authentication)
- Through a connection, a "console user" is allowed to connect to the Indexima console and may administer the cluster.
In case a fine-grained authorization is required, you can activate some authorization restriction on "Console users" with the parameter webui.rights=true in galactica.conf. With this parameter enabled, you can restrict the console user access: the cluster view, the queries listing of any users, the analyzer, the server logs. More details...
Access a SQL Engine (ie Indexima Cluster) through the Indexima Console
- Any "console user" would require a valid "SQL user" to interact with the Indexima sql engine (Data view).
- If the flag 'Impersonate' is activated when creating a 'Connection' in the console, the queries executed will appear as if they had been executed by the 'Console user'.
Please be aware that in this case, both the SQL user AND the Console user impersonating the SQL user must have the appropriate authorization to execute the query. More details...
- If the flag 'Is Shared' is activated when creating a 'Connection' in the console, all console users will be able to use this connection. More details...