Securing Starburst Enterprise

Learn how to safeguard your data with the Starburst Enterprise platform (SEP) security toolkit in this training video presented by one of our founders, Dain Sundstrom. For your convenience, we have divided the video training course into topic sections and provided links to the relevant parts of our documentation below.

Introduction

Running time: ~11 min.

Topics:

SEP security process.

What to secure.

Preparing: Verifying HTTP.

Client-to-server encryption with TLS

Enabling TLS to the coordinator can be handled from the load balancer in two ways:

  • Terminate TLS on the load balancer and use HTTP to the coordinator

  • Pass TLS through the load balancer and use HTTPS to the coordinator

We highly recommend terminating HTTPS on the load balancer. In this case, the only property required in the Helm chart is http-server.process-forwarded=true, set in the config.properties: entry of the coordinator.etcFiles.properties section:

coordinator:
  etcFiles:
    properties:
      config.properties: |
        http-server.process-forwarded=true

For non-Kubernetes installs, the same property must be defined instead in the config.properties file.

To pass TLS through the load balancer, you must configure TLS on the coordinator itself: enable HTTPS and place the certificate and private key in the coordinator pod. To do so:

  1. Create a secret from the signed certificate and private key. This file can be a PEM file or a JKS or PKCS #12 keystore.

  2. Follow the steps outlined in the reference documentation to configure the coordinator, referring to your SSL secret as shown in the following snippet, which uses a PEM file as an example:

coordinator:
  etcFiles:
    properties:
      config.properties: |
        http-server.https.keystore.path=secretRef:ssl-cert:yoursslcert.pem
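The two modes above are easy to mix up when the config.properties text is hand-edited in the Helm values or on a bare-metal coordinator. The following added example (not Starburst or Trino code) parses that text and reports settings that contradict the chosen mode. The property names (http-server.process-forwarded, http-server.https.enabled, http-server.https.keystore.path, http-server.authentication.allow-insecure-over-http) are real Trino coordinator properties; the mode names, the rules, and the sample inputs are this example's own, and the inputs are the two snippets from this page plus a constructed complete pass-through file.

```python
"""Consistency check for the two coordinator TLS modes described above:
TLS terminated at the load balancer, or TLS passed through to the coordinator.

Added example, not Starburst or Trino code. It parses the text that goes under
`config.properties: |` in the Helm chart (or etc/config.properties on a
non-Kubernetes install) and reports settings that contradict the chosen mode.
The property names are real Trino coordinator properties; the mode names and
the rules are this example's own.
"""

# Constructed inputs: the two snippets from the page, plus a complete
# pass-through configuration as it would look on a non-Kubernetes install.
PAGE_TERMINATE = "http-server.process-forwarded=true\n"
PAGE_PASSTHROUGH = (
    "http-server.https.keystore.path=secretRef:ssl-cert:yoursslcert.pem\n"
)
FULL_PASSTHROUGH = """\
# constructed example, not from the page
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=/etc/starburst/yoursslcert.pem
"""


def parse_properties(text):
    """Parse Java-style key=value lines into a dict.

    Blank lines and lines beginning with '#' or '!' are comments. Only the
    first '=' separates key from value, so a value such as
    secretRef:ssl-cert:yoursslcert.pem keeps its colons intact.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    """Trino reads booleans case-insensitively; an absent key means false."""
    return props.get(key, "false").strip().lower() == "true"


def check_tls_mode(props, mode):
    """Return a list of findings (empty when the config matches `mode`)."""
    findings = []
    if mode == "terminate":
        # The load balancer talks plain HTTP to the coordinator, so the
        # coordinator only learns that the client used TLS from the
        # X-Forwarded-* headers, which Trino honors only with this flag.
        if not is_true(props, "http-server.process-forwarded"):
            findings.append(
                "http-server.process-forwarded is not true: the coordinator "
                "sees plain HTTP and will refuse password authentication"
            )
    elif mode == "passthrough":
        # The coordinator terminates TLS itself: the keystore is only used
        # when HTTPS is switched on, and the page's snippet shows only the
        # keystore path.
        if not is_true(props, "http-server.https.enabled"):
            findings.append(
                "http-server.https.enabled is not true: the keystore path is "
                "ignored and the coordinator serves plain HTTP"
            )
        if not props.get("http-server.https.keystore.path"):
            findings.append("http-server.https.keystore.path is not set")
        if is_true(props, "http-server.process-forwarded"):
            # A load balancer cannot add headers inside a TLS stream it does
            # not terminate, so any X-Forwarded-* header the coordinator sees
            # in this mode came from the client and should not be trusted.
            findings.append(
                "http-server.process-forwarded=true is not needed when TLS "
                "passes through, and it makes client-supplied X-Forwarded-* "
                "headers trusted"
            )
    else:
        raise ValueError("mode must be 'terminate' or 'passthrough'")

    # Applies to both modes: this switch lets clients authenticate with a
    # password over unencrypted HTTP, which defeats the point of TLS.
    if is_true(props, "http-server.authentication.allow-insecure-over-http"):
        findings.append(
            "http-server.authentication.allow-insecure-over-http=true sends "
            "passwords in the clear over HTTP"
        )
    return findings


def check_snippet(text, mode):
    """Convenience wrapper: parse, then check."""
    return check_tls_mode(parse_properties(text), mode)


if __name__ == "__main__":
    for name, text, mode in [
        ("page terminate snippet", PAGE_TERMINATE, "terminate"),
        ("page passthrough snippet", PAGE_PASSTHROUGH, "passthrough"),
        ("full passthrough file", FULL_PASSTHROUGH, "passthrough"),
    ]:
        print(name, "->", check_snippet(text, mode) or ["ok"])
```

Run against the page's own pass-through snippet, the checker reports that http-server.https.enabled is not set, which is exactly the step the reference documentation supplies. One thing no file-level check can see: http-server.process-forwarded=true is only sound when the load balancer is the sole path to the coordinator's HTTP port, because the coordinator then trusts whatever X-Forwarded-Proto says about the original connection.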

The following video provides an overview of client-to-server encryption in SEP:

Running time: ~19 min.

Topics:

Approaches for HTTPS, including proxies and load balancers.

Adding SSL/TLS certificates.

Handling PEM and JKS files.

Verifying HTTPS for SEP.

Authentication and authorization in SEP

Get up and running

The SEP Helm chart has built-in support for file-based password authentication. In the following example, two users are created with very simple passwords:

userDatabase:
  enabled: true
  users:
    - username: admin
      password: adM1nPassWord
    - username: user1
      password: Us4r1PassW0rd

File-based authentication is recommended only for your initial build-out. Read more about password files for information on how to handle non-Kubernetes installations.

Implement LDAP

Authentication via LDAP or Active Directory is configured in the password-authenticator.properties: entry of the coordinator.etcFiles.properties section of the Helm chart. The following example shows the required configuration:

coordinator:
  etcFiles:
    properties:
      password-authenticator.properties: |
        password-authenticator.name=ldap
        ldap.url=ldaps://ldap-server:636
        ldap.user-bind-pattern=uid=${USER},DC=example,DC=com
        ldap.ssl-trust-certificate=secretRef:ldap-ca:ca.crt

In non-Kubernetes installs, the same properties must be defined instead in the etc/password-authenticator.properties file.
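The bind pattern above is a template: at login the coordinator replaces ${USER} with the name the client supplied and binds to the directory as that DN. The following added example (not part of this page and not Trino's LDAP authenticator, which applies its own username checks that the example does not reproduce) shows what that substitution produces for the page's pattern and why the login name has to be escaped as a DN attribute value (RFC 4514) before it is spliced in: a name containing "," or "=" would otherwise change which entry the bind targets. The pattern is the one from the page; the usernames are constructed.

```python
"""${USER} substitution into ldap.user-bind-pattern with RFC 4514 escaping.

Added example, not Trino's LDAP authenticator (which applies its own username
checks that this example does not reproduce). The bind pattern is the one from
the page; the usernames are constructed.
"""

PAGE_BIND_PATTERN = "uid=${USER},DC=example,DC=com"

# RFC 4514 section 2.4: characters that must be escaped anywhere in an
# attribute value. A leading '#', and leading or trailing spaces, are
# handled separately below; NUL is written as the hex pair \00.
_ALWAYS_ESCAPE = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape a string for use as a single attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(pattern, user):
    """Substitute ${USER} into the pattern with the value escaped."""
    if "${USER}" not in pattern:
        raise ValueError("bind pattern has no ${USER} placeholder")
    return pattern.replace("${USER}", escape_dn_value(user))


def naive_bind_dn(pattern, user):
    """The same substitution without escaping, kept only for comparison."""
    return pattern.replace("${USER}", user)


def dn_components(dn):
    """Split a DN on unescaped commas, so a caller can count its RDNs."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep escape pairs intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    for user in ["alice", "alice,ou=admins", " bob"]:
        print(repr(user), "->", bind_dn(PAGE_BIND_PATTERN, user))
```

With escaping, every login name yields a DN with exactly the three RDNs the pattern defines (uid, DC, DC); without it, a name containing a comma adds an RDN and the bind lands on a different entry. Whichever authenticator performs the substitution, that invariant (component count of the result equals component count of the pattern) is a cheap check to keep in a test suite.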

Read more about LDAP for information on how to handle non-Kubernetes installs.

Learn more

The following video provides an overview of authentication and authorization in SEP:

Running time: ~34 min.

Topics:

Password file authentication.

LDAP authentication. See also: group providers.

Kerberos authentication. See also: passthrough.

Client certificate authentication.

JSON Web Token authentication.

Using multiple authenticators.

Authentication with user mapping.

File-based system access control.

Securing SEP’s internal communications and management endpoints

Documentation for the material covered in this section is found here.

Running time: ~16 min.

Topics:

Securing the Starburst cluster itself.

Shared secret.

Internal HTTPS.

Secrets management.

Management endpoints.

Data security

We recommend the following additional reading, which covers enabling SEP’s powerful built-in role-based access control:

SEP provides other methods of implementing global access control:

While we strongly recommend implementing global access control, you can still secure Hive at the catalog level if your particular situation makes that necessary. Documentation covering the various options for securing Hive at the catalog level can be found as follows:

Running time: ~18 min.

Topics:

Authorization.

Metastore authentication.

HDFS authentication.

Kerberos debugging.

S3 authentication.

Google Cloud authentication.