Security

In this section of our reference documentation, learn about the basic workflows for securing your Starburst Enterprise platform (SEP) cluster.

• Security overview

Security topic areas

There are three main types of security measures for SEP clusters:

• User authentication and client security

• Security inside the cluster

• Security between the cluster and data sources

Built-in access control offer the most convenient way to configure security for the connected data sources as well as the features in the Starburst Enterprise web UI .

This section provides reference material for each of these security types. Not sure where to start? Review our Security overview to get started.

Built-in access control

SEP provides a built-in, role-based access control system that is integrated with the Starburst Enterprise web UI. This system makes it easy to configure any user’s correct access rights to catalogs, schemas, and tables, as well as to elements of the UI itself.

• Built-in access control overview
• Built-in access control roles
• Built-in access control privileges
• Built-in access control masks and filters
• Built-in access control audit log
• Differences between built-in access control and Apache Ranger

User authentication and client security

When setting up a new cluster, start with simple password file authentication. Once access to your cluster is secured, SEP provides a number of production-level options for authenticating users such as LDAP, Okta or OAuth 2.0. SEP also offers several options for delegated authorization. These pass-through features guarantee that SEP uses the same token as a user directly accessing a data source.

• Authentication types
  • Password files
  • LDAP
  • LDAP group provider
  • Keycloak group provider
  • SCIM user and group synchronization
  • Salesforce
  • OAuth2 over HTTPS
  • OAuth2 providers
  • SAML 2.0 over HTTPS
  • Okta
  • Kerberos
  • Certificate
  • JWT
  • Header
  • Password pass-through
  • OAuth 2.0 token pass-through
  • Kerberos credential pass-through
  • Multiple authentication types
  • Multiple password authenticators
  • Multiple header authenticators

Once authenticated, users are authorized by one of SEP’s available access control systems, including our comprehensive built-in access control.

Client security is covered in our clients documentation.

Cluster security

Cluster security topics cover both securing external client access to your SEP cluster, and internal communications between cluster resources. Secrets are available for use in any configuration file throughout SEP to provide a secure means of managing values such as usernames, passwords and other strings used in the cluster through your provisioning system.

• TLS and HTTPS
• PEM files
• JKS files
• Secure internal communication
• Secrets

Third-party access control

If your organization uses Ranger, Privacera, or Immuta, SEP integrates with those access control systems.

• Apache Ranger overview
  • Global Ranger
  • Hive Ranger
  • Requirements
  • Ranger usage options
  • Key concepts
  • Features and use cases
  • Configuration properties
  • Ensure Ranger works with TLS
  • Ensuring Ranger works with your authentication service
  • Enabling BIAC with Ranger
  • Starburst Ranger CLI
  • Ranger REST API
• Immuta
  • Requirements
  • Next steps
• AWS Lake Formation
  • Requirements
  • Overview
  • Configure AWS Lake Formation
  • Configuration properties
  • Lake formation credential vending integration
  • Lake formation security mapping
  • Caching
  • Views
  • Limitations

Miscellaneous security options

Learn about other security options that may apply to your environment.

• System access control
• File system access control
• File-based group provider
• User impersonation
• User mapping
• Query audit