Securing Starburst Enterprise #

Learn how to safeguard your data with the Starburst Enterprise platform (SEP) security toolkit in this training video, presented by one of our founders, Dain Sundstrom. For your convenience, we have divided the video training course into topic sections and provided links to the relevant parts of our documentation below.

Introduction #

Topics:
  • SEP security process
  • What to secure
  • Preparing: Verifying HTTP

Running time: ~11 min.


Client to server encryption with TLS #

Enabling TLS for client connections to the coordinator can be handled at the load balancer in two ways:

  • Terminate TLS on the load balancer and use HTTP to the coordinator
  • Pass TLS through the load balancer and use HTTPS to the coordinator

We highly recommend terminating TLS on the load balancer. In this case, the only property required in the Helm chart, in the coordinator.etcFiles.properties section under config.properties:, is the one below. It tells the coordinator to trust the X-Forwarded-* headers the load balancer sets, so the coordinator's HTTP port must be reachable only from the load balancer, never directly by clients:

coordinator:
  etcFiles:
    properties:
      config.properties: |
        http-server.process-forwarded=true

For non-Kubernetes installs, the same property must be defined instead in the config.properties file.
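
The following is an added illustration, not Starburst or Trino code, of what http-server.process-forwarded=true asks the coordinator to do and why the network restriction matters. With TLS terminated on the balancer, every request reaches the coordinator over plain HTTP; password authentication is refused over plain HTTP, so the coordinator must reconstruct the client's real scheme (and address) from the X-Forwarded-Proto and X-Forwarded-For headers the balancer adds. Anyone who can reach the coordinator port directly can send the same headers, so the example also shows, as an assumed hardening that is not an SEP property, what honouring them only from known balancer addresses would look like. The addresses and header values are constructed for the example.

```python
"""Added example (not Starburst or Trino code) of how a server that honours
X-Forwarded-* headers derives the scheme and client address it acts on, and
how a direct connection can forge them.  The trusted_proxies check is an
assumed hardening for illustration, not an SEP configuration property."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    peer_ip: str      # TCP peer address as seen by the coordinator
    scheme: str       # scheme of the hop that reached the coordinator
    headers: dict = field(default_factory=dict)


def effective_request(req, process_forwarded, trusted_proxies=()):
    """Return the (scheme, client_ip) pair the server will act on."""
    if not process_forwarded:
        # Headers are ignored: the balancer's plain-HTTP hop is what counts,
        # so a password login would be refused as arriving over HTTP.
        return req.scheme, req.peer_ip
    if trusted_proxies:
        peer = ipaddress.ip_address(req.peer_ip)
        if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
            # Forwarded headers from an untrusted peer are treated as absent.
            return req.scheme, req.peer_ip
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    # X-Forwarded-For is a comma-separated chain; the first entry is the client.
    scheme = hdrs.get("x-forwarded-proto", req.scheme).split(",")[0].strip()
    client = hdrs.get("x-forwarded-for", req.peer_ip).split(",")[0].strip()
    return scheme, client


# Constructed scenarios: 10.0.0.5 is the balancer's address on the cluster
# network, 203.0.113.7 a real client, and 198.51.100.9 a host that can reach
# the coordinator port without going through the balancer.
VIA_LB = Request("10.0.0.5", "http",
                 {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"})
DIRECT_SPOOF = Request("198.51.100.9", "http",
                       {"X-Forwarded-Proto": "https", "X-Forwarded-For": "10.0.0.1"})

if __name__ == "__main__":
    print("via LB, process-forwarded=true :", effective_request(VIA_LB, True))
    print("via LB, process-forwarded=false:", effective_request(VIA_LB, False))
    print("direct, port open to anyone     :", effective_request(DIRECT_SPOOF, True))
    print("direct, balancer subnet only    :",
          effective_request(DIRECT_SPOOF, True, trusted_proxies=("10.0.0.0/24",)))
```

In SEP the property has no trusted-proxy list; the equivalent control is to restrict the coordinator's HTTP port to the load balancer with a NetworkPolicy or security group, which is what makes the recommended setup safe.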

To pass TLS through the load balancer, you must configure TLS on the coordinator by placing the certificate and its private key in the coordinator pod and enabling HTTPS. To do so:

  1. Create a secret from the signed certificate and private key. This file can be a PEM file or a JKS or PKCS12 keystore.
  2. Follow the steps outlined in the reference documentation to configure the coordinator, referring to your TLS secret as in the following snippet, which uses a PEM file as an example:
coordinator:
  etcFiles:
    properties:
      config.properties: |
        # HTTPS is off by default; the keystore path alone does not enable it
        http-server.https.enabled=true
        http-server.https.keystore.path=secretRef:ssl-cert:yoursslcert.pem

The following video provides an overview of client-to-server encryption in SEP:

Topics:

Running time: ~19 min.


Authentication and authorization in SEP #

Get up and running #

The SEP Helm chart has built-in support for file-based password authentication. In the following example, two users are created with very simple passwords:

userDatabase:
  enabled: true
  users:
    - username: admin
      password: adM1nPassWord
    - username: user1
      password: Us4r1PassW0rd

File-based authentication is recommended only for your initial build-out. More detail is available in our reference documentation, including how to handle non-Kubernetes installs.

Implement LDAP #

Authentication via LDAP or Active Directory is configured in the coordinator.etcFiles.properties section of the Helm chart under password-authenticator.properties:. The following example shows the required Helm chart configuration:

coordinator:
  etcFiles:
    properties:
      password-authenticator.properties: |
        password-authenticator.name=ldap
        ldap.url=ldaps://ldap-server:636
        ldap.user-bind-pattern=uid=${USER},DC=example,DC=com
        ldap.ssl-trust-certificate=secretRef:ldap-ca:ca.crt

In non-Kubernetes installs, the same properties must be defined instead in the etc/password-authenticator.properties file. More detail is available in our reference documentation.
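
The bind pattern above splices whatever login name the client supplies into a DN in place of ${USER}. The following added example, which is not SEP's LDAP authenticator, shows why that substitution must escape or reject special characters (a name such as alice,ou=admins would otherwise rewrite the DN that is bound), and adds the matching check that the configured URL uses ldaps:// as the page's example does. The allow_insecure flag mirrors the intent of the ldap.allow-insecure property; the pattern, hostnames and login names are taken from or constructed around the page's snippet.

```python
"""Added example (not SEP code): RFC 4514 escaping and allowlisting of the
login name substituted for ${USER} in an LDAP bind pattern, beside the
naive substitution, plus a check that the LDAP URL is ldaps://."""
import re
from string import Template
from urllib.parse import urlparse

PATTERN = "uid=${USER},DC=example,DC=com"   # the page's bind pattern

# Characters RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape a string for use as an attribute value in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def naive_bind_dn(pattern, user):
    """Verbatim substitution: the client controls the structure of the DN."""
    return Template(pattern).substitute(USER=user)


def bind_dn(pattern, user, allowlist=r"[A-Za-z0-9._@-]+"):
    """Safe substitution: reject names outside the allowlist (pass
    allowlist=None to skip that step), then escape whatever remains."""
    if allowlist is not None and not re.fullmatch(allowlist, user):
        raise ValueError(f"login name {user!r} contains characters not allowed in a bind DN")
    return Template(pattern).substitute(USER=escape_dn_value(user))


def check_ldap_url(url, allow_insecure=False):
    """True when the URL is acceptable: ldaps:// always, ldap:// only if allowed."""
    parsed = urlparse(url)
    if parsed.scheme == "ldaps" and parsed.hostname:
        return True
    return parsed.scheme == "ldap" and bool(parsed.hostname) and allow_insecure


if __name__ == "__main__":
    hostile = "alice,ou=admins"              # constructed login name
    print("naive   :", naive_bind_dn(PATTERN, hostile))
    print("escaped :", bind_dn(PATTERN, hostile, allowlist=None))
    try:
        bind_dn(PATTERN, hostile)
    except ValueError as err:
        print("rejected:", err)
    print(check_ldap_url("ldaps://ldap-server:636"), check_ldap_url("ldap://ldap-server:389"))
```

Rejecting rather than escaping is the simpler policy when login names are known to be plain identifiers; escaping is the fallback when they are not. Either way, the trust anchor for the ldaps:// connection is the CA certificate mounted through ldap.ssl-trust-certificate, without which a server certificate check cannot be performed.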

Learn more #

The following video provides an overview of authentication and authorization in SEP:

Topics:

Running time: ~34 min.


Securing SEP’s internal communications and management endpoints #

Documentation for the material covered in this section is in the SEP reference documentation.

Topics:
  • Securing the Starburst cluster itself
  • Shared secret
  • Internal HTTPS
  • Secrets management
  • Management endpoints

Running time: ~16 min.


Hive catalog security #

We recommend reading the reference documentation on enabling SEP's role-based global access control.

While we strongly recommend implementing global access control, you can still secure Hive at the catalog level if your situation requires it. The reference documentation covers the following options for securing Hive at the catalog level:

Topics:
  • Authorization
  • Metastore authentication
  • HDFS authentication
  • Kerberos debugging
  • S3 authentication
  • Google Cloud authentication

Running time: ~18 min.