Securing Starburst Enterprise#
Learn how to safeguard your data with Dell Data Analytics Engine, powered by Starburst Enterprise platform (SEP)’s security toolkit in this training video presented by one of our founders, Dain Sundstrom. For your convenience, we’ve divided the video training course up into topic sections, and provided links to the relevant parts of our documentation below.
Introduction#
Running time: ~11 min.
Topics: |
---|
SEP security process. |
What to secure. |
Preparing: Verifying HTTP. |
Client to server encryption with TLS#
Enabling TLS to the coordinator can be handled from the load balancer in two ways:
Terminate TLS on the load balancer and use HTTP to the coordinator
Pass TLS through the load balancer and use HTTPS to the coordinator
We highly recommend terminating HTTPS on the load balancer. In this case, the
only property required in the Helm chart coordinator.etcFiles.properties
section under config.properties:
is as follows:
coordinator:
etcFiles:
properties:
config.properties: |
http-server.process-forwarded=true
For non-Kubernetes installs, the same property must be defined instead in the
config.properties
file.
To pass TLS through the load balancer, you must configure TLS on the coordinator. Place a certificate or private key in the coordinator pod with HTTPS enabled. To do so:
Create a secret from the signed certificate or private key. This file can be a PEM, JKS, or PK12 keystore.
Follow the steps outlined in the reference documentation to configure the coordinator. Refer to your SSL secret as follows in the following snippet, which uses a PEM file as an example:
coordinator:
etcFiles:
properties:
config.properties: |
http-server.https.keystore.path=secretRef:ssl-cert:yoursslcert.pem
The following video provides an overview of client-to-server encryption in SEP:
Running time: ~19 min.
Topics: |
---|
Approaches for HTTPS, including proxies and load balancers. |
Handling PEM and JKS files. |
Verifying HTTPS for SEP. |
Securing SEP’s internal communications and management endpoints#
Documentation for the material covered in this section is found here.
Running time: ~16 min.
Topics: |
---|
Securing the Starburst cluster itself. |
Shared secret. |
Internal HTTPS. |
Secrets management. |
Management endpoints. |
Data security#
We recommend the following additional reading, which covers enabling SEP’s powerful built-in role-based access control:
SEP’s built-in access control
SEP provides other methods of implementing global access control:
While we strongly recommend implementing global access control, you can still secure Hive at the catalog level if your particular situation makes that necessary. Documentation covering the various options for securing Hive at the catalog level can be found as follows:
Running time: ~18 min.
Topics: |
---|
Authorization. |
Kerberos debugging. |
S3 authentication. |
Google Cloud authentication |