Authentication and Authorization
A newly installed Hydrolix cluster comes with centralized user authentication and encrypted data at rest.
User authentication and authorization
Each Hydrolix cluster can be configured to use different access restrictions for your users. Access restrictions come in different forms:
- IP allow-lists
- User Authentication
- Role-Based Access Control (RBAC) to configure per-user authorization to projects and tables.
Secure data in transit
Move data securely through Hydrolix.
TLS
Hydrolix clusters securely retrieve data from cloud storage with token-based authentication over TLS. The data remains accessible only in the Virtual Private Cloud (VPC) hosting the Kubernetes deployment, isolating it from external networks.
Hydrolix can enforce TLS communication between end users and your cluster. To enforce TLS between end users and your cluster, Enable TLS. When TLS is enabled, Hydrolix disables non-secure port access to endpoints, including ingest, the UI, and query.
To use a custom certificate, see Add a Custom Certificate.
Network access
When you create your Hydrolix cluster, you can select different load balancers. Hydrolix supports the following load balancers using the traefik_service_type variable:
| Name | identifier | Behavior |
|---|---|---|
public load balancer | public_lb | A load balancer using a routable public IP address. |
private load balancer | private_lb | A load balancer using a private IP in the same subnet as the Kubernetes nodes. |
cluster IP | cluster_ip | No load balancer at all. You can only access your cluster from within your Kubernetes cluster. |
node port | node_port | A custom load balancer provided externally. |
Depending on your usage and use case you might want a publicly addressable cluster or a private one.
Whichever load balancer you choose, be sure to Configure IP Access for it.
Encrypt data at rest
For AWS, Google Cloud, and Azure, Hydrolix uses cloud storage layers which encrypt data at rest by default. For more information, see the platform documentation:
Encrypt data at rest to ensure your data storage layer is secure and can't be accessed without authorization.
Service account or secret key
To connect to data storage layers, Hydrolix requires a service account or a secret key. See how to create and manage permissions for Hydrolix clusters in User Authentication.
Use a service account or secret key to control access so only your Hydrolix cluster can access your storage layers.
Hydrolix clusters use a cache that stores metadata to disk. This cache is managed by your cloud storage layer provider, and thus is encrypted.
Updated 5 days ago