Authentication and Authorization

A newly installed Hydrolix cluster comes with centralized user authentication and encrypted data at rest.

User authentication and authorization

Each Hydrolix cluster can be configured to use different access restrictions for your users. Access restrictions come in different forms:

Secure data in transit

Move data securely through Hydrolix.

TLS

Hydrolix clusters securely retrieve data from cloud storage with token-based authentication over TLS. The data remains accessible only in the Virtual Private Cloud (VPC) hosting the Kubernetes deployment, isolating it from external networks.

Hydrolix can enforce TLS communication between end users and your cluster. To enforce TLS between end users and your cluster, Enable TLS. When TLS is enabled, Hydrolix disables non-secure port access to endpoints, including ingest, the UI, and query.

To use a custom certificate, see Add a Custom Certificate.

Network access

When you create your Hydrolix cluster, you can select different load balancers. Hydrolix supports the following load balancers using the traefik_service_type variable:

Name                    Identifier    Behavior
public load balancer    public_lb     A load balancer using a routable public IP address.
private load balancer   private_lb    A load balancer using a private IP in the same subnet as the Kubernetes nodes.
cluster IP              cluster_ip    No load balancer at all. You can only access your cluster from within your Kubernetes cluster.
node port               node_port     A custom load balancer provided externally.

Depending on your use case, you might want a publicly addressable cluster or a private one.

Whichever load balancer you choose, be sure to Configure IP Access for it.
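The following is an added example, not Hydrolix tooling or configuration from this page: a small policy check that reads a cluster exposure spec and reports the combinations the text above warns about (a publicly reachable load balancer without TLS, or without any IP access restriction). The only key taken from the page is traefik_service_type; the tls_enabled and ip_allow keys are assumed names standing in for the "Enable TLS" and "Configure IP Access" settings the page refers to, and the spec dictionaries are constructed sample input.

```python
"""Exposure policy check for a Hydrolix-style cluster spec (illustrative, not Hydrolix's own code).

Assumed keys: `tls_enabled` (bool) and `ip_allow` (list of CIDR strings) stand in for the
"Enable TLS" and "Configure IP Access" settings; only `traefik_service_type` comes from the page.
"""
import ipaddress
from typing import Dict, List

# Identifiers from the page's load balancer table, mapped to how reachable the cluster becomes.
SERVICE_TYPES = {
    "public_lb": "public",      # routable public IP address
    "private_lb": "private",    # private IP in the Kubernetes node subnet
    "cluster_ip": "internal",   # reachable only from inside the Kubernetes cluster
    "node_port": "external",    # custom load balancer provided outside the cluster
}


def check_exposure(spec: Dict) -> List[str]:
    """Return a list of findings; an empty list means the spec passes the policy."""
    findings: List[str] = []
    svc = spec.get("traefik_service_type")
    if svc not in SERVICE_TYPES:
        return [f"unknown traefik_service_type {svc!r}; expected one of {sorted(SERVICE_TYPES)}"]
    exposure = SERVICE_TYPES[svc]

    # A cluster_ip service is only reachable inside Kubernetes; every other choice
    # puts ingest, UI and query endpoints on a network where TLS and IP access matter.
    if exposure == "internal":
        return findings

    if not spec.get("tls_enabled", False):
        findings.append(f"{svc}: TLS not enforced; non-secure ports remain open to end users")

    allow = spec.get("ip_allow", [])
    if not allow:
        findings.append(f"{svc}: no IP access restriction configured")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"{svc}: invalid CIDR {cidr!r} in ip_allow")
            continue
        # A zero-length prefix (0.0.0.0/0 or ::/0) admits every source address.
        if net.prefixlen == 0 and exposure == "public":
            findings.append(f"{svc}: {cidr} admits the whole internet on a public load balancer")
    return findings


if __name__ == "__main__":
    # Constructed sample specs, not taken from any real deployment.
    samples = [
        {"traefik_service_type": "cluster_ip"},
        {"traefik_service_type": "private_lb", "tls_enabled": True, "ip_allow": ["10.0.0.0/8"]},
        {"traefik_service_type": "public_lb", "tls_enabled": False, "ip_allow": ["0.0.0.0/0"]},
    ]
    for s in samples:
        print(s["traefik_service_type"], "->", check_exposure(s) or "ok")
```

The check is deliberately conservative: it never blocks a legitimate private_lb deployment, but it refuses to stay silent when a publicly routable cluster has neither TLS enforcement nor an allow list, which is exactly the state the two "be sure to" instructions above exist to prevent.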

Encrypt data at rest

For AWS, Google Cloud, and Azure, Hydrolix uses cloud storage layers which encrypt data at rest by default. For more information, see the platform documentation:

Encrypt data at rest to ensure your data storage layer is secure and can't be accessed without authorization.

Service account or secret key

To connect to data storage layers, Hydrolix requires a service account or a secret key. See how to create and manage permissions for Hydrolix clusters in User Authentication.

Use a service account or secret key to control access so only your Hydrolix cluster can access your storage layers.

Hydrolix clusters use a cache that stores metadata to disk. This disk is provided by your cloud storage layer provider, and therefore is covered by the same encryption at rest.