3.5. Security#

Overview#

Mission Control provides the user powerful access to your Presto deployment. Access restrictions to allow only authenticated and authorized users are important for successful usage.

Authentication#

Mission Control supports three authentication systems:

  • built-in user management INTERNAL
  • external LDAP providers such as Active Directory LDAP
  • Google authentication GOOGLE

The user authentication systems are configured in the authentication.type property. The default is INTERNAL. One or more types in the desired order, separated by commas, are supported. Leaving the value empty disables authentication, and is not recommended.

Internal Authentication#

The internal authentication uses data stored in the backend database for access control and can be controlled with the user management section.

LDAP Authentication#

LDAP authentication for Mission Control has to be configured using the ldap.* properties in the general config file.

Google Authentication#

You can use Google authentication, if your Mission Control server is available at a URL using a full domain name, such as example.com.

The following steps describe how to activate this authentication in your Google cloud configuration.

  1. Go to your Google Cloud console at https://console.cloud.google.com.
  2. Select your project.
  3. Access the APIs & Services > OAuth consent screen.
  4. Select application type. Use internal app so that only users within your organization can authenticate.
  5. Add your domain name to the authorized domains list.
  6. Save and access APIs & Services > Credentials.
  7. Create credentials selecting OAuth client ID.
  8. Select Web application.
  9. Provide a name such as Mission Control and the full URL to Mission Control.
  10. Use the provided client id and client secret for the parameters authentication.google.client-id and authentication.google.secret in your Mission Control general config file.
  11. Add the domain name of the Google accounts to allow, such as example.com with authentication.google.hosted-domain in the config file.
  12. Restart Mission Control.

Now you can sign into Mission Control using your Google account.

Authorization#

Mission Control distinguishes between users with and without administrative rights. Only administrative users have access to manage other users and to edit all data sources and clusters.

Only the INTERNAL authentication system allows users to have administrative rights. We therefore suggest to use other authentication types in combination with the internal authentication.

Data sources have no authorization restrictions.

Clusters can only be edited by the creator, who are automatically assigned as the owner of the cluster, and administrators.