Manage Helios BYOC

After setting up Helios BYOC, you can manage your workspaces, databases, and other SingleStore Helios features via the Cloud Portal. For more information on managing workspaces, refer to Creating and Using Workspaces.

For information on shared responsibilities of the customer and SingleStore, refer to Shared Responsibility.

Note

The Control Plane must have the required privileges and network access configured during bootstrapping to manage and deploy Helios BYOC via the Cloud Portal.

Authentication

Token-Based Authentication

SingleStore's Cloud Portal supports token-based authentication built on username and password credentials. Organization owners provision and control access within an organization. You can also set the complexity, expiration, and reuse rules for passwords through password policies. Refer to Configuring a Password Policy for more information.

Single Sign-On Authentication

The Cloud Portal supports single sign-on (SSO) via cloud-native identity providers that support the SAML protocol, such as Okta, Ping, and Azure AD.

Authenticate via JWTs

The Cloud Portal supports authentication via JSON Web Tokens (JWTs). JWTs can be created through the Cloud Portal and user-managed identity providers to authenticate users. Refer to Authenticate via JWT for more information.

EKS IRSA

Helios BYOC running on Kubernetes uses EKS IAM Roles for Service Accounts (IRSA), a non-static authentication mechanism that avoids long-lived access keys, at the control-plane operational (backend) level.

Open ID Connect (OIDC)

The Cloud Portal supports self-service OIDC authentication using Okta, Azure, Ping, JumpCloud, etc. Refer to OIDC for more information.

IP Allowlisting

Use the IP Allowlist to ensure that a SingleStore workspace can only be accessed by a specified set of IP addresses. All Helios BYOC endpoints are private. This allows the user to identify and manage how Helios BYOC clusters can be accessed from their network and applications.

Administration

Role-Based Access Control at the Feature Level

The Role-Based Access Control (RBAC) framework controls access to the features in the Cloud Portal at different levels, such as organizations and workspace groups. Features or actions can be enabled or disabled on the Cloud Portal based on the roles granted to a user. This framework only controls access to the administrative features of Helios BYOC. Refer to Role-Based Access Control (RBAC) for more information.

Role-Based Access Control at the Database Level

The Role-Based Access Control (RBAC) framework controls access at the database level. Refer to Role-Based Access Control (RBAC) at the Database Level for information on standard roles and creating users with specific roles.

SingleStore recommends storing role/account creation commands in a separate version-controlled file. These commands must be run on all the nodes where users can connect.
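As an added example (not from the SingleStore documentation), this is the kind of version-controlled SQL file the recommendation above describes: roles carry privileges, groups bundle roles, and users are granted groups. The database, role, group and user names are assumptions, and the password tokens are placeholders substituted by deployment tooling so that no secret is committed.

```sql
-- rbac_roles.sql (constructed example). Apply this file on every node
-- that users can connect to; keep it in version control so access
-- changes are reviewed like code.

-- 1. Roles carry privileges. A read-only role for reporting on the
--    (assumed) "sales" database: SELECT only, no DML, no DDL.
CREATE ROLE 'sales_reader';
GRANT SELECT ON sales.* TO ROLE 'sales_reader';

-- A writer role for the application service account: DML only,
-- no DDL and no administrative privileges (least privilege).
CREATE ROLE 'sales_writer';
GRANT SELECT, INSERT, UPDATE, DELETE ON sales.* TO ROLE 'sales_writer';

-- 2. Groups bundle roles. Users are granted groups, never privileges
--    directly, so a review of this file shows the whole access model.
CREATE GROUP 'analysts';
GRANT ROLE 'sales_reader' TO GROUP 'analysts';

CREATE GROUP 'order_service';
GRANT ROLE 'sales_writer' TO GROUP 'order_service';

-- 3. Users. Passwords are NOT committed: the @@...@@ tokens are
--    replaced from a secret store by deployment tooling right before
--    the file is executed (assumption about the tooling).
CREATE USER 'alice'@'%' IDENTIFIED BY '@@ALICE_PASSWORD@@';
GRANT GROUP 'analysts' TO USER 'alice';

CREATE USER 'order_svc'@'%' IDENTIFIED BY '@@ORDER_SVC_PASSWORD@@';
GRANT GROUP 'order_service' TO USER 'order_svc';

-- 4. Verification after applying on each node: the effective grants
--    should show nothing beyond what the roles above carry.
SHOW GRANTS FOR 'alice'@'%';
SHOW GRANTS FOR 'order_svc'@'%';
```

Diffing the SHOW GRANTS output across nodes is a quick way to catch a node where the file was not applied, which is the failure mode the "run on all nodes" requirement guards against.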

Row-Level Security

Row-Level Security (RLS) restricts access to individual rows of a table to those users who hold the required permissions. Refer to Row Level Security for more information.

Logging and Monitoring

Internal Logs

All of the internal logs are retained to provide a full audit trail. Internal metrics are collected by Prometheus running in the Data Plane on the monitoring cluster, and the collected metrics can be viewed from the monitoring portal via Grafana. Internal logs are stored in the customer's AWS VPC.

Grafana also queries the user logs (database-associated) of the clusters deployed in the Data Plane. The user logs are not stored in the Control Plane, and they are only available on the Dashboard for the current session.

Audit Logs

SingleStore captures and manages all the logs within a cluster. By default, a cluster is set to the ADMIN-ONLY-INCLUDING-PARSE-FAILS audit logging level, which logs all the valid and invalid statements and queries. User credentials and personally identifiable information (PII) are obfuscated in audit logs. Audit logs are available on demand. Refer to Audit Logging for more information.

Control Plane Audit Logs

Control Plane audit logs record user actions in the Control Plane so that user activity can be tracked. All Cloud Portal activities are logged, including IP configuration, RBAC, access management, etc.

Data Plane Audit Log Forwarding

You can view Data Plane logs using AWS CloudTrail.

Updates

Updates are classified into two categories:

  • SingleStore updates: Updates to the SingleStore engine, including minor/major releases and maintenance updates, which can be scheduled in a maintenance window of your choice under the Updates tab in the Cloud Portal. Refer to SingleStore Helios Scheduled Updates for more information.

  • Kubernetes and infrastructure updates: You may also apply Kubernetes and infrastructure security patches and updates in a preferred maintenance window.

Note

Any additional updates to the infrastructure must be reviewed with SingleStore.

Last modified: December 4, 2024
