Manage Helios BYOC

Token-Based Authentication

SingleStore’s Cloud Portal supports token-based secure authentication, which is based on username and password. The organization owners can provision and control access within an organization. You can also set the complexity, expiration, and reuse of passwords through password policies. Refer to Configuring a Password Policy for more information.

Single Sign-On Authentication

The Cloud Portal supports authentication via cloud-native identity providers that support the SAML protocol, such as Okta, Ping, Azure AD for SSO.

Authenticate via JWTs

The Cloud Portal supports authentication via JSON Web Tokens (JWTs). JWTs can be created through the Cloud Portal and user-managed identity providers to authenticate users. Refer to Authenticate via JWT for more information.

EKS IRSA

The Helios BYOC running on Kubernetes uses EKS IRSA as a non-static authentication mechanism at the control-plane operational level (backend).

Open ID Connect (OIDC)

The Cloud Portal supports self-service OIDC authentication using Okta, Azure, Ping, JumpCloud, etc. Refer to OIDC for more information.

IP Allowlisting

Use the IP Allowlist to ensure that a SingleStore workspace can only be accessed by a specified set of IP addresses. All Helios BYOC endpoints are private. This allows the user to identify and manage how Helios BYOC clusters can be accessed from their network and applications.

Role-Based Access Control at the Feature Level

The Role-Based Access Control (RBAC) framework controls access to the features in the Cloud Portal at different levels, such as, organizations and workspace groups. Features or actions can be enabled or disabled on the Cloud Portal based on the roles granted to a user. This framework only controls access to the administrative features of Helios BYOC. Refer to Role-Based Access Control (RBAC) for more information.

Role-Based Access Control at the Database Level

The Role-Based Access Control (RBAC) framework controls access at the database level. Refer to Role-Based Access Control (RBAC) at the Database Level for information on standard roles and creating users with specific roles.

SingleStore recommends storing role/account creation commands in a separate version-controlled file. These commands must be run on all the nodes where users can connect.

Row-Level Security

Row-Level Security (RLS) allows only those users who have the required permissions to access data by rows in a database. Refer to Row Level Security for more information.

Internal Logs

All of the internal logs are available to ensure a full audit trail. Internal metrics use Prometheus in the Data Plane to collect metrics on the monitoring cluster. The collected metrics can be viewed from the monitoring portal via Grafana. Internal logs are stored on the customer's AWS VPC.

Grafana also queries the user logs (database-associated) of the clusters deployed in the Data Plane. The user logs are not stored in the Control Plane, and they are only available on the Dashboard for the current session.

Audit Logs

SingleStore captures and manages all the logs within a cluster. By default, a cluster is set to the ADMIN-ONLY-INCLUDING-PARSE-FAILS audit logging level which logs all the valid and invalid statements and queries. However, user credentials and personally identifiable information (PII) is obfuscated in audit logs. Audit logs are available on demand. Refer to Audit Logging for more information.