Identity Mapping to Presto Clusters
note
To enable identity providers in Ahana, contact Ahana Support.
An OIDC identity to Presto cluster authorization mapping specifies which clusters a particular OIDC identity has access to. Because you probably don’t want all users in your identity provider to be able to access all Presto clusters, you map identities to groups associated by name with Presto clusters to authorize users to access only the Presto clusters you want them to.
For each Presto cluster, create a group named ahana-clustername. For example, create a group named ahana-prod to provide access to the Ahana-managed Presto cluster named prod.
Create a group named ahana-ahana-admin that you can assign administrators to. Users whose OIDC identity are assigned to the ahana-ahana-admin group can access all Ahana-managed Presto clusters in your Ahana Compute Plane.
View the Group Name for an Ahana-managed Presto cluster and the Admin Group Name in the Identity Provider pane of the Presto cluster management pane. See Identity Provider.
The four users we will use in this example are:
- Eli - researcher, needs access to the Presto cluster named test
- Ana - researcher, needs access to the Presto clusters named prod and staging
- Stacey - researcher, needs access to the Presto cluster named prod
- Enrique - administrator, has access to all Presto clusters
These users have identities defined in the identity provider.
The groups in this example are:
- ahana-ahana-admin
- ahana-test
- ahana-staging
- ahana-prod
The ahana-ahana-admin group and the Presto cluster groups - ahana-test, ahana-staging, and ahana-prod - must have the web application attached to the group so users assigned to the group can access the Presto cluster.
The table shows the users, their role, their group memberships, and which Presto cluster they have access to.
| User | Role | Group | Presto Cluster |
|---|---|---|---|
| Eli | researcher | ahana-test | test |
| Ana | researcher | ahana-prod, ahana-staging | prod and staging |
| Stacey | researcher | ahana-prod | prod |
| Enrique | administrator | ahana-ahana-admin | all - prod, test, and staging |
User Enrique is a member of the ahana-ahana-admin group that can access all Presto clusters.
Enrique assigns user Eli to the Presto cluster group ahana-test. Eli can access the Presto cluster named test.
Enrique assigns user Ana to the Presto cluster groups ahana-prod and ahana-staging. Ana can access the Presto clusters prod and staging.
Enrique assigns user Stacey to the Presto cluster group ahana-prod. Stacey can access the Presto cluster prod.