Authentication


Authentication modules are configured in the security configuration file. Lenses Administrator and Basic Auth do not require any configuration.

Multiple authentication configurations can be used together.

The admin account 

An admin account is available with the default credentials admin/admin. If these are left at the default, the Lenses UI warns that the setup is insecure. You can secure the admin account.

User accounts 

The supported options to authenticate User accounts are:

Permissions 

User accounts belong to groups and inherit the groups' permissions. You can add and manage user accounts via the Lenses UI, the Lenses CLI or the API.

Service accounts 

Service accounts are authenticated using custom or generated tokens.

Permissions and groups 

Learn how permissions work.

Lenses provides data and application centric security via permissions on groups of users.

LDAP, Active Directory and Single-Sign-On provide user authentication and group management, while Kerberos provides only user authentication, but no group management.

Authentication | Users  | Groups | Permissions
LDAP           |        |        | Lenses
SSO            |        |        | Lenses
Kerberos       |        | Lenses | Lenses
Basic (Lenses) | Lenses | Lenses | Lenses

Authentication 

Learn more about different authentication providers:

When working with LDAP or Active Directory, user and group management is done in LDAP.

Lenses provides fine-grained role-based access control (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as in LDAP/AD, and set permissions. See how to configure LDAP.

When using an SSO solution such as Azure AD, Google, Okta, OneLogin, or an open-source one such as Keycloak, user and group management is done in the Identity Provider.

Lenses provides fine-grained role-based access control (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as your SSO group, and set permissions. See how to configure SSO.

When using Kerberos, users are authenticated via SPNEGO.

1. First, create a group of users.

2. Then add users to groups.

Finally, set permissions. See how to configure Kerberos.

With Basic Authentication, create groups of users and add users to those groups. Authentication and authorization are fully managed, and users can change their passwords.

Learn more about permissions and create groups and add users.

Account locking 

For the BASIC and LDAP authentication types, you can set a policy that temporarily locks an account after successive failed login attempts. Once the lock time window has passed, the user can log in again.

These two configuration entries enable the functionality (both of them have to be provided to take effect):

# Number of failed login attempts before an account is locked.
lenses.security.lockout.user.attempts.max = "5"

# The time in seconds to keep the account locked.
lenses.security.lockout.user.period.sec = "600"  #10 minutes
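
Because lockout only takes effect when both entries are provided, a file that sets just one of them silently leaves accounts unlocked. The following check is an added example, not Lenses code: it assumes flat `key = value` lines as shown above and that both values must be positive integers, and the function names are hypothetical.

```python
import re

ATTEMPTS = "lenses.security.lockout.user.attempts.max"
PERIOD = "lenses.security.lockout.user.period.sec"
_ENTRY = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*?)\s*$')

def strip_comment(line):
    """Drop a trailing # or // comment unless it sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line

def parse_settings(text):
    """Parse flat `key = value` lines (assumption: no nested blocks or includes)."""
    settings = {}
    for raw in text.splitlines():
        match = _ENTRY.match(strip_comment(raw))
        if match:
            settings[match.group(1)] = match.group(2).strip('"')
    return settings

def check_lockout(text):
    """Return (enabled, findings); enabled only if both entries are usable."""
    settings = parse_settings(text)
    findings = []
    for key in (ATTEMPTS, PERIOD):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif not re.fullmatch(r"[0-9]+", value) or int(value) == 0:
            # Assumption of this example: values must be positive integers.
            findings.append(f"{key} = {value!r} is not a positive integer")
    if (ATTEMPTS in settings) != (PERIOD in settings):
        findings.append("only one lockout entry is present, so lockout is not enabled")
    return (not findings, findings)

# Constructed sample inputs: the page's two entries, and a file with one commented out.
BOTH = '''# Number of failed login attempts before an account is locked.
lenses.security.lockout.user.attempts.max = "5"
# The time in seconds to keep the account locked.
lenses.security.lockout.user.period.sec = "600"  #10 minutes
'''
ONE = '''lenses.security.lockout.user.attempts.max = "5"
# lenses.security.lockout.user.period.sec = "600"
'''

if __name__ == "__main__":
    for name, sample in (("both", BOTH), ("one", ONE)):
        print(name, check_lockout(sample))
```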