1 © Hortonworks Inc. 2011 – 2018. All Rights Reserved
Hadoop Security
Lesson Objectives

After completing this lesson, students should be able to discuss:

⬢ Explain how HDP addresses the key security requirements
  – Authentication & Authorization
  – Audit & Administration
  – Data Protection
⬢ Visualize a typical multi-layered deployment strategy for security
  – Implementing Kerberos
  – Enhancing Authentication & Audit with Ranger
  – Securing the perimeter with Knox
  – Encrypting data at-rest and in-motion
⬢ Explain the benefits and high-level architecture of Apache Ranger
⬢ HDP Security Solution Overview
⬢ Multi-layered Protection
⬢ Authorization and Auditing with Apache Ranger
The Security Challenge

⬢ In order to protect any data system you must implement the following:
  – Administration: central management & consistent security
  – Authentication: authenticate users and systems
  – Authorization: provision access to data
  – Audit: maintain a record of data access
  – Data Protection: protect data at rest and in motion

3 Reasons for Security Focus
  • Malicious intent
  • Unintentional breach
  • Compliance
HDP Security: Comprehensive, Complete and Simple

⬢ Security in HDP is the most comprehensive and complete for Hadoop
  – Administration: central management & consistent security
  – Authentication: authenticate users and systems
  – Authorization: provision access to data
  – Audit: maintain a record of data access
  – Data Protection: protect data at rest and in motion

• HDP ensures comprehensive enforcement of security policy across the entire Hadoop stack
• HDP provides functionality across the complete set of security requirements
• HDP is the only solution to provide a single simple interface for security policy definition and maintenance
Security Today in Hadoop with HDP

Centralized Security Administration w/ Ranger, covering:
  – Authentication (Who am I / prove it?): Kerberos; API security with Apache Knox
  – Authorization (What can I do?): fine grain access control with Apache Ranger
  – Audit (What did I do?): centralized audit reporting w/ Apache Ranger
  – Data Protection (Can data be encrypted at rest and over the wire?): wire encryption in Hadoop; native and partner encryption
Multi-layered Protection
Typical Flow – SQL Access through Beeline Client

Diagram (baseline, before any security layer is added): Beeline Client → HiveServer 2 → HDFS (A, B, C)
Authenticate through Kerberos

Diagram: Beeline Client → HiveServer 2 → HDFS (A, B, C), with a KDC backed by Active Directory
1. Login into Hive using AD password
2. Client gets service ticket for Hive
3. Hive gets Namenode (NN) service ticket
4. Hive creates map reduce using NN ST
Add Authorization through Kerberos

Diagram: the same flow with Ranger added; Ranger imports users/groups from LDAP (Active Directory)
1. Login into Hive using AD password
2. Hive gets Namenode (NN) service ticket
– Ranger at HiveServer 2: column level access control, auditing
– Ranger at HDFS: file level access control
Add Firewall Routed through Knox Gateway

Diagram: Beeline Client → Apache Knox → HiveServer 2 → HDFS (A, B, C), with KDC / Active Directory and Ranger
1. Original request w/ user id/password (client to Knox)
2. Knox gets service ticket for Hive
3. Knox runs as proxy user using Hive ST
4. Use Hive ST, submit query
5. Hive gets Namenode (NN) service ticket
6. Hive creates map reduce using NN ST
7. Client gets query result
Add Wire and File Encryption

Diagram: the same Knox-routed flow (Beeline Client → Apache Knox → HiveServer 2 → HDFS, with KDC / Active Directory and Ranger), now with four links labelled SSL and one labelled SASL (the Hadoop RPC hop, which uses SASL-based protection rather than TLS)
1. Original request w/ user id/password (client to Knox)
2. Knox gets service ticket for Hive
3. Knox runs as proxy user using Hive ST
4. Use Hive ST, submit query
5. Hive gets Namenode (NN) service ticket
6. Hive creates map reduce using NN ST
7. Client gets query result
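The layers built up over the last four slides (Kerberos at Hadoop and HiveServer 2, then SASL and SSL on the wire) correspond to a handful of properties in core-site.xml, hdfs-site.xml and hive-site.xml. The following added example, which is not Hortonworks, HDP or Apache tooling, parses Hadoop's standard property XML and reports which of those settings are missing or still at a weak value. The property names are real Hadoop and Hive settings; the accepted values are this example's own hardening baseline, and the two embedded configurations are constructed samples, not a real cluster's files.

```python
"""Check merged Hadoop/Hive site properties for the authentication and
wire-encryption layers described on the slides.

Added example (not HDP or Apache code): parses the <property><name>/<value>
XML used by core-site.xml, hdfs-site.xml and hive-site.xml and reports which
Kerberos and wire-encryption settings are absent or weak. Property names are
real Hadoop/Hive settings; the accepted values are this example's baseline.
"""
import xml.etree.ElementTree as ET

# property -> (accepted values, lower-cased; which security layer it provides)
BASELINE = {
    "hadoop.security.authentication": ({"kerberos"}, "Kerberos authentication for Hadoop services"),
    "hadoop.rpc.protection": ({"privacy"}, "SASL privacy (encryption) on Hadoop RPC, e.g. HiveServer2 to NameNode"),
    "dfs.encrypt.data.transfer": ({"true"}, "encryption of HDFS block transfer to and from DataNodes"),
    "dfs.http.policy": ({"https_only"}, "TLS-only NameNode/DataNode web endpoints"),
    "hive.server2.authentication": ({"kerberos"}, "Kerberos at HiveServer2 (Beeline/Knox must present a Hive service ticket)"),
    "hive.server2.use.SSL": ({"true"}, "TLS on the Beeline or Knox to HiveServer2 link"),
}


def parse_site_xml(text: str) -> dict:
    """Return {property name: value} from one Hadoop-style configuration XML."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def find_gaps(props: dict) -> list:
    """Return (property, actual value or None, purpose) for each baseline miss.

    Values are compared case-insensitively because Hadoop accepts both
    'kerberos' and 'KERBEROS' for hive.server2.authentication.
    """
    gaps = []
    for name, (accepted, purpose) in BASELINE.items():
        actual = props.get(name)
        if actual is None or actual.lower() not in accepted:
            gaps.append((name, actual, purpose))
    return gaps


# Constructed samples standing in for merged core-site/hdfs-site/hive-site.xml.
WEAK_SITE_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication</value></property>
  <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
  <property><name>hive.server2.authentication</name><value>NONE</value></property>
</configuration>"""

HARDENED_SITE_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
  <property><name>hive.server2.authentication</name><value>KERBEROS</value></property>
  <property><name>hive.server2.use.SSL</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SITE_XML), ("hardened", HARDENED_SITE_XML)):
        gaps = find_gaps(parse_site_xml(xml_text))
        print(f"{label}: {len(gaps)} gap(s)")
        for name, actual, purpose in gaps:
            print(f"  {name} = {actual!r}: needed for {purpose}")
```

Run against real files by merging the dictionaries from each of the three XML files before calling `find_gaps`; a property missing entirely is reported the same way as a weak value, because Hadoop's defaults (simple authentication, RPC protection `authentication`, `HTTP_ONLY`) are the weak setting.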
Authorization and Auditing with Apache Ranger
Authorization and Audit

⬢ Authorization: fine grain access control (control access into the system; flexibility in defining policies)
  – HDFS – Folder, File
  – Hive – Database, Table, Column
  – HBase – Table, Column Family, Column
  – Storm, Knox and more
⬢ Audit: extensive user access auditing in HDFS, Hive and HBase
  – IP Address
  – Resource type / resource
  – Timestamp
  – Access granted or denied
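To make the two bullets above concrete, here is an added example, not Apache Ranger code, of how a plugin sitting in HiveServer 2 decides a request against database/table/column policies and what its audit record carries (IP address, resource, timestamp, granted or denied). The policy and request shapes are simplified stand-ins for Ranger's JSON, the deny-before-allow ordering follows Ranger's documented behaviour, and the users, groups, IP and resources are constructed sample data.

```python
"""Ranger-style policy evaluation for Hive, with the audit fields from the slide.

Added example, not Apache Ranger code. Policies name a Hive resource at every
level of the database/table/column hierarchy ('*' wildcards), a set of access
types and the users/groups they apply to. Deny policies are evaluated before
allow policies; a request no policy matches is denied.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

HIVE_LEVELS = ("database", "table", "column")  # Hive resource hierarchy


@dataclass
class Policy:
    name: str
    resources: dict            # level -> list of patterns, '*' matches all
    accesses: set              # e.g. {"select"}
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    is_deny: bool = False      # deny policies win over allow policies


@dataclass
class Request:
    user: str
    groups: frozenset
    client_ip: str
    access: str
    resource: dict             # one value per level in HIVE_LEVELS


def matches(policy: Policy, req: Request) -> bool:
    """True when principal, access type and every resource level match."""
    if req.user not in policy.users and not (req.groups & policy.groups):
        return False
    if req.access not in policy.accesses:
        return False
    return all(
        any(fnmatchcase(req.resource[level], pat) for pat in policy.resources[level])
        for level in HIVE_LEVELS
    )


def authorize(policies, req: Request, now=None):
    """Return (granted, audit_record); the record mirrors the slide's audit fields."""
    now = now or datetime.now(timezone.utc)
    matched = [p for p in policies if matches(p, req)]
    decision = (next((p for p in matched if p.is_deny), None)
                or next((p for p in matched if not p.is_deny), None))
    granted = decision is not None and not decision.is_deny
    record = {
        "timestamp": now.isoformat(),
        "client_ip": req.client_ip,
        "user": req.user,
        "resource_type": "column",
        "resource": "/".join(req.resource[level] for level in HIVE_LEVELS),
        "access": req.access,
        "result": "granted" if granted else "denied",
        "policy": decision.name if decision else None,
    }
    return granted, record


# Constructed sample policies: analysts may read the sales database, but the
# card_no column is denied to them and opened only to one named user.
SAMPLE_POLICIES = [
    Policy("analysts-sales-read", {"database": ["sales"], "table": ["*"], "column": ["*"]},
           {"select"}, groups={"analysts"}),
    Policy("deny-card-numbers", {"database": ["sales"], "table": ["orders"], "column": ["card_no"]},
           {"select"}, groups={"analysts"}, is_deny=True),
    Policy("finance-card-numbers", {"database": ["sales"], "table": ["orders"], "column": ["card_no"]},
           {"select"}, users={"finance_lead"}),
]


def evaluate(user, groups, access, database, table, column, client_ip="10.0.0.5"):
    """Build a request against the sample policies (client_ip is a constructed value)."""
    req = Request(user, frozenset(groups), client_ip, access,
                  {"database": database, "table": table, "column": column})
    return authorize(SAMPLE_POLICIES, req)


if __name__ == "__main__":
    for args in (("alice", {"analysts"}, "select", "sales", "orders", "amount"),
                 ("alice", {"analysts"}, "select", "sales", "orders", "card_no"),
                 ("finance_lead", {"finance"}, "select", "sales", "orders", "card_no")):
        print(evaluate(*args)[1])
```

The audit record is written for denied requests as well as granted ones, which is what makes the Ranger audit view useful for detection: a run of denied `card_no` reads from one IP is visible without any extra instrumentation.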
15 © Hortonworks Inc. 2011 – 2018. All Rights Reserved
Central Security Administration
⬢ Apache Ranger
  • Delivers a ‘single pane of glass’ for the security administrator
  • Centralises administration of security policy
  • Ensures consistent coverage across the entire Hadoop stack
Set Up Authorization Policies

Screenshot of the Ranger policy editor: file level access control, flexible definition; control permissions
Monitor through Auditing
Authorization and Auditing with Ranger

Architecture diagram:
– Enterprise Users → Ranger Administration Portal → Ranger Policy Server, Ranger Audit Server
– Enterprise Services: Security; Legacy Tools & Data Governance → Integration API
– Hadoop Components, each with a Ranger Plugin: HDFS, Hive Server2, HBase, Knox, Storm
– Audit store: HDFS, RDBMS, TBD
– Ranger Plugin*
Knowledge Check
Questions
1. What are the primary requirements for security?
2. What technology guarantees strong authentication in Hadoop?
3. Which requirements does Ranger address?
4. Does Hadoop tackle data encryption at-rest or in-motion?
Summary
⬢ HDP ensures comprehensive enforcement of security requirements across the entire Hadoop stack.
⬢ Kerberos is the key to strong authentication.
⬢ Ranger provides a single simple interface for security policy definition and maintenance.
⬢ Encryption options are available for data at-rest and in-motion.