Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang Software Engineer, Cloudera April 07, 2014



Similar documents
Apache Sentry. Prasad Mujumdar

Data Security in Hadoop

Multitenancy and the Enterprise Data Hub. James IP EXPO EUROPE Big Data Evolution Summit

SECURING YOUR ENTERPRISE HADOOP ECOSYSTEM

Who Am I? Mark Cusack Chief Architect 9 years@rainstor Founding developer Ex UK Ministry of Defence Research InfoSec projects

Big Data Management and Security

Securing Your Enterprise Hadoop Ecosystem Comprehensive Security for the Enterprise with Cloudera

Important Notice. (c) Cloudera, Inc. All rights reserved.

Like what you hear? Tweet it using: #Sec360

Securing Your Enterprise Hadoop Ecosystem Comprehensive Security for the Enterprise with Cloudera

Data Security For Government Agencies

Hadoop Ecosystem B Y R A H I M A.

How to Hadoop Without the Worry: Protecting Big Data at Scale

Olivier Renault Solu/on Engineer Hortonworks. Hadoop Security

Practical Hadoop. Security. Bhushan Lakhe

Constructing a Data Lake: Hadoop and Oracle Database United!

IBM BigInsights Has Potential If It Lives Up To Its Promise. InfoSphere BigInsights A Closer Look

Introduction to Big data. Why Big data? Case Studies. Introduction to Hadoop. Understanding Features of Hadoop. Hadoop Architecture.

Big Data Security. Kevvie Fowler. kpmg.ca

GAIN BETTER INSIGHT FROM BIG DATA USING JBOSS DATA VIRTUALIZATION

Cloudera Navigator Installation and User Guide

Big Data Operations Guide for Cloudera Manager v5.x Hadoop

SOLVING REAL AND BIG (DATA) PROBLEMS USING HADOOP. Eva Andreasson Cloudera

Professional Hadoop Solutions

Upcoming Announcements

Securing Big Data Hadoop: A Review of Security Issues, Threats and Solution

Fighting Cyber Fraud with Hadoop. Niel Dunnage Senior Solutions Architect

Infomatics. Big-Data and Hadoop Developer Training with Oracle WDP

Hadoop Ecosystem Overview. CMSC 491 Hadoop-Based Distributed Computing Spring 2015 Adam Shook

How to Install and Configure EBF15328 for MapR or with MapReduce v1

Cloudera Backup and Disaster Recovery

Self-service BI for big data applications using Apache Drill

SQL on NoSQL (and all of the data) With Apache Drill

Oracle Big Data Fundamentals Ed 1 NEW

Self-service BI for big data applications using Apache Drill

and Hadoop Technology

Dominik Wagenknecht Accenture

Denodo Data Virtualization Security Architecture & Protocols

Introduction to Hadoop HDFS and Ecosystems. Slides credits: Cloudera Academic Partners Program & Prof. De Liu, MSBA 6330 Harvesting Big Data

Native Connectivity to Big Data Sources in MSTR 10

Workshop on Hadoop with Big Data

HareDB HBase Client Web Version USER MANUAL HAREDB TEAM

HADOOP ADMINISTATION AND DEVELOPMENT TRAINING CURRICULUM

Architectural patterns for building real time applications with Apache HBase. Andrew Purtell Committer and PMC, Apache HBase

Cloudera Navigator Installation and User Guide

Integration of Apache Hive and HBase

Spring,2015. Apache Hive BY NATIA MAMAIASHVILI, LASHA AMASHUKELI & ALEKO CHAKHVASHVILI SUPERVAIZOR: PROF. NODAR MOMTSELIDZE

Big Data SQL and Query Franchising

Enterprise-grade Hadoop: The Building Blocks

Securing your Big Data Environment

White paper. The Big Data Security Gap: Protecting the Hadoop Cluster

docs.hortonworks.com

Document Type: Best Practice

Important Notice. (c) Cloudera, Inc. All rights reserved.

Cloudera Backup and Disaster Recovery

Accelerating Enterprise Big Data Success. Tim Stevens, VP of Business and Corporate Development Cloudera

Evaluation of Security in Hadoop

Datameer Big Data Governance

Bringing Big Data to People

Hortonworks Data Platform. Buyer s Guide

MySQL and Hadoop: Big Data Integration. Shubhangi Garg & Neha Kumari MySQL Engineering

AtScale Intelligence Platform

Big Data and Hadoop. Module 1: Introduction to Big Data and Hadoop. Module 2: Hadoop Distributed File System. Module 3: MapReduce

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

MapR: Best Solution for Customer Success

MULTITENANCY AND THE ENTERPRISE DATA HUB:

Data-Intensive Programming. Timo Aaltonen Department of Pervasive Computing

docs.hortonworks.com

Cloudera Manager Training: Hands-On Exercises

Where is Hadoop Going Next?

INDUS / AXIOMINE. Adopting Hadoop In the Enterprise Typical Enterprise Use Cases

Hadoop Security PROTECTING YOUR BIG DATA PLATFORM. Ben Spivey & Joey Echeverria

Integrating Kerberos into Apache Hadoop

The Future of Big Data SAS Automotive Roundtable Los Angeles, CA 5 March 2015 Mike Olson Chief Strategy Officer,

docs.hortonworks.com

A very short talk about Apache Kylin Business Intelligence meets Big Data. Fabian Wilckens EMEA Solutions Architect

Why Spark on Hadoop Matters

Overview. Edvantage Security

MySQL and Hadoop. Percona Live 2014 Chris Schneider

Hadoop Evolution In Organizations. Mark Vervuurt Cluster Data Science & Analytics

Oracle Big Data SQL. Architectural Deep Dive. Dan McClary, Ph.D. Big Data Product Management Oracle

From Relational to Hadoop Part 1: Introduction to Hadoop. Gwen Shapira, Cloudera and Danil Zburivsky, Pythian

Data Domain Profiling and Data Masking for Hadoop

Data Analyst Program- 0 to 100

Extending the Enterprise Data Warehouse with Hadoop Robert Lancaster. Nov 7, 2012

The Future of Data Management with Hadoop and the Enterprise Data Hub

Ensure PCI DSS compliance for your Hadoop environment. A Hortonworks White Paper October 2015

Hadoop & Spark Using Amazon EMR

Encryption and Anonymization in Hadoop

BIG DATA SERIES: HADOOP DEVELOPER TRAINING PROGRAM. An Overview

Auditing Big Data for Privacy, Security and Compliance

HADOOP SOLUTION USING EMC ISILON AND CLOUDERA ENTERPRISE Efficient, Flexible In-Place Hadoop Analytics

Hadoop Trends and Practical Use Cases. April 2014

ITG Software Engineering

Cloudera Enterprise Data Hub. GCloud Service Definition Lot 3: Software as a Service

Hortonworks and ODP: Realizing the Future of Big Data, Now Manila, May 13, 2015

Transcription:

1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang Software Engineer, Cloudera April 07, 2014

2 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance and Auditing Introducing Apache Sentry What's Sentry Sentry Architecture Sentry Internal Future work Q&A

3 Introduction Hadoop gets bigger... Hadoop has been enjoying an increasing adoption rate More and more data on Hadoop Cluster More and more access to the data Data warehouse offload is the most common use case Apache Hive, Apache Drill, Cloudera Impala SQL on Hadoop is phenomenon

4 Introduction (cont'd) But more encumbrance... Enterprises wants to protect sensitive data Government regulations, compliance, like HIPPA, PII, FISMA Existing security problems with Hadoop has hindered the adoption Security has become the top priority

5 Introduction (cont'd) Reality is Different components, different security mechanisms Multiple components may access the same data set Hadoop was born out of trust, not security Thinking of Windows

6 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance and Auditing Introducing Apache Sentry What's Sentry Sentry Architecture Sentry Internal Future work Q&A

7 Hadoop Security Primer Authentication Identify who you are Untrusted users has no access to the cluster network Trusted network, every one is good citizen Who you are is determined by client host

8 Hadoop Security Primer Strong Authentication Kerberos LDAP, ActiveDirectory LDAP, AD integrated with Kerberos, establishing a single point of truth Single point of truth

9 Hadoop Security Primer (cont'd) Kerberos Strong authentication Provides mutual authentication Protects against eavesdropping and replay attacks Every user and service has a Kerberos principal Credentials: keytabs (service), password (user)

10 Hadoop Security Primer (cont'd) Authorization HDFS Posix style permission R/W/E for O/G/O, coarse-grained Other components have authorization MR job queue HBase ACLs on table and column family. Accumulo provides cell-level access control Impersonation

11 Hadoop Security Primer (cont'd) Data Protection Data at rest and in transit Hadoop provides encryption on data in transit: DTP, HTTP, RPC, JDBC/ODBC Hadoop has no native encryption on data at rest Relying on OS-level encryption

12 Hadoop Security Primer (cont'd) Governance and auditing Again, component to component DFS and MapReduce provide base audit support Apache Hive metastore records audit (who/when) information for Hive interactions. Apache Oozie provides audit trail for services

13 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance and Auditing Introducing Apache Sentry What's Sentry Sentry Architecture Sentry Internal Future work Q&A

14 Introducing Apache Sentry Hadoop Authorization Existing authorization is fragmented, coarsegrained, and manual A lot of times data is just unprotected for simplicity Enterprises need a centralized authorization component that work across components with ease of use, fine-grained, role based

15 Introducing Apache Sentry (cont'd) What's Sentry Sentry is an authorization module for Hive, Search, Impala, and beyond It unlocks Key RBAC Requirements: secure, finegrained, role-based authorization, multi-tenant administration Open Source, Apache Incubator project Ecosystem Support: Apache SOLR, HiveServer2, & Impala 1.1+

16 Introducing Apache Sentry (cont'd) Key Benefits Store Sensitive Data in Hadoop Extend Hadoop to More Users Comply with Regulations

17 Introducing Apache Sentry (cont'd) Key Capabilities Fine-Grained: SERVERS, DATABASES, TABLES & VIEWS; INDEXES, COLLECTIONS Role-Based: role including privileges such as SELECT, INSERT, ALL; UPDATE, QUERY Multi-Tenant administration Separate policies for each database/schema Can be maintained by separate admins

18 Introducing Apache Sentry (cont'd) Sentry Architecture Impala HiveServ er2 SOLR Binding Layer Impal a Hive Search Pig Authorization Provider Policy Engine Policy Provider File Database Local FS/HDFS

19 Introducing Apache Sentry (cont'd) SQL Parse Validate SQL grammar Build Construct statement tree Check Sentry Validate statement objects First check: Authorization MR Plan Query Forward to execution planner

20 Introducing Apache Sentry (cont'd) Actors User User group membership Resources Privilege Role

21 Introducing Apache Sentry (cont'd) User User authenticated User identity obtained from session context

22 Introducing Apache Sentry (cont'd) User group membership Defined outside sentry policy Obtained from user directory (LDAP, AD, HDFS) Maybe available from session context

23 Introducing Apache Sentry (cont'd) Resources Data to be protected File or directory on HDFS Table or views in Hive URI Resource can be hierarchical

24 Introducing Apache Sentry (cont'd) Privilege Action or operation on a resource Exists in a role only SELECT on a given TABLE or VIEW CREATE a TABLE or VIEW QUERY on a search COLLECTION DELETE a FILE or DIRECTORY Example collection=customercol->action=query

25 Introducing Apache Sentry (cont'd) Roles A collection of privileges Defined in Sentry policy Example [roles] ana_query_role = collection=sentrycoll->action=query ana_update_role = collection=sentrycoll->action=update test_role = collection=testcoll->action=update full_admin_role = collection=*

26 Introducing Apache Sentry (cont'd) (Group, Role) mapping Defined in policy One-to-Many Example [groups] analyts = ana_query_role, ana_update_role admins = full_admin_role testgroup = test_role hbase = full_admin_role

27 Introducing Apache Sentry (cont'd) Rule evaluation Who's the user? Which group(s) does the user belong to? What resource to be accessed? How the resource is accessed (READ, SELECT, etc.)? Does any of the user's groups have a role, which has the right privilege? Yes great! Go head! No sorry! No sufficient privilege!

28 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance and Auditing Introducing Apache Sentry What's Sentry Sentry Architecture Sentry Internal Future work Q&A

29 Future Work Introduce Sentry to more Hadoop components for their authorization needs Centralized policy store aiming for the whole enterprise Grant/Revoke Centralized authorization service for all protected resources including metadata We need your contribution or support

30 Click to edit Master title style