BN
Uploaded byBiju Nair
1,279 views

Hadoop security

This document provides an overview of securing Hadoop applications and clusters. It discusses authentication using Kerberos, authorization using POSIX permissions and HDFS ACLs, encrypting HDFS data at rest, and configuring secure communication between Hadoop services and clients. The principles of least privilege and separating duties are important to apply for a secure Hadoop deployment. Application code may need changes to use Kerberos authentication when accessing Hadoop services.

Embed presentation

Downloaded 33 times
Secure Hadoop Application Ecosystem Boston Application Security Conference Oct 3 2015
Google Trends – Big Data Big Data Job Trends 2
3
Hadoop EcosystemFlumeSqoop ZooKeeper HBase Hive Pig MapReduce Spark YARN – Resource Manager HDFS – Distributed File System Kafka Storm 4
Why • Hadoop is a storage/processing infrastructure – Whether Big Data is hype or not • Fits well for lot of use cases • Inherent distributed storage/processing – Provides scalability at a relatively low cost • There is lot of backing – IBM, Microsoft, Amazon, Google, Intel … • Various distributions and companies 5
Hadoop Distributed File System FileA FileB FileC H1:blk0, H2:blk1 H3:blk0,H1:blk1 H2:blk0;H3:blk1 HDFS Directory Master Host (NN) DISK Local File System File FileA0 FileB1 Inode-x Inode-y Local FS Directory Host 1 FileA1 FileC0 Inode-a Inode-n Local FS Directory Host 2 FileB0 FileC1 Inode-r Inode-c Local FS Directory Host 3 In-x In-y In-a In-n In-r In-c DISK DISK DISK Files created are of size equal to the HDFS blksize 6
HDFS - Write Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 6 77 8 1. Client requests to open a file to write through fs.create() call. This will overwrite existing file. 2. Name node responds with a lease to the file path 3. Client writes to local and when data reaches block size, requests Name Node for write 4. Name Node responds with a new blockid and the destination data nodes for write and replication 5. Client sends the first data node the data and the checksum generated on the data to be written 6. First data node writes the data and checksum and in parallel pipelines the replications to other DN 7. Each data node where the data is replicated responds back with success /failure to the first DN 8. First data node in turn informs to the Name node that the write request for the block is complete which in turn will update its block map Note: There can be only one write at a time on a file 7
HDFS - Read Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 1. Client requests to open a file to read through fs.open() call 2. Name node responds with a lease to the file path 3. Client requests for read the data in the file 4. Name Node responds with block ids in sequence and the corresponding data nodes 5. Client reaches out directly to the DNs for each block of data in the file 6. When DNs sends back data along with check sum, client performs a checksum verification by generating a checksum 7. If the checksum verification fails client reaches out to other DNs where the re is a replication 7 8
Authorization • POSIX model for file and directory permissions – Associated with an owner and a group – Permission for owner, group and others – r for read, w for append to files – r for listing files, w for delete/create files in dirs – x to access child directories – Sticky bit on dirs prevents deletions by others 9
Kerberos 10 TGS AS KDB KDC 1 Create Principal User 2 - kinit 3 – Receive TGT 4 – Request Service Ticket Service 5 – Receive Service Ticket For service principals Keytabs are used
Secure HDFS Cluster - Authentication Master Namenode Slave Datanode Slave Datanode Slave Datanode KDC Keytab Keytab Keytab Keytab 11
Secure HDFS - Client Authentication Namenode Slave Datanode Slave Datanode Slave Datanode KDC HDFS Client KRB Token 1 Deleg Token 2 3 Block Tokens Deleg Token Key Key Key Key 4 12
Authentication Configuration • Set up Kerberos infrastructure – It may be already available through AD • Define service principals • Create Keytabs for service principals – E.g. HDFS, YARN • Copy keytabs to the master and slave nodes • Update site.xml files • Restart the services 13
HDFS Data Encryption HDFS Client Key Mgmt Server Key Trusty Namenode Datenode 1 - EZ 2 – EZ Key 2 - Create EZ EDEK 3 EDEK 4 – R/W 5 14
YARN 15 Resource Manager Node Manager Node Manager Node Manager Keytab Keytab Keytab Keytab Client submits MapRed Job App Master Container Container
Controlling Resource Usage • Schedulers – Fair – Capacity • Queues defined to use percentage of resource – Hierarchy with in queues • Users and groups attached to groups – Administer – Submit 16
YARN Queue 17 Root 100% Sec 70% sadmin, suser Adhoc 30% Aadmin, auser
Hadoop Cluster - Secure Perimeter Master Slave Slave Slave IPS/IDS/Firewall IPS/IDS/Firewall Clients DMZ/Separate Network 18
HDFS Services & Ports HDFS Service Port Name Node 8020 Name Node UI 50070 Secondary Name Node UI 50090 Data Node 50020 Data Node UI 50075 Journal Node 8480, 8485 HttpFS 14000, 14001 19
Principle of Least Priviledge • hdfs-site xml – dfs.permissions.superusergroup – dfs.cluster.administrators • core-site.xml – Hadoop.security.authorization to true • hadoop-policy.xml – security.client.protocol.acl – security.client.datanode.protocol.acl – security.get.user.mappings.protocol.acl 20
Application Code Change Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("ubuntu/hostname@REALM", ”ubuntu.keytab"); FileSystem fs = FileSystem.get(conf); 21 Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); FileSystem fs = FileSystem.get(conf); Unsecure Hadoop Secure Hadoop
Key Takeaways • New infrastructure will be part of enterprises – May not be as big as the hype • Adherence to application security principles – Complexity and maturity may be a roadblock • Constant follow-up on latest developments 22
References & Acknowledgements • Hadoop Security – https://issues.apache.org/jira/browse/HADOOP-4487 – Hadoop Project – Securing Hadoop Page • HDFS Encryption – https://issues.apache.org/jira/browse/HDFS-6134 – Hadoop Project Transparent Encryption Page – http://www.slideshare.net/Hadoop_Summit/transparent-encryption-in-hdfs • Hadoop service level authorization • YARN – Fair Scheduler – Capacity Scheduler • Hadoop Security Book 23
Thank You!! 24
bnair@asquareb.com blog.asquareb.com https://github.com/bijugs @gsbiju http://www.slideshare.net/bijugs

More Related Content

PDF
2014 sept 4_hadoop_security
byAdam Muise
 
PDF
Hadoop security
byshrey mehrotra
 
PDF
Hadoop & Security - Past, Present, Future
byUwe Printz
 
PPTX
Open Source Security Tools for Big Data
byRommel Garcia
 
PPTX
Hadoop Security in Big-Data-as-a-Service Deployments - Presented at Hadoop Su...
byAbhiraj Butala
 
PDF
Hadoop security overview_hit2012_1117rev
byJason Shih
 
PPTX
Hadoop security
byKashif Khan
 
PPTX
Hdp security overview
byHortonworks
 
2014 sept 4_hadoop_security
byAdam Muise
 
Hadoop security
byshrey mehrotra
 
Hadoop & Security - Past, Present, Future
byUwe Printz
 
Open Source Security Tools for Big Data
byRommel Garcia
 
Hadoop Security in Big-Data-as-a-Service Deployments - Presented at Hadoop Su...
byAbhiraj Butala
 
Hadoop security overview_hit2012_1117rev
byJason Shih
 
Hadoop security
byKashif Khan
 
Hdp security overview
byHortonworks
 

What's hot

PPTX
Hadoop security @ Philly Hadoop Meetup May 2015
byShravan (Sean) Pabba
 
PDF
Hadoop Security: Overview
byCloudera, Inc.
 
PPTX
Hadoop security
byShivaji Dutta
 
PPT
Hadoop Security Architecture
byOwen O'Malley
 
PPTX
Hadoop Security Today and Tomorrow
byDataWorks Summit
 
PPTX
Hadoop ClusterClient Security Using Kerberos
bySarvesh Meena
 
PPTX
Managing enterprise users in Hadoop ecosystem
byDataWorks Summit
 
PPTX
Data protection for hadoop environments
byDataWorks Summit
 
PPTX
Hadoop Security Features That make your risk officer happy
byDataWorks Summit
 
PDF
Hadoop Operations - Best practices from the field
byUwe Printz
 
PPT
Hadoop Operations: How to Secure and Control Cluster Access
byCloudera, Inc.
 
PPTX
Hadoop Security Today & Tomorrow with Apache Knox
byVinay Shukla
 
PPTX
Hadoop and Kerberos: the Madness Beyond the Gate
bySteve Loughran
 
PPTX
Improvements in Hadoop Security
byDataWorks Summit
 
PDF
Nl HUG 2016 Feb Hadoop security from the trenches
byBolke de Bruin
 
PPTX
Hadoop Security Features that make your risk officer happy
byAnurag Shrivastava
 
PPTX
Hadoop REST API Security with Apache Knox Gateway
byDataWorks Summit
 
PPTX
Securing the Hadoop Ecosystem
byDataWorks Summit
 
PDF
Apache Sentry for Hadoop security
bybigdatagurus_meetup
 
PPTX
Running secured Spark job in Kubernetes compute cluster and integrating with ...
byDataWorks Summit
 
Hadoop security @ Philly Hadoop Meetup May 2015
byShravan (Sean) Pabba
 
Hadoop Security: Overview
byCloudera, Inc.
 
Hadoop security
byShivaji Dutta
 
Hadoop Security Architecture
byOwen O'Malley
 
Hadoop Security Today and Tomorrow
byDataWorks Summit
 
Hadoop ClusterClient Security Using Kerberos
bySarvesh Meena
 
Managing enterprise users in Hadoop ecosystem
byDataWorks Summit
 
Data protection for hadoop environments
byDataWorks Summit
 
Hadoop Security Features That make your risk officer happy
byDataWorks Summit
 
Hadoop Operations - Best practices from the field
byUwe Printz
 
Hadoop Operations: How to Secure and Control Cluster Access
byCloudera, Inc.
 
Hadoop Security Today & Tomorrow with Apache Knox
byVinay Shukla
 
Hadoop and Kerberos: the Madness Beyond the Gate
bySteve Loughran
 
Improvements in Hadoop Security
byDataWorks Summit
 
Nl HUG 2016 Feb Hadoop security from the trenches
byBolke de Bruin
 
Hadoop Security Features that make your risk officer happy
byAnurag Shrivastava
 
Hadoop REST API Security with Apache Knox Gateway
byDataWorks Summit
 
Securing the Hadoop Ecosystem
byDataWorks Summit
 
Apache Sentry for Hadoop security
bybigdatagurus_meetup
 
Running secured Spark job in Kubernetes compute cluster and integrating with ...
byDataWorks Summit
 

Viewers also liked

PDF
NENUG Apr14 Talk - data modeling for netezza
byBiju Nair
 
PDF
Websphere MQ (MQSeries) fundamentals
byBiju Nair
 
PDF
Chef patterns
byBiju Nair
 
PDF
Concurrency
byBiju Nair
 
PDF
Project Risk Management
byBiju Nair
 
PDF
HDFS User Reference
byBiju Nair
 
PDF
HBase Application Performance Improvement
byBiju Nair
 
PDF
Netezza workload management
byBiju Nair
 
PPTX
Hadoop and Big Data Security
byChicago Hadoop Users Group
 
PDF
Using Netezza Query Plan to Improve Performace
byBiju Nair
 
PDF
Netezza fundamentals for developers
byBiju Nair
 
PDF
Managing Websphere Application Server certificates
byPiyush Chordia
 
PDF
It was just Open Source - TEDx Novara
byFabio Mora
 
PPT
THE BIG PRINT - Showing the Action
byBilly Marshall Stoneking
 
PDF
Hadoop Security Now and Future
bytcloudcomputing-tw
 
PDF
Row or Columnar Database
byBiju Nair
 
PDF
Big Data Security Intelligence and Analytics for Advanced Threat Protection
byBlue Coat
 
PDF
Advanced Security In Hadoop Cluster
byEdureka!
 
PPT
WebSphere Message Broker Training | IBM WebSphere Message Broker Online Training
byecorptraining2
 
PPTX
GSM/UMTS network architecture tutorial (Indonesia)
byejlp12
 
NENUG Apr14 Talk - data modeling for netezza
byBiju Nair
 
Websphere MQ (MQSeries) fundamentals
byBiju Nair
 
Chef patterns
byBiju Nair
 
Concurrency
byBiju Nair
 
Project Risk Management
byBiju Nair
 
HDFS User Reference
byBiju Nair
 
HBase Application Performance Improvement
byBiju Nair
 
Netezza workload management
byBiju Nair
 
Hadoop and Big Data Security
byChicago Hadoop Users Group
 
Using Netezza Query Plan to Improve Performace
byBiju Nair
 
Netezza fundamentals for developers
byBiju Nair
 
Managing Websphere Application Server certificates
byPiyush Chordia
 
It was just Open Source - TEDx Novara
byFabio Mora
 
THE BIG PRINT - Showing the Action
byBilly Marshall Stoneking
 
Hadoop Security Now and Future
bytcloudcomputing-tw
 
Row or Columnar Database
byBiju Nair
 
Big Data Security Intelligence and Analytics for Advanced Threat Protection
byBlue Coat
 
Advanced Security In Hadoop Cluster
byEdureka!
 
WebSphere Message Broker Training | IBM WebSphere Message Broker Online Training
byecorptraining2
 
GSM/UMTS network architecture tutorial (Indonesia)
byejlp12
 

Similar to Hadoop security

PPT
Setting_up_hadoop_cluster_Detailed-overview
byoyqhmysnxozaxsqfac
 
PPTX
Hadoop ppt on the basics and architecture
bysaipriyacoool
 
PDF
Hadoop data management
bySubhas Kumar Ghosh
 
PPTX
Introduction to hadoop and hdfs
byshrey mehrotra
 
PDF
HDFS Design Principles
byKonstantin V. Shvachko
 
PPTX
Hadoop
bySyed Measum Haider Bokhari
 
PDF
Hadoop Architecture in Depth
bySyed Hadoop
 
PPTX
Hadoop.NET
byHakeem Mohammed
 
PPTX
Module 2 C2_HadoopEcosystemComponents.pptx
byShrinivasa6
 
PDF
field_guide_to_hadoop_pentaho
byMartin Ferguson
 
PDF
Bigdata Technologies that includes various components .pdf
byashokchoppadandi685
 
PPTX
Understanding Hadoop
byMahendran Ponnusamy
 
PDF
Охота на уязвимости Hadoop
byPositive Hack Days
 
PPT
HDFS_architecture.ppt
byvijayapraba1
 
PPTX
Hadoop - HDFS
byKavyaGo
 
PPTX
Hadoop
byEsraa El Ghoul
 
PPTX
Introduction to HDFS
bySiddharth Mathur
 
PPTX
HDFS(Hadoop Distributed File System) -Unit 2.pptx
bySANKAR R
 
PPTX
Hadoop Summit Dublin 2016: Hadoop Platform at Yahoo - A Year in Review
bySumeet Singh
 
PPTX
Hadoop - Just the Basics for Big Data Rookies (SpringOne2GX 2013)
byVMware Tanzu
 
Setting_up_hadoop_cluster_Detailed-overview
byoyqhmysnxozaxsqfac
 
Hadoop ppt on the basics and architecture
bysaipriyacoool
 
Hadoop data management
bySubhas Kumar Ghosh
 
Introduction to hadoop and hdfs
byshrey mehrotra
 
HDFS Design Principles
byKonstantin V. Shvachko
 
Hadoop
bySyed Measum Haider Bokhari
 
Hadoop Architecture in Depth
bySyed Hadoop
 
Hadoop.NET
byHakeem Mohammed
 
Module 2 C2_HadoopEcosystemComponents.pptx
byShrinivasa6
 
field_guide_to_hadoop_pentaho
byMartin Ferguson
 
Bigdata Technologies that includes various components .pdf
byashokchoppadandi685
 
Understanding Hadoop
byMahendran Ponnusamy
 
Охота на уязвимости Hadoop
byPositive Hack Days
 
HDFS_architecture.ppt
byvijayapraba1
 
Hadoop - HDFS
byKavyaGo
 
Hadoop
byEsraa El Ghoul
 
Introduction to HDFS
bySiddharth Mathur
 
HDFS(Hadoop Distributed File System) -Unit 2.pptx
bySANKAR R
 
Hadoop Summit Dublin 2016: Hadoop Platform at Yahoo - A Year in Review
bySumeet Singh
 
Hadoop - Just the Basics for Big Data Rookies (SpringOne2GX 2013)
byVMware Tanzu
 

More from Biju Nair

PDF
Chef conf-2015-chef-patterns-at-bloomberg-scale
byBiju Nair
 
PDF
HBase Internals And Operations
byBiju Nair
 
PDF
Apache Kafka Reference
byBiju Nair
 
PDF
Serving queries at low latency using HBase
byBiju Nair
 
PDF
Multi-Tenant HBase Cluster - HBaseCon2018-final
byBiju Nair
 
PDF
Cursor Implementation in Apache Phoenix
byBiju Nair
 
Chef conf-2015-chef-patterns-at-bloomberg-scale
byBiju Nair
 
HBase Internals And Operations
byBiju Nair
 
Apache Kafka Reference
byBiju Nair
 
Serving queries at low latency using HBase
byBiju Nair
 
Multi-Tenant HBase Cluster - HBaseCon2018-final
byBiju Nair
 
Cursor Implementation in Apache Phoenix
byBiju Nair
 

Recently uploaded

PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
API-First Architecture in Financial Systems
bycyy111112
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 

Hadoop security

  • 1.
    Secure Hadoop Application Ecosystem BostonApplication Security Conference Oct 3 2015
  • 2.
    Google Trends –Big Data Big Data Job Trends 2
  • 3.
  • 4.
    Hadoop EcosystemFlumeSqoop ZooKeeper HBase Hive Pig MapReduce Spark YARN –Resource Manager HDFS – Distributed File System Kafka Storm 4
  • 5.
    Why • Hadoop isa storage/processing infrastructure – Whether Big Data is hype or not • Fits well for lot of use cases • Inherent distributed storage/processing – Provides scalability at a relatively low cost • There is lot of backing – IBM, Microsoft, Amazon, Google, Intel … • Various distributions and companies 5
  • 6.
    Hadoop Distributed FileSystem FileA FileB FileC H1:blk0, H2:blk1 H3:blk0,H1:blk1 H2:blk0;H3:blk1 HDFS Directory Master Host (NN) DISK Local File System File FileA0 FileB1 Inode-x Inode-y Local FS Directory Host 1 FileA1 FileC0 Inode-a Inode-n Local FS Directory Host 2 FileB0 FileC1 Inode-r Inode-c Local FS Directory Host 3 In-x In-y In-a In-n In-r In-c DISK DISK DISK Files created are of size equal to the HDFS blksize 6
  • 7.
    HDFS - WriteFlow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 6 77 8 1. Client requests to open a file to write through fs.create() call. This will overwrite existing file. 2. Name node responds with a lease to the file path 3. Client writes to local and when data reaches block size, requests Name Node for write 4. Name Node responds with a new blockid and the destination data nodes for write and replication 5. Client sends the first data node the data and the checksum generated on the data to be written 6. First data node writes the data and checksum and in parallel pipelines the replications to other DN 7. Each data node where the data is replicated responds back with success /failure to the first DN 8. First data node in turn informs to the Name node that the write request for the block is complete which in turn will update its block map Note: There can be only one write at a time on a file 7
  • 8.
    HDFS - ReadFlow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 1. Client requests to open a file to read through fs.open() call 2. Name node responds with a lease to the file path 3. Client requests for read the data in the file 4. Name Node responds with block ids in sequence and the corresponding data nodes 5. Client reaches out directly to the DNs for each block of data in the file 6. When DNs sends back data along with check sum, client performs a checksum verification by generating a checksum 7. If the checksum verification fails client reaches out to other DNs where the re is a replication 7 8
  • 9.
    Authorization • POSIX modelfor file and directory permissions – Associated with an owner and a group – Permission for owner, group and others – r for read, w for append to files – r for listing files, w for delete/create files in dirs – x to access child directories – Sticky bit on dirs prevents deletions by others 9
  • 10.
    Kerberos 10 TGS AS KDB KDC 1 Create Principal User 2 -kinit 3 – Receive TGT 4 – Request Service Ticket Service 5 – Receive Service Ticket For service principals Keytabs are used
  • 11.
    Secure HDFS Cluster- Authentication Master Namenode Slave Datanode Slave Datanode Slave Datanode KDC Keytab Keytab Keytab Keytab 11
  • 12.
    Secure HDFS -Client Authentication Namenode Slave Datanode Slave Datanode Slave Datanode KDC HDFS Client KRB Token 1 Deleg Token 2 3 Block Tokens Deleg Token Key Key Key Key 4 12
  • 13.
    Authentication Configuration • Setup Kerberos infrastructure – It may be already available through AD • Define service principals • Create Keytabs for service principals – E.g. HDFS, YARN • Copy keytabs to the master and slave nodes • Update site.xml files • Restart the services 13
  • 14.
    HDFS Data Encryption HDFS Client KeyMgmt Server Key Trusty Namenode Datenode 1 - EZ 2 – EZ Key 2 - Create EZ EDEK 3 EDEK 4 – R/W 5 14
  • 15.
  • 16.
    Controlling Resource Usage •Schedulers – Fair – Capacity • Queues defined to use percentage of resource – Hierarchy with in queues • Users and groups attached to groups – Administer – Submit 16
  • 17.
    YARN Queue 17 Root 100% Sec70% sadmin, suser Adhoc 30% Aadmin, auser
  • 18.
    Hadoop Cluster -Secure Perimeter Master Slave Slave Slave IPS/IDS/Firewall IPS/IDS/Firewall Clients DMZ/Separate Network 18
  • 19.
    HDFS Services &Ports HDFS Service Port Name Node 8020 Name Node UI 50070 Secondary Name Node UI 50090 Data Node 50020 Data Node UI 50075 Journal Node 8480, 8485 HttpFS 14000, 14001 19
  • 20.
    Principle of LeastPriviledge • hdfs-site xml – dfs.permissions.superusergroup – dfs.cluster.administrators • core-site.xml – Hadoop.security.authorization to true • hadoop-policy.xml – security.client.protocol.acl – security.client.datanode.protocol.acl – security.get.user.mappings.protocol.acl 20
  • 21.
    Application Code Change Configurationconf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("ubuntu/hostname@REALM", ”ubuntu.keytab"); FileSystem fs = FileSystem.get(conf); 21 Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); FileSystem fs = FileSystem.get(conf); Unsecure Hadoop Secure Hadoop
  • 22.
    Key Takeaways • Newinfrastructure will be part of enterprises – May not be as big as the hype • Adherence to application security principles – Complexity and maturity may be a roadblock • Constant follow-up on latest developments 22
  • 23.
    References & Acknowledgements •Hadoop Security – https://issues.apache.org/jira/browse/HADOOP-4487 – Hadoop Project – Securing Hadoop Page • HDFS Encryption – https://issues.apache.org/jira/browse/HDFS-6134 – Hadoop Project Transparent Encryption Page – http://www.slideshare.net/Hadoop_Summit/transparent-encryption-in-hdfs • Hadoop service level authorization • YARN – Fair Scheduler – Capacity Scheduler • Hadoop Security Book 23
  • 24.
  • 25.