Hadoop security @ Philly Hadoop Meetup May 2015

Apache Hadoop Security
Today and Tomorrow
Philly Hadoop Meetup
Shravan (Sean) Pabba | Senior Systems Engineer | @skpabba

2© Cloudera, Inc. All rights reserved.
Agenda
• Hadoop Evolution
• Why is Hadoop Security Different?
• Enterprise Security
• Perimeter
• Access
• Visibility
• Data
• What’s Next?
• Demo

Have you done?
•Hadoop?
•Cloudera/Hortonworks/MapR/Others?
•Security?
•Kerberos/AD/Encryption?

Evolution of the Hadoop Platform
2005-07 2008 2009 2010 2011 2012 2013-2015
Core Hadoop
(HDFS, MapReduce)
HBase
ZooKeeper
Core Hadoop
Hive
Mahout
HBase
ZooKeeper
Core Hadoop
Sqoop
Whirr
Avro
Hive
Mahout
HBase
ZooKeeper
Core Hadoop
Flume
Bigtop
Oozie
MRUnit
HCatalog
Hue
Sqoop
Whirr
Avro
Hive
Mahout
HBase
ZooKeeper
YARN
Core Hadoop
Spark
Tez
Impala
Kafka
Flume
Bigtop
Oozie
MRUnit
HCatalog
Hue
Sqoop
Whirr
Avro
Hive
Mahout
HBase
ZooKeeper
YARN
Core Hadoop
Parquet
Sentry
Spark
Tez
Impala
Kafka
Flume
Bigtop
Oozie
MRUnit
HCatalog
Hue
Sqoop
Whirr
Avro
Hive
Mahout
HBase
ZooKeeper
YARN
Core Hadoop
The stack is continually evolving and growing!

Multiple Workloads
Batch, Interactive,
and Real-Time.
Leading performance and
usability in one platform.
• End-to-end analytic workflows
• Access more data
• Work with data in new ways
• Enable new users
Security and Administration
Process
Ingest
Sqoop, Flume
Transform
MapReduce,
Hive, Pig, Spark
Discover
Analytic Database
Impala
Search
Solr
Model
Machine Learning
SAS, R, Spark,
Mahout
Serve
NoSQL Database
HBase
Streaming
Spark Streaming
Scale-Out Storage HDFS, HBase
YARN, Cloudera Manager,
Cloudera Navigator
Multiple big data opportunities in one optimized, high-performance, multi-tenant platform.

Why is Hadoop Security Different?
Benefits of EDH Security Side Effect
A single platform for all the data
Combining data and audiences that used to be
securely silo’d
A rich, flexible ecosystem of tools &
utilities
Security method proliferation can increase costs/
introduce coverage gaps
Ingest data of any type Sensitive fields added without review
Active Archive provides lower cost
storage than legacy systems
Lose the built-in compliance controls that legacy
systems provided

Business Users
• Run high value
workloads in cluster
• Quickly adopt new
innovations
Information Security
• Follow established
policies and
procedures
• Maintain
compliance
IT/Operations
• Integrate with existing
IT investments
• Minimize end-user
support
• Automate
configuration
Multiple Security Stakeholders - Competing Goals?

A Brief History of Hadoop Security
Originally developed
without security in mind
Yahoo! focused on
adding authentication
Project Rhino works to
enhance Hadoop Security
2005 2009 2013
• No authentication of users or
services
• Anyone could submit arbitrary
code to be executed
• Any user could impersonate
other users
• Security model was complex
• Security configurations were
complex and error-prone
• No data-at-rest encryption
• Limited authorization
capabilities
Project aims to add:
• Data Protection
• Authorization
Simplified Authentication

What is Enterprise Security?
Four Functional Areas
Hadoop Cluster
Users
Applications Operators
Perimeter
Data
Access
Visibility

Enterprise Security
Authentication, Authorization, Audit, and Compliance
Perimeter
Guarding access to the
cluster itself
InfoSec Concept:
Authentication
Access
Defining what users and
applications can do
with data
InfoSec Concept:
Authorization
Kerberos, LDAP/AD, Cloudera
Manager
HDFS ACLs, Apache Sentry,
HBase ABAC
Visibility
Reporting on where
data came from and
how it’s being used
InfoSec Concept:
Audit
Cloudera Navigator
Data
Protecting data in the
cluster from
unauthorized visibility
InfoSec Concept:
Compliance
HDFS Encryption, Navigator
Encrypt & Key Trustee

• Contributed by Intel in 2013
• Blueprint for enterprise-grade
security
Cloudera and Intel Project Rhino
Rhino Goal: Unified Authorization
Engineers at Intel and Cloudera
(together with Oracle and IBM)
are jointly contributing to
Apache Sentry
Rhino Goal: Encryption and Key
Management Framework
Cloudera and Intel engineers are now
contributing HDFS encryption
capabilities that can plug into enterprise
key managers

Perimeter Security Requirements
Preserve user choice of the right
Hadoop service (e.g. Impala,
Spark)
Conform to centrally managed
authentication policies
Implement with existing standard
systems: Active Directory and
Kerberos
Perimeter
Guarding access to the
cluster itself
InfoSec Concept:
Authentication
Kerberos, LDAP/AD, Cloudera
Manager

Perimeter: Authentication in Hadoop
Kerberos
• Provably strong authentication between all Hadoop services and
(optionally) to end-points
• Cloudera Manager hides complexity
LDAP/AD
• Username / password
• Option for Hue, Hive Metastore, Impala connectors, Cloudera
Manager admin logins
SAML
• For Single Sign-On (SSO) for listed options
• Kerberos clients no longer required on most user end-points

Authentication Options and Coverage
HDFS
HBase & Search
Impala & Hive
Server 2
MapReduce &
YARN
… Other Services
Commercial BI
Gateways
Client
Client
Client
Client
… Applications
(Pig, Hue, etc.)
“End-to-End” Kerberos
“Core” Kerberos “Edge” AD/LDAP/SAML

Example
KDC
NFS Server
ID: jdoe@FOO.BAR.ORG TGT & Client Session KeyTGT & Authenticator Service Ticket & Service Session Key
Service Ticket & Authenticator Timestamp

Kerberizing Hadoop Cluster
• Need a MIT KDC or Active Directory.
• Appropriate realm definitions in place.
• Each Hadoop service needs a principal for each host it runs on.
• Cloudera Manager makes it easy to enable Kerberos.
• Recent Cloudera blog post has detailed instructions,
http://blog.cloudera.com/blog/2015/03/how-to-quickly-configure-kerberos-for-
your-apache-hadoop-cluster/

• Manages Users, Groups, and Services
• Provides username / password authentication
• Group membership determines Service access
Active Directory
• Trusted and standard third-party
• Authenticated users receive “Tickets”
• “Tickets” gain access to Services
Kerberos
Active Directory and Kerberos
User authenticates
to AD
Authenticated user
gets Kerberos Ticket
Ticket grants access
to Services e.g.
Impala
User [ssmith]
Password[***** ]

Automated Authentication with Cloudera Manager
Direct to AD Kerberos
Integration
Kerberos
Configuration Wizard
Added Tuning and
Monitoring
• Users authenticate directly against AD
• Hadoop Services defined directly in AD Kerberos
• User access to Hadoop services controlled via AD
Groups
• Automates Kerberos configuration for existing Hadoop
clusters simplifying a tedious and error prone process
• Tune interrelated configuration for dual KDC’s
• Service monitoring through CM when Kerberos
enabled

Access Security Requirements
Provide users access to data
needed to do their job
Centrally manage access policies
Leverage a role-based access
control model built on AD
Access
Defining what users and
applications can do
with data
InfoSec Concept:
Authorization
HDFS ACL, Apache Sentry,
HBase ABAC

Manage data access by role, instead of by individual user
• Fraud Analyst Role has read access on ALL transaction data
• Branch Teller Role has read / write access on very limited set of data
• Relationships between users and roles are established via groups
An RBAC policy is then uniformly enforced for all Hadoop services
• Provides unified authorization controls
• As opposed to tools for managing numerous, service specific policies
RBAC and Centralized Authorization

Sentry provides unified authorization via fine-grained RBAC for Impala, Hive,
Search, MapReduce, Pig, HDFS…
Unified Authorization with Apache Sentry
Sentry Perm.
Read Access
to ALL
Transaction
Data
Sentry Role
Fraud Analyst
Role
Group
Fraud
Analysts
Sam Smith

• Sentry can be configured to use AD to determine a user’s group assignments
• Group assignment changes in AD are automatically picked up, resulting in
updated Sentry role assignments
Sentry and Active Directory Groups
Sentry Perm.
Read Access
to ALL
Transaction
Data
Sentry Role
Fraud Analyst
Role
AD Group
Fraud
Analysts
Sam Smith

Sentry enforces each rule across Hadoop components
Hive
Server 2
Enforcement
code
Impala
MapRed
uce, Pig,
HDFS*
Apps:
Datameer,
Platfora,
etc*
Permissions
rules
Common enforcement
code for consistency.
Rule 1: Allow fraud analysts read access
to the transaction table
Permissions specified by
administrators
(top-level and delegated)
Enforcement
code
Enforcement
code
Enforcement
code
Search
Enforcement
code

Visual Policy Management

Visibility Security Requirements
Understand where report data
came from and discover more
data like it
Comply with policies for audit,
data classification, and lineage
Centralize the audit repository;
perform discovery; automate
lineage
Visibility
Reporting on where
data came from and
how it’s being used
InfoSec Concept:
Audit
Cloudera Navigator

Auditing and Access Management
• Full audit and access history for HDFS,
Impala, HIVE, HBase and Sentry
• Review and verify HDFS permissions
Metadata & Discovery
• Easily discover, classify, and locate data to
support governance and compliance
Lineage & Provenance
• Automatic collection and easy visualization
of upstream and downstream data lineage
Lifecycle Management
• Policy-based data management
Visibility through Cloudera Navigator
Data Management for an EDH
HDFS HBASE HIVE
CLOUDERA NAVIGATOR
CDH
Audit & Access
Management
Classification &
Discovery Lineage
Lifecycle
Management
Enterprise Metadata Repository
 Business metadata
 System metadata

Data Security Requirements
Perform analytics on regulated
data
Encrypt data at rest and in
motion, conform to key
management policies, protect
from root
Integrate with existing HSM as
part of key management
infrastructure
Data
Protecting data in the
cluster from
unauthorized visibility
InfoSec Concept:
Compliance
HDFS Encryption, Navigator
Encrypt & Key Trustee

Data: Protection in Hadoop
Data in Motion Data at Rest
“Network Encryption”
• SSL/TLS/HTTPS – web user interfaces,
JDBC
• SASL – most other paths (i.e. network
RPC)
• Centrally enabled and configured in
Cloudera Manager
“Data Encryption”
• HDFS Encryption
• Cloudera Navigator
• OS-level file system encryption
• Certified partner solutions
• Field-level encryption
• Data masking or tokenization

Encryption of Data in Motion using SSL/TLS, HTTPS and SASL
• HDFS – SASL (RPC), SASL (Data Transfer Protocol)
• YARN – SASL (RPC)
• MR – SASL (RPC), HTTPS (shuffle)
• Flume – SSL (Avro RPC)
• HS2 – SASL (Thrift), SASL (JDBC), SSL (JDBC, ODBC)
• Impala - SSL
• Search – SSL
• Hue – HTTPS
Encrypting Data In Motion

• ZK – SASL (RPC)
• Sentry – SASL (RPC)
• Oozie – HTTPS
• Spark – SSL for Akka and HTTP (for broadcast and file server) protocols. No SSL
support for WebUI and block transfer service.
• Kafka – None
Encrypting Data In Motion

• Available in CDH 5.3/Hadoop 2.6 (HDFS-
6134)
• Supports specification of HDFS directories
as “Encryption Zones”
• All subsequent directory contents
encrypted
• Multi-tenant encryption with tenant
specific keys
• Compliments Navigator encrypt for meta-
data encryption
• Key management via Navigator key trustee
HDFS Encryption

• Encryption for HDFS, HBase
• No encryption for metadata, log files,
ingest paths
• No key management
• Complicated, manual command line
configuration
• Incomplete audit trail
Open Source HDFS Encryption
Manager Navigator
Impala Hive
HDFS HBase
Sentry
Log Files
Ingest Paths
Metadata Store
Encrypted Data
Encryption Key
Legend

Cloudera’s Solution:
• ALL data encrypted: HDFS, HBase,
metadata, log files, ingest paths
• Enterprise Key Management via Navigator
Key Trustee
• Configuration support via Cloudera
Manager
• Audit integration to Cloudera Navigator
• Optional root-of-trust integration with
HSMs
Compliance-Ready Encryption & Key Management
Manager Navigator
Impala Hive
HDFS HBase
Sentry
Navigator Key Trustee
Log Files
Metadata Store
Encrypted Data
Encryption Key
Legend
Ingest Paths

Transparent layer between
application and file system
• Compliance-Ready
• Massively Scalable
• High Performance: Optimized for
Intel
• Separation of Duties
• Key Management with Navigator Key
Trustee
Navigator Encrypt

“Virtual safe-deposit box” for managing encryption keys or other
Hadoop security artifact
Navigator Key Trustee
• Separates Keys from Encrypted Data
• Centralized Management with Audit
Controls
• Integration with HSMs from Thales,
RSA, and SafeNet
• Roadmap: Management of SSL
certificates, SSH keys, tokens,
passwords, Kerberos Keytab Files, and
more

What’s Next?
• Log Redaction – Was delivered as part of CDH 5.4
• Highly Available Authorization
• Unified Credential Management
• Simplified Wire Encryption
• Attribute-Based Access Controls & “Follow the Data” Security
• Single fine-grained permissions rule (such as row and column level) to be
enforced across all access paths, including MR and Spark, in addition to Hive and
Impala.
• Continued Cloudera & Intel Efforts

Demo Time

Hadoop security @ Philly Hadoop Meetup May 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Hadoop security @ Philly Hadoop Meetup May 2015

Similar to Hadoop security @ Philly Hadoop Meetup May 2015 (20)

Recently uploaded

Recently uploaded (20)

Hadoop security @ Philly Hadoop Meetup May 2015

Editor's Notes