secure your hadoop cluster with apache sentry incubating
play

Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu - PowerPoint PPT Presentation

Feb 24, 2024 •175 likes •492 views

1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer, Cloudera April 07, 2014 2 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance

  1. 1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer, Cloudera April 07, 2014

  2. 2 Outline • Introduction • Hadoop security primer • Authentication • Authorization • Data Protection • Governance and Auditing • Introducing Apache Sentry • What's Sentry • Sentry Architecture • Sentry Internal • Future work • Q&A

  3. 3 Introduction ● Hadoop gets bigger ... ● Hadoop has been enjoying an increasing adoption rate ● More and more data on Hadoop Cluster ● More and more access to the data ● Data warehouse offload is the most common use case ● Apache Hive, Apache Drill, Cloudera Impala ● SQL on Hadoop is phenomenon

  4. 4 Introduction (cont'd) ● But more encumbrance ... ● Enterprises wants to protect sensitive data ● Government regulations, compliance, like HIPPA, PII, FISMA ● Existing security problems with Hadoop has hindered the adoption ● Security has become the top priority

  5. 5 Introduction (cont'd) ● Reality is ● Different components, different security mechanisms ● Multiple components may access the same data set ● Hadoop was born out of trust, not security ● Thinking of Windows

  6. 6 Outline • Introduction • Hadoop security primer • Authentication • Authorization • Data Protection • Governance and Auditing • Introducing Apache Sentry • What's Sentry • Sentry Architecture • Sentry Internal • Future work • Q&A

  7. 7 Hadoop Security Primer • Authentication ● Identify who you are ● Untrusted users has no access to the cluster network ● Trusted network, every one is good citizen ● Who you are is determined by client host

  8. 8 Hadoop Security Primer • Strong Authentication ● Kerberos ● LDAP, ActiveDirectory ● LDAP, AD integrated with Kerberos, establishing a single point of truth ● Single point of truth

  9. 9 Hadoop Security Primer (cont'd) • Kerberos ● Strong authentication ● Provides mutual authentication ● Protects against eavesdropping and replay attacks ● Every user and service has a Kerberos “principal” ● Credentials: keytabs (service), password (user)

  10. 10 Hadoop Security Primer (cont'd) • Authorization ● HDFS Posix style permission R/W/E for O/G/O, coarse-grained ● Other components have authorization ● MR job queue ● HBase ACLs on table and column family. ● Accumulo provides cell-level access control ● Impersonation

  11. 11 Hadoop Security Primer (cont'd) • Data Protection ● Data at rest and in transit • Hadoop provides encryption on data in transit: DTP, HTTP, RPC, JDBC/ODBC • Hadoop has no native encryption on data at rest • Relying on OS-level encryption

  12. 12 Hadoop Security Primer (cont'd) • Governance and auditing ● Again, component to component ● DFS and MapReduce provide base audit support ● Apache Hive metastore records audit (who/when) information for Hive interactions. ● Apache Oozie provides audit trail for services

  13. 13 Outline • Introduction • Hadoop security primer • Authentication • Authorization • Data Protection • Governance and Auditing • Introducing Apache Sentry • What's Sentry • Sentry Architecture • Sentry Internal • Future work • Q&A

  14. 14 Introducing Apache Sentry ● Hadoop Authorization ● Existing authorization is fragmented, coarse- grained, and manual ● A lot of times data is just unprotected for simplicity ● Enterprises need a centralized authorization component that work across components with ease of use, fine-grained, role based

  15. 15 Introducing Apache Sentry (cont'd) ● What's Sentry ● Sentry is an authorization module for Hive, Search, Impala, and beyond ● It unlocks Key RBAC Requirements: secure, fine- grained, role-based authorization, multi-tenant administration ● Open Source, Apache Incubator project ● Ecosystem Support: Apache SOLR, HiveServer2, & Impala 1.1+

  16. 16 Introducing Apache Sentry (cont'd) ● Key Benefits ● Store Sensitive Data in Hadoop ● Extend Hadoop to More Users ● Comply with Regulations

  17. 17 Introducing Apache Sentry (cont'd) ● Key Capabilities ● Fine-Grained: SERVERS, DATABASES, TABLES & VIEWS; INDEXES, COLLECTIONS ● Role-Based: role including privileges such as SELECT, INSERT, ALL; UPDATE, QUERY ● Multi-T enant administration ● Separate policies for each database/schema ● Can be maintained by separate admins

  18. 18 Introducing Apache Sentry (cont'd) Sentry Architecture HiveServ Impala SOLR er2 Binding Impal Layer Hive Search Pig … a Authorization Policy Engine Provider Policy Provider File Database Local FS/HDFS

  19. 19 Introducing Apache Sentry (cont'd) SQL Validate SQL grammar Parse Construct statement tree Build Sentry Validate statement objects Check • First check : Authorization Forward to execution planner Plan MR Query

  20. 20 Introducing Apache Sentry (cont'd) • Actors ● User ● User group membership ● Resources ● Privilege ● Role

  21. 21 Introducing Apache Sentry (cont'd) • User ● User authenticated ● User identity obtained from session context

  22. 22 Introducing Apache Sentry (cont'd) • User group membership ● Defined outside sentry policy ● Obtained from user directory (LDAP, AD, HDFS) ● Maybe available from session context

  23. 23 Introducing Apache Sentry (cont'd) • Resources ● Data to be protected ● File or directory on HDFS ● T able or views in Hive ● URI ● Resource can be hierarchical

  24. 24 Introducing Apache Sentry (cont'd) • Privilege ● Action or operation on a resource ● Exists in a role only ● SELECT on a given TABLE or VIEW ● CREATE a TABLE or VIEW ● QUERY on a search COLLECTION ● DELETE a FILE or DIRECTORY ● Example collection=customerCol->action=query

  25. 25 Introducing Apache Sentry (cont'd) • Roles ● A collection of privileges ● Defined in Sentry policy ● Example [roles] ana_query_role = collection=sentryColl->action=query ana_update_role = collection=sentryColl->action=update test_role = collection=testColl->action=update full_admin_role = collection=*

  26. 26 Introducing Apache Sentry (cont'd) • (Group, Role) mapping ● Defined in policy ● One-to-Many ● Example [groups] analyts = ana_query_role, ana_update_role admins = full_admin_role testgroup = test_role hbase = full_admin_role

  27. 27 Introducing Apache Sentry (cont'd) • Rule evaluation ● Who's the user? ● Which group(s) does the user belong to? ● What resource to be accessed? ● How the resource is accessed (READ, SELECT, etc.)? ● Does any of the user's groups have a role, which has the right privilege? ● Yes – great! Go head! ● No – sorry! No sufficient privilege!

  28. 28 Outline • Introduction • Hadoop security primer • Authentication • Authorization • Data Protection • Governance and Auditing • Introducing Apache Sentry • What's Sentry • Sentry Architecture • Sentry Internal • Future work • Q&A

  29. 29 Future Work ● Introduce Sentry to more Hadoop components for their authorization needs ● Centralized policy store aiming for the whole enterprise ● Grant/Revoke ● Centralized authorization service for all protected resources including metadata ● We need your contribution or support

  30. 30 Click to edit Master title style

Recommend

Apache Whirr (Incubating) Open Source Cloud Services Tom White, Cloudera, @tom_e_white OSCON

Apache Whirr (Incubating) Open Source Cloud Services Tom White, Cloudera, @tom_e_white OSCON

Apache Whirr (Incubating) Open Source Cloud Services Tom White, Cloudera, @tom_e_white OSCON Data, Portland, OR 25 July 2011 About me Apache Hadoop Committer, PMC Member, Apache Member Engineer at Cloudera working on core Hadoop

794 views • 38 slides
Apache DataFu (incubating) William Vaughan Staff Software Engineer, LinkedIn

Apache DataFu (incubating) William Vaughan Staff Software Engineer, LinkedIn

Apache DataFu (incubating) William Vaughan Staff Software Engineer, LinkedIn www.linkedin.com/in/williamgvaughan Apache DataFu Apache DataFu is a collection of libraries for working with large-scale data in Hadoop. Currently consists of

1.01k views • 59 slides
Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com Seville, Spain, Nov 14 - 16 2016

Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com Seville, Spain, Nov 14 - 16 2016

Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com Seville, Spain, Nov 14 - 16 2016 About me Software engineers at Cloudera Apache Sentry PMC and Committer Presentation Agenda Apache Sentry Overview

593 views • 35 slides
APACHE S2GRAPH (INCUBATING) AS A USER EVENT HUB KAKAO CORP. ABSTRACT Apache S2Graph

APACHE S2GRAPH (INCUBATING) AS A USER EVENT HUB KAKAO CORP. ABSTRACT Apache S2Graph

KAKAO CORP. APACHE S2GRAPH (INCUBATING) AS A USER EVENT HUB KAKAO CORP. ABSTRACT Apache S2Graph (incubating) is a graph database designed to handle transactional graph processing at scale. Its API allows you to store, manage and query

154 views • 13 slides
Writing a BLE application is a snap with Apache Mynewt* (* incubating at ASF) Aditi Hilbert

Writing a BLE application is a snap with Apache Mynewt* (* incubating at ASF) Aditi Hilbert

Writing a BLE application is a snap with Apache Mynewt* (* incubating at ASF) Aditi Hilbert ApacheIoT @ ApacheCon, 2017 An Open Source OS for MCUs Tested, open source networking stacks Pre-emptive power optimized RTOS Secure

340 views • 17 slides
Extension: Combiner Functions import org.apache.hadoop.io.IntWritable; import

Extension: Combiner Functions import org.apache.hadoop.io.IntWritable; import

10/6/2011 import java.io.IOException; import org.apache.hadoop.fs.Path; Extension: Combiner Functions import org.apache.hadoop.io.IntWritable; import org.apache.hadoop.io.Text; import org.apache.hadoop.mapred.FileInputFormat; import

177 views • 7 slides
Apache Hadoop 3.x State of The Union and Upgrade Guidance Wei-Chiu Chuang Wangda Tan

Apache Hadoop 3.x State of The Union and Upgrade Guidance Wei-Chiu Chuang Wangda Tan

Apache Hadoop 3.x State of The Union and Upgrade Guidance Wei-Chiu Chuang Wangda Tan @Cloudera, Sr. Manager, Compute Platform Apache Hadoop PMC @Cloudera, Apache Hadoop PMC Agenda Hadoop Community Updates & Overview Updates

871 views • 47 slides
COMP9313: Big Data Management Hadoop and HDFS Hadoop Apache Hadoop is an open-source

COMP9313: Big Data Management Hadoop and HDFS Hadoop Apache Hadoop is an open-source

COMP9313: Big Data Management Hadoop and HDFS Hadoop Apache Hadoop is an open-source software framework that Stores big data in a distributed manner Processes big data parallelly Builds on large clusters of commodity hardware.

2.93k views • 60 slides
Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache Hadoop PMC Member Mapred2010 Dec 1 1 Agenda Introduction A New World Record How to Compute The n th Bits of ? Computing with

759 views • 52 slides
Brief Bio Rohit Jain is the CTO at Esgyn working on Apache Trafodion TM , currently in incubation.

Brief Bio Rohit Jain is the CTO at Esgyn working on Apache Trafodion TM , currently in incubation.

Apache Trafodion TM (incubating) Enterprise-Class Transactional SQL-on-Hadoop DBMS trafodion.apache.org 1 Brief Bio Rohit Jain is the CTO at Esgyn working on Apache Trafodion TM , currently in incubation. Trafodion is a transactional

402 views • 24 slides
Fault Tolerance, Replication, and Consistency 1 Motivation: Hadoop Cluster 2 Motivation:

Fault Tolerance, Replication, and Consistency 1 Motivation: Hadoop Cluster 2 Motivation:

Fault Tolerance, Replication, and Consistency 1 Motivation: Hadoop Cluster 2 Motivation: Hadoop Cluster Mostly retired desktops Intel Core 2: launched in 2008 Support is gathering old servers 3 Motivation: Hadoop Cluster Mostly retired

383 views • 35 slides
Graph Processing with Apache Tinkerpop on Apache S2Graph(incubating) TABLE OF CONTENTS -

Graph Processing with Apache Tinkerpop on Apache S2Graph(incubating) TABLE OF CONTENTS -

Graph Processing with Apache Tinkerpop on Apache S2Graph(incubating) TABLE OF CONTENTS - BACKGROUND - TINKERPOP3 ON S2GRAPH - UNIQUE FEATURES OF S2GRAPH - BENCHMARK - FUTURE WORK BACKGROUND BACKGROUND - OUR GRAPH The most interesting

446 views • 34 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Apache MRQL (incubating): Advanced Query Processing for Complex, Large-Scale Data Analysis

Apache MRQL (incubating): Advanced Query Processing for Complex, Large-Scale Data Analysis

Apache MRQL (incubating): Advanced Query Processing for Complex, Large-Scale Data Analysis Leonidas Fegaras University of Texas at Arlington http://mrql.incubator.apache.org/ 04/12/2015 Outline Who am I? Motivation Design objectives

576 views • 29 slides
Fundamentals of Stream Processing with Apache Beam (incubating) Frances Perry & Tyler Akidau

Fundamentals of Stream Processing with Apache Beam (incubating) Frances Perry & Tyler Akidau

Google Docs version of slides (including animations): https://goo.gl/yzvLXe Fundamentals of Stream Processing with Apache Beam (incubating) Frances Perry & Tyler Akidau @francesjperry, @takidau Apache Beam Committers & Google Engineers

771 views • 58 slides
The Apache Hadoop Ecosystem Doug Cutting Cloudera & Apache Context: exponential for

The Apache Hadoop Ecosystem Doug Cutting Cloudera & Apache Context: exponential for

The Apache Hadoop Ecosystem Doug Cutting Cloudera & Apache Context: exponential for decades! abundance of computing & storage generated data (8ZB in '15) peta-scale is now affordable (kMGTPEZY) petabytes

329 views • 9 slides
Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks What hat is is Sp Spark? rk? Fast st and Expr pressiv essive Cluster Computing Engine Compatible with Apache Hadoop Efficient ficient Usa sabl ble Rich APIs

1.18k views • 25 slides
Federated SQL on Hadoop and Beyond: Leveraging Apache Geode to Build a Poor Man's SAP HANA by

Federated SQL on Hadoop and Beyond: Leveraging Apache Geode to Build a Poor Man's SAP HANA by

Federated SQL on Hadoop and Beyond: Leveraging Apache Geode to Build a Poor Man's SAP HANA by Christian Tzolov @christzolov Whoami Christian Tzolov Technical Architect at Pivotal, BigData, Hadoop, SpringXD, Apache Committer, Crunch PMC

395 views • 36 slides
Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark?

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark?

Introduction to Apache Spark Slides from: Patrick Wendell - Databricks 1 What is Sp Spark? rk? Fast ast and Ex Expres essiv sive Cluster Computing Engine Compatible with Apache Hadoop Eff fficie cient nt Usabl able Rich APIs in

792 views • 31 slides
Introduction to (incubating) ApacheCon Big Data, September 2015 sblackmon@apache.org Agenda -

Introduction to (incubating) ApacheCon Big Data, September 2015 sblackmon@apache.org Agenda -

Introduction to (incubating) ApacheCon Big Data, September 2015 sblackmon@apache.org Agenda - Problem: Proliferation - Activity Streams - Apache Streams - Compatibility - Schemas - Resources Problem: Proliferation! S Silos S

616 views • 33 slides
Hadoop Scheduling A Hadoop job consists of Map tasks and Reduce tasks Only one job in

Hadoop Scheduling A Hadoop job consists of Map tasks and Reduce tasks Only one job in

Hadoop Scheduling A Hadoop job consists of Map tasks and Reduce tasks Only one job in entire cluster => it occupies cluster Multiple customers with multiple jobs Users/jobs = tenants Multi-tenant system

328 views • 11 slides
The other Apache Technologies your Big Data solution needs! Nick Burch The Apache Software

The other Apache Technologies your Big Data solution needs! Nick Burch The Apache Software

The other Apache Technologies your Big Data solution needs! Nick Burch The Apache Software Foundation Apache T echnologies as in the ASF 91 T op Level Projects 59 Incubating Projects (74 past ones) Y is the only letter we lack

1.03k views • 65 slides
Apache Hadoop YARN: The Next- generation Distributed Operating System Zhijie Shen & Jian He

Apache Hadoop YARN: The Next- generation Distributed Operating System Zhijie Shen & Jian He

Apache Hadoop YARN: The Next- generation Distributed Operating System Zhijie Shen & Jian He @ Hortonworks About Us Software Engineer @ Hortonworks, Inc. Hadoop Committer @ The Apache Foundation Were doing YARN! Agenda

562 views • 29 slides
Streamline Hadoop DevOps with Apache Ambari Alejandro Fernandez May

Streamline Hadoop DevOps with Apache Ambari Alejandro Fernandez May

Streamline Hadoop DevOps with Apache Ambari Alejandro Fernandez May 18, 2017 Speaker Alejandro Fernandez Staff Software Engineer @ Hortonworks Apache Ambari PMC alejandro@apache.org WHY ARE WE

1.33k views • 52 slides

More recommend