DataWorks Summit, profile picture
Uploaded byDataWorks Summit
PPTX, PDF5,504 views

Hadoop Security Today and Tomorrow

The document discusses Hadoop security today and tomorrow. It describes the four pillars of Hadoop security as authentication, authorization, accountability, and data protection. It outlines the current security capabilities in Hadoop like Kerberos authentication and access controls, and future plans to improve security, such as encryption of data at rest and in motion. It also discusses the Apache Knox gateway for perimeter security and provides a demo of using Knox to submit a MapReduce job.

TechnologyBusiness
In this document
Powered by AI

Introduction of Hadoop Security by Vinay Shukla from Hortonworks. Discussion on the importance of security in Hadoop.

Outline of the presentation's key topics including security pillars, current elements, roadmap and Apache Knox.

Introduction of four key pillars: authentication, authorization, accountability, data protection, and the need for compliance.

Security overview of Hadoop with perimeter level security, data protection measures, and authentication methods including Kerberos.

Overview of Kerberos as a standard for authentication in Hadoop, preventing impersonation and integrating with identity management.

Details about Apache Knox as a perimeter security solution offering consolidated API management and enhanced security features.

Details on Hadoop's authorization processes, including access control services and improvements in HDFS and Hive.

Discussion on data protection in Hadoop at multiple layers and current methods of encryption for data at rest and in transit.

Summary of Hadoop security features available today across authentication, authorization, auditing, and data protection.

Introduction to features in phase 2 focusing on REST API security with Knox, and elimination of SSH edge nodes.

Technical aspects of deploying Knox within a Hadoop cluster and its role in securing access.

Detailed explanation of how Knox operates with client requests and its capabilities in terms of managing access points.

Practical examples of operations such as creating directories, uploading files, and running jobs through Knox.

Information on how to get involved, resources for security labs, blogs, and tutorials related to Hadoop.

Conclusion of the presentation by Vinay Shukla with an invitation for further engagement.

Embed presentation

Downloaded 456 times
Hadoop Security: Today and Tomorrow Vinay Shukla Hortonworks
© Hortonworks Inc. 2014 Hadoop Security Today & Tomorrow Amsterdam - April3rd, 2014 Vinay Shukla Twitter: @NeoMythos
© Hortonworks Inc. 2014 Agenda • What is Hadoop Security? – 4 Security Pillars & Rings of Defense • What security elements exists today? – Authentication – Authorization – Audit – Data Protection • What is on the security roadmap? – Coming soon – Longer term projects • Securing Hadoop with Apache Knox Gateway – Knox overview – Demo • How to get involved
© Hortonworks Inc. 2014 What is Apache Hadoop Security? Security in Apache Hadoop is defined by four key pillars: authentication, authorization, accountability, and data protection.
© Hortonworks Inc. 2014 Two Reasons for Security in Hadoop Hadoop Contains Sensitive Data –As Hadoop adoption grows so too has the types of data organizations look to store. Often the data is proprietary or personal and it must be protected. –In this context, Hadoop is governed by the same security requirements as any data center platform. Hadoop is subject to Compliance adherence –Organizations are often subject to comply with regulations such as HIPPA, PCI DSS, FISAM that require protection of personal information. –Adherence to other Corporate security policies. 1 2
© Hortonworks Inc. 2014 Security: Rings of Defense Perimeter Level Security • Network Security (i.e. Firewalls) • Apache Knox (i.e. Gateways) Data Protection • Core Hadoop • Partners Authentication • Kerberos OS Security Authorization • MR ACLs • HDFS Permissions • HDFS ACLs • HiveATZ-NG • HBase ACLs • Accumulo Label Security Page 6
© Hortonworks Inc. 2014 Authentication in Hadoop Today… Authentication Who am I/prove it? Control access to cluster. Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway
© Hortonworks Inc. 2014 Kerberos Authentication in Hadoop For more than 20 years, Kerberos has been the de-facto standard for strong authentication. …no other option exists. The design and implementation of Kerberos security in native Apache Hadoop was delivered by Hortonworker Owen O’Malley in 2010. What does Kerberos Do? – Establishes identity for clients, hosts and services – Prevents impersonation/passwords are never sent over the wire – Integrates w/ enterprise identity management tools such as LDAP & Active Directory – More granular auditing of data access/job execution
© Hortonworks Inc. 2014 • Single Hadoop access point • REST API hierarchy • Consolidated API calls • Multi-cluster support • Eliminates SSH “edge node” • Central API management • Central audit control • Simple Service level Authorization • SSO Integration – Siteminder, API Key*, OAuth* & SAML* • LDAP & AD integration Perimeter Security with Apache Knox Integrated with existing systems to simplify identity maintenance Incubated and led by Hortonworks, Apache Knox provides a simple and open framework for Hadoop perimeter security. Single, simple point of access for a cluster Central controls ensure consistency across one or more clusters
© Hortonworks Inc. 2014 Authentication & Audit in Hadoop today… Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Authentication Who am I/prove it? Control access to cluster.
© Hortonworks Inc. 2014 Authorization: Who can do what in Hadoop? • Access Control Services exist for each of the Hadoop components –HDFS has file Permissions –YARN, MapReduce, HBase has Access Control Lists (ACL) –Accumulo Proves more granular label/cell level security • Improvements to these services are being led by Hortonworks Team: –HDFS Improvements – Extended ACL, more flexible via multiple policies on the same file or directory –Hive Improvements – Hortonworks initiative called Hive ATZ-NG, better integration allows familiar SQL/database syntax (GRANT/REVOKE) and allows more clients (including partner integrations) to be secure.
© Hortonworks Inc. 2014 Data Protection in Hadoop today… Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Wire encryption in native Apache Hadoop Orchestrated encryption with 3rd party tools Authentication Who am I/prove it? Control access to cluster.
© Hortonworks Inc. 2014 Data Protection in Hadoop must be applied at three different layers in Apache Hadoop Storage: encrypt data while it is at rest Direct data flows “into” and “out of” 3rd party encryption tools and/or rely upon hardware specific techniques (i.e. drive-level encryption). Transmission: encrypt data as it is in motion Native Apache Hadoop 2.0 provides wire encryption. Upon Access: apply restrictions when accessed Direct data flows “into” and “out of” 3rd party encryption tools. Data Protection
© Hortonworks Inc. 2014 Data Protection – Details - Today • Encryption of Data at Rest –Option 1: OS or Hardware Level Encryption (Out of the Box) –Option 2: Custom Development –Option 3: Certified Partners –Work underway for encryption in Hive, HDFS and HBase as core platform capabilities. • Encryption of Data on the Wire –All wire protocols can be encrypted by HDP platform (2.x). Wire-level encryption enhancements led by HWX Team. • Column Level Encryption –No current out of the box support in Hadoop. –Certified Partners provide these capabilities.
© Hortonworks Inc. 2014 What can be done today? Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Service level Authorization with Knox Access Audit with Knox Wire encryption in native Apache Hadoop Wire Encryption with Knox Orchestrated encryption with 3rd party tools Authentication Who am I/prove it? Control access to cluster.
© Hortonworks Inc. 2014 Hadoop Security Hortonworks is Delivering Secure Hadoop for the Enterprise Security for Hadoop must be addressed within every layer of the stack and integrated into existing frameworks For a full description of what is available in Enterprise Hadoop today across Authentication, Authorization, Accountability and Data Protection please visit our security labs page Governance &Integration Security Operations Data Access Data Management HDP 2.1 New: Apache Knox Perimeter security for Hadoop  A common place to preform authentication across Hadoop and all related projects  Integrated to LDAP and AD  Currently supports: WebHDFS, WebHCAT, Oozie, Hive & HBase  Broad community effort, incubated with Microsoft, broad set of developers involved Security Investments Security Phase 3: • Audit event correlation and Audit viewer • Data Encryption in HDFS, Hive & HBase • Knox for HDFS HA, Ambari & Falcon • Support Token-Based AuthN beyond Kerb Security Phase 2: • ACLs for HDFS • Knox: Hadoop REST API Security • SQL-style Hive AuthZ (GRANT, REVOKE) • SSL support for Hive Server 2 • SSL for DN/NN UI & WebHDFS • PAM support for Hive Phase 1 • Strong AuthN with Kerberos • HBase, Hive, HDFS basic AuthZ • Encryption with SSL for NN, JT, etc. • Wire encryption with Shuffle, HDFS, JDBC
© Hortonworks Inc. 2014 Hadoop Security: Phase 2 Page 17 HDP 2.1 Features Release Theme REST API Security, Improve AuthZ, Wire Encryption Specific Features • Hadoop REST API Security with Apache Knox • Eliminates SSH edge node • Single Hadoop access point • LDAP, AD based Authentication • Service-level Authorization • Audit support for REST access • SQL style Hive Authorization with fine grain access • HDFS Access Control Lists • SSL support in HiveServer2 • SSL support in NN/DN UI & WebHDFS • Pluggable Authentication Module (PAM) in Hive Included Components Apache Knox, Hive, HDFS
© Hortonworks Inc. 2014 Why Knox? From fb.com/hadoopmemes Apache Knox Gateway • REST/HTTP API security for Hadoop • Eliminates SSH edge node • Single REST API access point • Centralized Authentication, Authorization, and Audit for Hadoop REST/HTTP services • LDAP/AD Authentication, Service Authorization, Audit etc. Knox Eliminates • Client’s requirements for intimate knowledge of cluster topology
© Hortonworks Inc. 2014 Knox Deployment with Hadoop Cluster Application Tier DMZ Switch Switch …. Master Nodes Rack 1 Switch NN SNN …. Slave Nodes Rack 2 …. Slave Nodes Rack N SwitchSwitch DN DN Web Tier LB Knox Hadoop CLIs
© Hortonworks Inc. 2014 Hadoop REST API Security: Drill-Down REST Client Enterprise Identity Provider LDAP/AD Knox Gateway GW GW Firewall Firewall DMZ L B Edge Node/H adoop CLIs RPC HTTP HTTP HTTP LDAP Hadoop Cluster 1 Masters Slaves RM NN Web HCat Oozie DN NM HS2 Hadoop Cluster 2 Masters Slaves RM NN Web HCat Oozie DN NM HS2 HBase HBase
© Hortonworks Inc. 2014 Selects appropriate service filter chain based on request URL mapping rules REST Client Protocol Listener Listens for requests on the appropriate protocols (e.g. HTTP/HTTPS) Service Selector Service Specific Filter Chain Identity Asserter Filter Dispatch Rewrite Filter AuthN Filter Hadoop Service Enforces propagation of authenticated identity to Hadoop by modifying request Streams request and response to and from Hadoop service based on rewritten URLs Translates URLs in request and response between external and internal URLs based on service specific rules Enterprise Identity Provider Enterprise/Cl oud SSO Provider Challenges client for credentials and authenticates or validates SSO Token Service filter chains are composed and configured at deployment time by service specific plugins What is Knox? Client > Knox > Hadoop Cluster Knox Gateway
© Hortonworks Inc. 2014© Hortonworks Inc. 2014 Knox Gateway in action Submit MR job via Knox
© Hortonworks Inc. 2014 HDFS & MR Operations with Knox • Create a few directories curl -iku guest:guest-password -X PUT 'https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test?op=MKDIRS&permission=777' curl -iku guest:guest-password -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/input?op=MKDIRS&permission=777" curl -iku guest:guest-password -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/lib?op=MKDIRS&permission=777" • Upload files curl -iku guest:guest-password -L -T samples/hadoop-examples.jar -X PUT https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/lib/hadoop- examples.jar?op=CREATE curl -iku guest:guest-password -X PUT -L -T README -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/input/README?op=CREATE" • Run MR job curl -iku guest:guest-password -X POST -d arg=/user/guest/test/input -d arg=/user/guest/test/output -d jar=/user/guest/test/lib/hadoop-examples.jar -d class=org.apache.hadoop.examples.WordCount https://localhost:8443/gateway/sandbox/templeton/v1/mapreduce/jar • Query the jobs for a user curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/templeton/v1/queue • Query the status of a given job curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/templeton/v1/queue/<job_id> • Read the output file curl -iku guest:guest-password -L -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/output/part-r-00000?op=OPEN • Remove a directory curl -iku guest:guest-password -X DELETE "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test?op=DELETE&recursive=true"
© Hortonworks Inc. 2014 How to get Involved Resource Location Security Labs http://hortonworks.com/labs/security/ Security Blogs http://hortonworks.com/blog/category/innovation/security/ Apache Knox Tutorial http://hortonworks.com/hadoop-tutorial/securing-hadoop- infrastructure-apache-knox/ Need help? http://hortonworks.com/community/forums/forum/security/ or vshukla@hortonworks.com
© Hortonworks Inc. 2014 Thank you! Amsterdam - April3rd, 2014 Vinay Shukla Twitter: @NeoMythos
Hadoop Security Today and Tomorrow

More Related Content

PDF
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
PDF
Introduction to apache spark
byAakashdata
 
PDF
Dapr - A 10x Developer Framework for Any Language
byBilgin Ibryam
 
PPTX
Hadoop Ecosystem | Hadoop Ecosystem Tutorial | Hadoop Tutorial For Beginners ...
bySimplilearn
 
PPTX
Securing Hadoop with Apache Ranger
byDataWorks Summit
 
PDF
Mastering the MongoDB Shell
byMongoDB
 
PDF
Netflix Global Cloud Architecture
byAdrian Cockcroft
 
PDF
RocksDB Performance and Reliability Practices
byYoshinori Matsunobu
 
Apache Kafka Architecture & Fundamentals Explained
byconfluent
 
Introduction to apache spark
byAakashdata
 
Dapr - A 10x Developer Framework for Any Language
byBilgin Ibryam
 
Hadoop Ecosystem | Hadoop Ecosystem Tutorial | Hadoop Tutorial For Beginners ...
bySimplilearn
 
Securing Hadoop with Apache Ranger
byDataWorks Summit
 
Mastering the MongoDB Shell
byMongoDB
 
Netflix Global Cloud Architecture
byAdrian Cockcroft
 
RocksDB Performance and Reliability Practices
byYoshinori Matsunobu
 

What's hot

PDF
Spark SQL
byJoud Khattab
 
PPT
Hadoop
byMallikarjuna G D
 
PDF
Optimizing Hive Queries
byOwen O'Malley
 
PDF
Pinot: Near Realtime Analytics @ Uber
byXiang Fu
 
PPT
Hadoop Security Architecture
byOwen O'Malley
 
PDF
Solving Enterprise Data Challenges with Apache Arrow
byWes McKinney
 
PDF
Designing Structured Streaming Pipelines—How to Architect Things Right
byDatabricks
 
PPTX
Apache Superset - open source data exploration and visualization (Conclusion ...
byLucas Jellema
 
PDF
Introduction to Spring Cloud
byVMware Tanzu
 
PDF
Amazon S3 Best Practice and Tuning for Hadoop/Spark in the Cloud
byNoritaka Sekiyama
 
PDF
Dive into PySpark
byMateusz Buśkiewicz
 
PPTX
Hadoop Security Today & Tomorrow with Apache Knox
byVinay Shukla
 
PPTX
Hadoop YARN | Hadoop YARN Architecture | Hadoop YARN Tutorial | Hadoop Tutori...
bySimplilearn
 
PDF
MongoDB vs. Postgres Benchmarks
byEDB
 
PPTX
Hadoop Backup and Disaster Recovery
byCloudera, Inc.
 
PPTX
Sharding Methods for MongoDB
byMongoDB
 
PDF
Spark with Delta Lake
byKnoldus Inc.
 
PPTX
Introduction to NoSQL Databases
byDerek Stainer
 
PPTX
HBase Tutorial For Beginners | HBase Architecture | HBase Tutorial | Hadoop T...
bySimplilearn
 
PDF
Running Apache Spark on Kubernetes: Best Practices and Pitfalls
byDatabricks
 
Spark SQL
byJoud Khattab
 
Hadoop
byMallikarjuna G D
 
Optimizing Hive Queries
byOwen O'Malley
 
Pinot: Near Realtime Analytics @ Uber
byXiang Fu
 
Hadoop Security Architecture
byOwen O'Malley
 
Solving Enterprise Data Challenges with Apache Arrow
byWes McKinney
 
Designing Structured Streaming Pipelines—How to Architect Things Right
byDatabricks
 
Apache Superset - open source data exploration and visualization (Conclusion ...
byLucas Jellema
 
Introduction to Spring Cloud
byVMware Tanzu
 
Amazon S3 Best Practice and Tuning for Hadoop/Spark in the Cloud
byNoritaka Sekiyama
 
Dive into PySpark
byMateusz Buśkiewicz
 
Hadoop Security Today & Tomorrow with Apache Knox
byVinay Shukla
 
Hadoop YARN | Hadoop YARN Architecture | Hadoop YARN Tutorial | Hadoop Tutori...
bySimplilearn
 
MongoDB vs. Postgres Benchmarks
byEDB
 
Hadoop Backup and Disaster Recovery
byCloudera, Inc.
 
Sharding Methods for MongoDB
byMongoDB
 
Spark with Delta Lake
byKnoldus Inc.
 
Introduction to NoSQL Databases
byDerek Stainer
 
HBase Tutorial For Beginners | HBase Architecture | HBase Tutorial | Hadoop T...
bySimplilearn
 
Running Apache Spark on Kubernetes: Best Practices and Pitfalls
byDatabricks
 

Viewers also liked

PDF
Simplify and Secure your Hadoop Environment with Hortonworks and Centrify
byHortonworks
 
PPTX
Hdp security overview
byHortonworks
 
PDF
HDP Advanced Security: Comprehensive Security for Enterprise Hadoop
byHortonworks
 
PDF
Implementing a Data Lake with Enterprise Grade Data Governance
byHortonworks
 
PDF
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
byCloudIDSummit
 
PPTX
Protecting Enterprise Data in Apache Hadoop
byDataWorks Summit/Hadoop Summit
 
PDF
San Francisco Best Places to Work Roadshow | Centrify
byGlassdoor
 
PDF
Talend Open Studio and Hortonworks Data Platform
byHortonworks
 
PPTX
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
byKevin Minder
 
PPTX
Streamline Hadoop DevOps with Apache Ambari
byDataWorks Summit/Hadoop Summit
 
PPTX
Simplified Cluster Operation & Troubleshooting
byDataWorks Summit/Hadoop Summit
 
PPTX
Security and Governance on Hadoop with Apache Atlas and Apache Ranger by Srik...
byArtem Ervits
 
PDF
Hadoop Security: Overview
byCloudera, Inc.
 
PPTX
Curb your insecurity with HDP
byDataWorks Summit/Hadoop Summit
 
PPTX
Talend Big Data Capabilities Overview
byRajan Kanitkar
 
PDF
Hadoop Security
byTimothy Spann
 
PDF
Big Data Taiwan 2014 Track2-2: Informatica Big Data Solution
byEtu Solution
 
PPTX
Ansible + Hadoop
byMichael Young
 
PPTX
Real-Time Data Flows with Apache NiFi
byManish Gupta
 
PDF
HDP2.5 Updates
byYuta Imai
 
Simplify and Secure your Hadoop Environment with Hortonworks and Centrify
byHortonworks
 
Hdp security overview
byHortonworks
 
HDP Advanced Security: Comprehensive Security for Enterprise Hadoop
byHortonworks
 
Implementing a Data Lake with Enterprise Grade Data Governance
byHortonworks
 
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control a...
byCloudIDSummit
 
Protecting Enterprise Data in Apache Hadoop
byDataWorks Summit/Hadoop Summit
 
San Francisco Best Places to Work Roadshow | Centrify
byGlassdoor
 
Talend Open Studio and Hortonworks Data Platform
byHortonworks
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
byKevin Minder
 
Streamline Hadoop DevOps with Apache Ambari
byDataWorks Summit/Hadoop Summit
 
Simplified Cluster Operation & Troubleshooting
byDataWorks Summit/Hadoop Summit
 
Security and Governance on Hadoop with Apache Atlas and Apache Ranger by Srik...
byArtem Ervits
 
Hadoop Security: Overview
byCloudera, Inc.
 
Curb your insecurity with HDP
byDataWorks Summit/Hadoop Summit
 
Talend Big Data Capabilities Overview
byRajan Kanitkar
 
Hadoop Security
byTimothy Spann
 
Big Data Taiwan 2014 Track2-2: Informatica Big Data Solution
byEtu Solution
 
Ansible + Hadoop
byMichael Young
 
Real-Time Data Flows with Apache NiFi
byManish Gupta
 
HDP2.5 Updates
byYuta Imai
 

Similar to Hadoop Security Today and Tomorrow

PPTX
Improvements in Hadoop Security
byChris Nauroth
 
PPTX
Improvements in Hadoop Security
byDataWorks Summit
 
PPTX
Hadoop security
byShivaji Dutta
 
PDF
Curb your insecurity with HDP - Tips for a Secure Cluster
byahortonworks
 
PDF
Hortonworks Protegrity Webinar: Leverage Security in Hadoop Without Sacrifici...
byHortonworks
 
PPTX
Curb Your Insecurity - Tips for a Secure Cluster (with Spark too)!!
byPardeep Kumar Mishra (Big Data / Hadoop Consultant)
 
PDF
Hadoop & Security - Past, Present, Future
byUwe Printz
 
PPTX
Open Source Security Tools for Big Data
byGreat Wide Open
 
PPTX
Open Source Security Tools for Big Data
byRommel Garcia
 
PPTX
Treat your enterprise data lake indigestion: Enterprise ready security and go...
byDataWorks Summit
 
PDF
BigData Security - A Point of View
byKaran Alang
 
PDF
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
byHortonworks
 
PPTX
Securing Data in Hadoop at Uber
byDataWorks Summit
 
PDF
2014 sept 4_hadoop_security
byAdam Muise
 
PPTX
Hadoop and Big Data Security
byChicago Hadoop Users Group
 
PDF
Hortonworks and Voltage Security webinar
byHortonworks
 
PPTX
Apache Knox - Hadoop Security Swiss Army Knife
byDataWorks Summit
 
PDF
August 2014 HUG : Comprehensive Security for Hadoop
byYahoo Developer Network
 
PDF
TriHUG October: Apache Ranger
bytrihug
 
PPTX
Saving the elephant—now, not later
byDataWorks Summit
 
Improvements in Hadoop Security
byChris Nauroth
 
Improvements in Hadoop Security
byDataWorks Summit
 
Hadoop security
byShivaji Dutta
 
Curb your insecurity with HDP - Tips for a Secure Cluster
byahortonworks
 
Hortonworks Protegrity Webinar: Leverage Security in Hadoop Without Sacrifici...
byHortonworks
 
Curb Your Insecurity - Tips for a Secure Cluster (with Spark too)!!
byPardeep Kumar Mishra (Big Data / Hadoop Consultant)
 
Hadoop & Security - Past, Present, Future
byUwe Printz
 
Open Source Security Tools for Big Data
byGreat Wide Open
 
Open Source Security Tools for Big Data
byRommel Garcia
 
Treat your enterprise data lake indigestion: Enterprise ready security and go...
byDataWorks Summit
 
BigData Security - A Point of View
byKaran Alang
 
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
byHortonworks
 
Securing Data in Hadoop at Uber
byDataWorks Summit
 
2014 sept 4_hadoop_security
byAdam Muise
 
Hadoop and Big Data Security
byChicago Hadoop Users Group
 
Hortonworks and Voltage Security webinar
byHortonworks
 
Apache Knox - Hadoop Security Swiss Army Knife
byDataWorks Summit
 
August 2014 HUG : Comprehensive Security for Hadoop
byYahoo Developer Network
 
TriHUG October: Apache Ranger
bytrihug
 
Saving the elephant—now, not later
byDataWorks Summit
 

More from DataWorks Summit

PPTX
Data Science Crash Course
byDataWorks Summit
 
PPTX
Floating on a RAFT: HBase Durability with Apache Ratis
byDataWorks Summit
 
PPTX
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
byDataWorks Summit
 
PDF
HBase Tales From the Trenches - Short stories about most common HBase operati...
byDataWorks Summit
 
PPTX
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
byDataWorks Summit
 
PPTX
Managing the Dewey Decimal System
byDataWorks Summit
 
PPTX
Practical NoSQL: Accumulo's dirlist Example
byDataWorks Summit
 
PPTX
HBase Global Indexing to support large-scale data ingestion at Uber
byDataWorks Summit
 
PPTX
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
byDataWorks Summit
 
PPTX
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
byDataWorks Summit
 
PPTX
Supporting Apache HBase : Troubleshooting and Supportability Improvements
byDataWorks Summit
 
PPTX
Security Framework for Multitenant Architecture
byDataWorks Summit
 
PDF
Presto: Optimizing Performance of SQL-on-Anything Engine
byDataWorks Summit
 
PPTX
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
byDataWorks Summit
 
PPTX
Extending Twitter's Data Platform to Google Cloud
byDataWorks Summit
 
PPTX
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
byDataWorks Summit
 
PPTX
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
byDataWorks Summit
 
PPTX
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
byDataWorks Summit
 
PDF
Computer Vision: Coming to a Store Near You
byDataWorks Summit
 
PPTX
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
byDataWorks Summit
 
Data Science Crash Course
byDataWorks Summit
 
Floating on a RAFT: HBase Durability with Apache Ratis
byDataWorks Summit
 
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
byDataWorks Summit
 
HBase Tales From the Trenches - Short stories about most common HBase operati...
byDataWorks Summit
 
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
byDataWorks Summit
 
Managing the Dewey Decimal System
byDataWorks Summit
 
Practical NoSQL: Accumulo's dirlist Example
byDataWorks Summit
 
HBase Global Indexing to support large-scale data ingestion at Uber
byDataWorks Summit
 
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
byDataWorks Summit
 
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
byDataWorks Summit
 
Supporting Apache HBase : Troubleshooting and Supportability Improvements
byDataWorks Summit
 
Security Framework for Multitenant Architecture
byDataWorks Summit
 
Presto: Optimizing Performance of SQL-on-Anything Engine
byDataWorks Summit
 
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
byDataWorks Summit
 
Extending Twitter's Data Platform to Google Cloud
byDataWorks Summit
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
byDataWorks Summit
 
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
byDataWorks Summit
 
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
byDataWorks Summit
 
Computer Vision: Coming to a Store Near You
byDataWorks Summit
 
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
byDataWorks Summit
 

Recently uploaded

PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PPTX
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
Agentic AI presentation with Python Exercises
byParth Mane
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Linux Foundation Certified System Administrator (LFCS) Exam.pdf
byLinuxCert Guru
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 

Hadoop Security Today and Tomorrow

  • 1.
    Hadoop Security: Todayand Tomorrow Vinay Shukla Hortonworks
  • 2.
    © Hortonworks Inc.2014 Hadoop Security Today & Tomorrow Amsterdam - April3rd, 2014 Vinay Shukla Twitter: @NeoMythos
  • 3.
    © Hortonworks Inc.2014 Agenda • What is Hadoop Security? – 4 Security Pillars & Rings of Defense • What security elements exists today? – Authentication – Authorization – Audit – Data Protection • What is on the security roadmap? – Coming soon – Longer term projects • Securing Hadoop with Apache Knox Gateway – Knox overview – Demo • How to get involved
  • 4.
    © Hortonworks Inc.2014 What is Apache Hadoop Security? Security in Apache Hadoop is defined by four key pillars: authentication, authorization, accountability, and data protection.
  • 5.
    © Hortonworks Inc.2014 Two Reasons for Security in Hadoop Hadoop Contains Sensitive Data –As Hadoop adoption grows so too has the types of data organizations look to store. Often the data is proprietary or personal and it must be protected. –In this context, Hadoop is governed by the same security requirements as any data center platform. Hadoop is subject to Compliance adherence –Organizations are often subject to comply with regulations such as HIPPA, PCI DSS, FISAM that require protection of personal information. –Adherence to other Corporate security policies. 1 2
  • 6.
    © Hortonworks Inc.2014 Security: Rings of Defense Perimeter Level Security • Network Security (i.e. Firewalls) • Apache Knox (i.e. Gateways) Data Protection • Core Hadoop • Partners Authentication • Kerberos OS Security Authorization • MR ACLs • HDFS Permissions • HDFS ACLs • HiveATZ-NG • HBase ACLs • Accumulo Label Security Page 6
  • 7.
    © Hortonworks Inc.2014 Authentication in Hadoop Today… Authentication Who am I/prove it? Control access to cluster. Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway
  • 8.
    © Hortonworks Inc.2014 Kerberos Authentication in Hadoop For more than 20 years, Kerberos has been the de-facto standard for strong authentication. …no other option exists. The design and implementation of Kerberos security in native Apache Hadoop was delivered by Hortonworker Owen O’Malley in 2010. What does Kerberos Do? – Establishes identity for clients, hosts and services – Prevents impersonation/passwords are never sent over the wire – Integrates w/ enterprise identity management tools such as LDAP & Active Directory – More granular auditing of data access/job execution
  • 9.
    © Hortonworks Inc.2014 • Single Hadoop access point • REST API hierarchy • Consolidated API calls • Multi-cluster support • Eliminates SSH “edge node” • Central API management • Central audit control • Simple Service level Authorization • SSO Integration – Siteminder, API Key*, OAuth* & SAML* • LDAP & AD integration Perimeter Security with Apache Knox Integrated with existing systems to simplify identity maintenance Incubated and led by Hortonworks, Apache Knox provides a simple and open framework for Hadoop perimeter security. Single, simple point of access for a cluster Central controls ensure consistency across one or more clusters
  • 10.
    © Hortonworks Inc.2014 Authentication & Audit in Hadoop today… Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Authentication Who am I/prove it? Control access to cluster.
  • 11.
    © Hortonworks Inc.2014 Authorization: Who can do what in Hadoop? • Access Control Services exist for each of the Hadoop components –HDFS has file Permissions –YARN, MapReduce, HBase has Access Control Lists (ACL) –Accumulo Proves more granular label/cell level security • Improvements to these services are being led by Hortonworks Team: –HDFS Improvements – Extended ACL, more flexible via multiple policies on the same file or directory –Hive Improvements – Hortonworks initiative called Hive ATZ-NG, better integration allows familiar SQL/database syntax (GRANT/REVOKE) and allows more clients (including partner integrations) to be secure.
  • 12.
    © Hortonworks Inc.2014 Data Protection in Hadoop today… Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Wire encryption in native Apache Hadoop Orchestrated encryption with 3rd party tools Authentication Who am I/prove it? Control access to cluster.
  • 13.
    © Hortonworks Inc.2014 Data Protection in Hadoop must be applied at three different layers in Apache Hadoop Storage: encrypt data while it is at rest Direct data flows “into” and “out of” 3rd party encryption tools and/or rely upon hardware specific techniques (i.e. drive-level encryption). Transmission: encrypt data as it is in motion Native Apache Hadoop 2.0 provides wire encryption. Upon Access: apply restrictions when accessed Direct data flows “into” and “out of” 3rd party encryption tools. Data Protection
  • 14.
    © Hortonworks Inc.2014 Data Protection – Details - Today • Encryption of Data at Rest –Option 1: OS or Hardware Level Encryption (Out of the Box) –Option 2: Custom Development –Option 3: Certified Partners –Work underway for encryption in Hive, HDFS and HBase as core platform capabilities. • Encryption of Data on the Wire –All wire protocols can be encrypted by HDP platform (2.x). Wire-level encryption enhancements led by HWX Team. • Column Level Encryption –No current out of the box support in Hadoop. –Certified Partners provide these capabilities.
  • 15.
    © Hortonworks Inc.2014 What can be done today? Authorization Restrict access to explicit data Audit Understand who did what Data Protection Encrypt data at rest & motion Kerberos in native Apache Hadoop Perimeter Security with Apache Knox Gateway Native in Apache Hadoop • MapReduce Access Control Lists • HDFS Permissions • Process Execution audit trail Cell level access control in Apache Accumulo Service level Authorization with Knox Access Audit with Knox Wire encryption in native Apache Hadoop Wire Encryption with Knox Orchestrated encryption with 3rd party tools Authentication Who am I/prove it? Control access to cluster.
  • 16.
    © Hortonworks Inc.2014 Hadoop Security Hortonworks is Delivering Secure Hadoop for the Enterprise Security for Hadoop must be addressed within every layer of the stack and integrated into existing frameworks For a full description of what is available in Enterprise Hadoop today across Authentication, Authorization, Accountability and Data Protection please visit our security labs page Governance &Integration Security Operations Data Access Data Management HDP 2.1 New: Apache Knox Perimeter security for Hadoop  A common place to preform authentication across Hadoop and all related projects  Integrated to LDAP and AD  Currently supports: WebHDFS, WebHCAT, Oozie, Hive & HBase  Broad community effort, incubated with Microsoft, broad set of developers involved Security Investments Security Phase 3: • Audit event correlation and Audit viewer • Data Encryption in HDFS, Hive & HBase • Knox for HDFS HA, Ambari & Falcon • Support Token-Based AuthN beyond Kerb Security Phase 2: • ACLs for HDFS • Knox: Hadoop REST API Security • SQL-style Hive AuthZ (GRANT, REVOKE) • SSL support for Hive Server 2 • SSL for DN/NN UI & WebHDFS • PAM support for Hive Phase 1 • Strong AuthN with Kerberos • HBase, Hive, HDFS basic AuthZ • Encryption with SSL for NN, JT, etc. • Wire encryption with Shuffle, HDFS, JDBC
  • 17.
    © Hortonworks Inc.2014 Hadoop Security: Phase 2 Page 17 HDP 2.1 Features Release Theme REST API Security, Improve AuthZ, Wire Encryption Specific Features • Hadoop REST API Security with Apache Knox • Eliminates SSH edge node • Single Hadoop access point • LDAP, AD based Authentication • Service-level Authorization • Audit support for REST access • SQL style Hive Authorization with fine grain access • HDFS Access Control Lists • SSL support in HiveServer2 • SSL support in NN/DN UI & WebHDFS • Pluggable Authentication Module (PAM) in Hive Included Components Apache Knox, Hive, HDFS
  • 18.
    © Hortonworks Inc.2014 Why Knox? From fb.com/hadoopmemes Apache Knox Gateway • REST/HTTP API security for Hadoop • Eliminates SSH edge node • Single REST API access point • Centralized Authentication, Authorization, and Audit for Hadoop REST/HTTP services • LDAP/AD Authentication, Service Authorization, Audit etc. Knox Eliminates • Client’s requirements for intimate knowledge of cluster topology
  • 19.
    © Hortonworks Inc.2014 Knox Deployment with Hadoop Cluster Application Tier DMZ Switch Switch …. Master Nodes Rack 1 Switch NN SNN …. Slave Nodes Rack 2 …. Slave Nodes Rack N SwitchSwitch DN DN Web Tier LB Knox Hadoop CLIs
  • 20.
    © Hortonworks Inc.2014 Hadoop REST API Security: Drill-Down REST Client Enterprise Identity Provider LDAP/AD Knox Gateway GW GW Firewall Firewall DMZ L B Edge Node/H adoop CLIs RPC HTTP HTTP HTTP LDAP Hadoop Cluster 1 Masters Slaves RM NN Web HCat Oozie DN NM HS2 Hadoop Cluster 2 Masters Slaves RM NN Web HCat Oozie DN NM HS2 HBase HBase
  • 21.
    © Hortonworks Inc.2014 Selects appropriate service filter chain based on request URL mapping rules REST Client Protocol Listener Listens for requests on the appropriate protocols (e.g. HTTP/HTTPS) Service Selector Service Specific Filter Chain Identity Asserter Filter Dispatch Rewrite Filter AuthN Filter Hadoop Service Enforces propagation of authenticated identity to Hadoop by modifying request Streams request and response to and from Hadoop service based on rewritten URLs Translates URLs in request and response between external and internal URLs based on service specific rules Enterprise Identity Provider Enterprise/Cl oud SSO Provider Challenges client for credentials and authenticates or validates SSO Token Service filter chains are composed and configured at deployment time by service specific plugins What is Knox? Client > Knox > Hadoop Cluster Knox Gateway
  • 22.
    © Hortonworks Inc.2014© Hortonworks Inc. 2014 Knox Gateway in action Submit MR job via Knox
  • 23.
    © Hortonworks Inc.2014 HDFS & MR Operations with Knox • Create a few directories curl -iku guest:guest-password -X PUT 'https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test?op=MKDIRS&permission=777' curl -iku guest:guest-password -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/input?op=MKDIRS&permission=777" curl -iku guest:guest-password -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/lib?op=MKDIRS&permission=777" • Upload files curl -iku guest:guest-password -L -T samples/hadoop-examples.jar -X PUT https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/lib/hadoop- examples.jar?op=CREATE curl -iku guest:guest-password -X PUT -L -T README -X PUT "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/input/README?op=CREATE" • Run MR job curl -iku guest:guest-password -X POST -d arg=/user/guest/test/input -d arg=/user/guest/test/output -d jar=/user/guest/test/lib/hadoop-examples.jar -d class=org.apache.hadoop.examples.WordCount https://localhost:8443/gateway/sandbox/templeton/v1/mapreduce/jar • Query the jobs for a user curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/templeton/v1/queue • Query the status of a given job curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/templeton/v1/queue/<job_id> • Read the output file curl -iku guest:guest-password -L -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test/output/part-r-00000?op=OPEN • Remove a directory curl -iku guest:guest-password -X DELETE "https://localhost:8443/gateway/sandbox/webhdfs/v1/user/guest/test?op=DELETE&recursive=true"
  • 24.
    © Hortonworks Inc.2014 How to get Involved Resource Location Security Labs http://hortonworks.com/labs/security/ Security Blogs http://hortonworks.com/blog/category/innovation/security/ Apache Knox Tutorial http://hortonworks.com/hadoop-tutorial/securing-hadoop- infrastructure-apache-knox/ Need help? http://hortonworks.com/community/forums/forum/security/ or vshukla@hortonworks.com
  • 25.
    © Hortonworks Inc.2014 Thank you! Amsterdam - April3rd, 2014 Vinay Shukla Twitter: @NeoMythos

Editor's Notes

  • #19 BackgroundHortonworks led initiativeUseful for connecting to Hadoop from the outside the clusterWhen more client language flexibility is requiredi.e. Java binding not an optionNot intended for RPC callsCall it REST API Gateway for HadoopDon’t call it a firewallFirewalls are at the network layerDon’t call is perimeter securityPerimeter security is getting discredited as an incomplete security solution
  • #21 Node the arrows to Hadoop Cluster are simplificationsActually there will be multiple arrow – one per port open between Knox and Hadoop Services it supports (WebHDFS, WebHCAT, HiveServer2, HBase, Oozie) &amp; more in future
  • #22 Functions as HTTP reverse proxyRe-writes URLs to protect internal network topologyKnox Gateway embeds Jetty containerReads/Writes HTTP