Hadoop Security Guide
Copyright © 2012-2016 Hortonworks, Inc.
Except where otherwise noted, this document is licensed under Creative Commons Attribution ShareAlike 4.0 License
2016-05-09
Abstract
The Hortonworks Data Platform, powered by Apache Hadoop, is a massively scalable and 100% open source platform for storing, processing and analyzing large volumes of data. It is designed to deal with data from many sources and formats in a very quick, easy and cost-effective manner. The Hortonworks Data Platform consists of the essential set of Apache Hadoop projects including MapReduce, Hadoop Distributed File System (HDFS), HCatalog, Pig, Hive, HBase, ZooKeeper and Ambari. Hortonworks is the major contributor of code and patches to many of these projects. These projects have been integrated and tested as part of the Hortonworks Data Platform release process, and installation and configuration tools have also been included.
Unlike other providers of platforms built using Apache Hadoop, Hortonworks contributes 100% of our code back to the Apache Software Foundation. The Hortonworks Data Platform is Apache-licensed and completely open source. We sell only expert technical support, training and partner-enablement services. All of our technology is, and will remain, free and open source.
Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For more information on Hortonworks services, please visit either the Support or Training page. Feel free to Contact Us directly to discuss your specific needs.
Contents
- 1. HDP Security Overview
- 2. Authentication
- Enabling Kerberos Authentication Using Ambari
- Configuring Ambari Authentication with LDAP or AD
- Configuring LDAP Authentication in Hue
- Enabling the LDAP Backend
- Enabling User Authentication with Search Bind
- Setting the Search Base to Find Users and Groups
- Specifying the URL of the LDAP Server
- Specifying LDAPS and StartTLS Support
- Specifying Bind Credentials for LDAP Searches
- Synchronizing Users and Groups
- Setting Search Bind Authentication and Importing Users and Groups
- Setting LDAP Users' Filter
- Setting an LDAP Groups Filter
- Setting Multiple LDAP Servers
- Advanced Security Options for Ambari
- Enabling SPNEGO Authentication for Hadoop
- Setting Up Kerberos Authentication for Non-Ambari Clusters
- Perimeter Security with Apache Knox
- Apache Knox Gateway Overview
- Configuring the Knox Gateway
- Defining Cluster Topologies
- Configuring a Hadoop Server for Knox
- Mapping the Internal Nodes to External URLs
- Configuring Authentication
- Configuring Identity Assertion
- Configuring Service Level Authorization
- Audit Gateway Activity
- Gateway Security
- Setting Up Knox for WebHDFS HA
- Knox CLI Testing Tools
- 3. Configuring Authorization in Hadoop
- Installing Ranger Using Ambari
- Using Ranger to Provide Authorization in Hadoop
- Opening and Closing the Ranger Console
- Console Operations Summary
- Configuring Services
- Policy Management
- Users/Groups and Permissions Administration
- Reports Administration
- Special Requirements for High Availability Environments
- Adding a New Component to Apache Ranger
- Developing a Custom Authorization Module
- Apache Ranger Public REST API
- 4. Data Protection: Wire Encryption
- Enabling RPC Encryption
- Enabling Data Transfer Protocol
- Enabling SSL: Understanding the Hadoop SSL Keystore Factory
- Creating and Managing SSL Certificates
- Enabling SSL for HDP Components
- Enable SSL for WebHDFS, MapReduce Shuffle, and YARN
- Enable SSL for HttpFS
- Enable SSL on Oozie
- Enable SSL on the HBase REST Server
- Enable SSL on the HBase Web UI
- Enable SSL on HiveServer2
- Enable SSL for Kafka Clients
- Enable SSL for Accumulo
- SPNEGO setup for WebHCat
- Configure SSL for Hue
- Configure SSL for Knox
- Securing Phoenix
- Set Up SSL for Ambari
- Configure Ambari Ranger SSL
- Configure Non-Ambari Ranger SSL
- Connecting to SSL-Enabled Components
- 5. Auditing in Hadoop
- 6. Data Protection: HDFS Encryption
List of Figures
List of Tables
- 2.1. UNIX Authentication Settings
- 2.2. Active Directory Authentication Settings
- 2.3. Active Directory Custom ranger-admin-site Settings
- 2.4. LDAP Authentication Settings
- 2.5. LDAP Custom ranger-admin-site Settings
- 2.6. Active Directory Authentication Settings
- 2.7. Service Principals
- 2.8. Service Keytab File Names
- 2.9. General core-site.xml, Knox, and Hue
- 2.10. core-site.xml Master Node Settings -- Knox Gateway
- 2.11. core-site.xml Master Node Settings -- Hue
- 2.12. hdfs-site.xml File Property Settings
- 2.13. yarn-site.xml Property Settings
- 2.14. mapred-site.xml Property Settings
- 2.15. hbase-site.xml Property Settings for HBase Server
- 2.16. hive-site.xml Property Settings
- 2.17. oozie-site.xml Property Settings
- 2.18. webhcat-site.xml Property Settings
- 2.19. Supported Hadoop Services
- 2.20. Apache Service Gateway Directories
- 2.21. Cluster Topology Provider and Service Roles
- 2.22. gateway-site.xml Configuration Elements
- 2.23. LDAP Authentication and Authorization Arguments
- 3.1. Ranger DB Host
- 3.2. Driver Class Name
- 3.3. Ranger DB Username Settings
- 3.4. JDBC Connect String
- 3.5. DBA Credential Settings
- 3.6. UNIX User Sync Properties
- 3.7. LDAP/AD Common Configs
- 3.8. LDAP/AD User Configs
- 3.9. LDAP/AD Group Configs
- 3.10. UNIX Authentication Settings
- 3.11. LDAP Authentication Settings
- 3.12. AD Settings
- 3.13. LDAP Advanced ranger-ugsync-site Settings
- 3.14. AD Advanced ranger-ugsync-site Settings
- 3.15. Advanced ranger-ugsync-site Settings for LDAP and AD
- 3.16. HDFS Plugin Properties
- 3.17. Hive Plugin Properties
- 3.18. HBase Plugin Properties
- 3.19. Knox Plugin Properties
- 3.20. Knox Configuration Properties
- 3.21. Service Details
- 3.22. Config Properties
- 3.23. Service Details
- 3.24. Config Properties
- 3.25. Service Details
- 3.26. Config Properties
- 3.27. Service Details
- 3.28. Config Properties
- 3.29. Service Details
- 3.30. Config Properties
- 3.31. Service Details
- 3.32. Config Properties
- 3.33. Service Details
- 3.34. Config Properties
- 3.35. Service Details
- 3.36. Config Properties
- 3.37. Policy Details
- 3.38. User and Group Permissions
- 3.39. Policy Details
- 3.40. User and Group Permissions
- 3.41. Policy Details
- 3.42. User and Group Permissions
- 3.43. Policy Details
- 3.44. User and Group Permissions
- 3.45. Policy Details
- 3.46. User and Group Permissions
- 3.47. Policy Details
- 3.48. User and Group Permissions
- 3.49. Policy Details
- 3.50. User and Group Permissions
- 3.51. Knox User and Group Permissions
- 3.52. Policy Details
- 3.53. User and Group Permissions
- 4.1. Components that Support SSL
- 4.2. Configure SSL Data Protection for HDP Components
- 4.3. Configuration Properties in ssl-server.xml
- 5.1. Solr install.properties Values
- 5.2. Solr install.properties Values
- 5.3. Search Criteria
- 5.4. Search Criteria
- 5.5. Search Criteria
- 5.6. Agents Search Criteria
- 6.1. Properties in Advanced dbks-site Menu (dbks-site.xml)
- 6.2. Properties in Advanced kms-env
- 6.3. Properties in Advanced kms-properties (install.properties)
- 6.4. Properties in Advanced kms-site (kms-site.xml)
- 6.5. Properties in Advanced ranger-kms-audit (ranger-kms-audit.xml)
- 6.6. Properties in Advanced ranger-kms-policymgr-ssl
- 6.7. Properties in Advanced ranger-kms-security
- 6.8. Troubleshooting Suggestions