Security

What's New in This Release

New features and changes for Apache Ranger and Apache Knox have been introduced in Hortonworks Data Platform, version 2.6.x, along with documentation updates. New features are described in the following sections.

  • Hortonworks Data Platform 2.6.0

    • Authentication

      • New Identity Assertion Provider: HadoopGroupProvider

        The Hadoop Group Lookup identity assertion provider looks up group membership for authenticated users using Hadoop's group mapping service (GroupMappingServiceProvider).

        This allows existing investments in Hadoop to be leveraged within Knox and used for access control policy enforcement at the perimeter.

      • Support for PAM Authentication

        PAM authentication is configured by adding a "ShiroProvider" authentication provider to the cluster's topology file with PAM parameters.

        There are a large number of pluggable authentication modules available for authenticating access to Hadoop through the Knox Gateway. ShiroProvider, in addition to LDAP support, also includes support for PAM-based authentication for Unix-based systems.

      • Added support for WebSockets

        WebSocket is a communication protocol that allows full-duplex communication over a single TCP connection. Knox provides out-of-the-box support for the WebSocket protocol, but currently only text-based messages are supported.

    • Authorization

      • Export and import tag-based and resource-based policies

        Export and import policies from the Ranger Admin UI from one cluster to another when launching new clusters or moving policies from test to production clusters. Export or import a specific subset of policies (such as those that pertain to specific resources or users/groups), or clone the entire repository or multiple repositories, via the Ranger Admin UI.

      • Incremental Usersync

        When enabled, Ranger Usersync saves the latest timestamp of all the objects that were synced previously and uses that timestamp to perform the next sync. Usersync uses a polling mechanism to perform incremental sync, using the LDAP attributes uSNChanged (for AD) or modifytimestamp (for LDAP). Recommended for large deployments.

      • Support for {USER} variable in Ranger policies

        The variable {USER} can be used to autofill the accessing user.

    • Auditing

      • New Plugin Status page under Audits

        This tab shows the policies in effect for each plugin. It includes the relevant host information and when the plugin downloaded and started enforcing the policies.

    • Miscellaneous

      • Bug fixes
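
The two Knox authentication items above (PAM authentication through ShiroProvider and the HadoopGroupProvider identity assertion provider) are both configured in a topology file. The fragment below is an added example, not taken from this page or from the product documentation: the realm class name follows the `org.apache.hadoop.gateway` packaging assumed for the Knox version in HDP 2.6.x, and the PAM service name `login`, the session timeout and the choice of `ShellBasedUnixGroupsMapping` are assumptions made for illustration.

```xml
<!-- Added example: provider section of a Knox topology file (constructed) -->
<gateway>
    <provider>
        <role>authentication</role>
        <name>ShiroProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sessionTimeout</name>
            <value>30</value>
        </param>
        <!-- PAM-backed Shiro realm; package name assumed for this Knox version -->
        <param>
            <name>main.pamRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
        </param>
        <!-- PAM service to authenticate against (a file under /etc/pam.d);
             "login" is an assumption, pick the service your hosts harden -->
        <param>
            <name>main.pamRealm.service</name>
            <value>login</value>
        </param>
        <!-- Require HTTP Basic authentication on every URL of the topology -->
        <param>
            <name>urls./**</name>
            <value>authcBasic</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>HadoopGroupProvider</name>
        <enabled>true</enabled>
        <!-- Hadoop group mapping implementation used for the lookup; the
             OS-based mapping is assumed here so that groups come from the
             same host accounts that PAM authenticates -->
        <param>
            <name>hadoop.security.group.mapping</name>
            <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
        </param>
    </provider>
</gateway>
```

With this pairing, both the credential check and the group lookup depend on the gateway host's local account configuration, so that host's PAM stack and group database become part of the perimeter's trust boundary.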