Security
Copyright © 2012-2017 Hortonworks, Inc.
Except where otherwise noted, this document is licensed under the Creative Commons Attribution ShareAlike 4.0 License.
2017-10-30
Abstract
The Hortonworks Data Platform, powered by Apache Hadoop, is a massively scalable and 100% open source platform for storing, processing and analyzing large volumes of data. It is designed to deal with data from many sources and formats in a very quick, easy and cost-effective manner. The Hortonworks Data Platform consists of the essential set of Apache Hadoop projects including MapReduce, Hadoop Distributed File System (HDFS), HCatalog, Pig, Hive, HBase, ZooKeeper and Ambari. Hortonworks is the major contributor of code and patches to many of these projects. These projects have been integrated and tested as part of the Hortonworks Data Platform release process and installation and configuration tools have also been included.
Unlike other providers of platforms built using Apache Hadoop, Hortonworks contributes 100% of our code back to the Apache Software Foundation. The Hortonworks Data Platform is Apache-licensed and completely open source. We sell only expert technical support, training and partner-enablement services. All of our technology is, and will remain, free and open source.
Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For more information on Hortonworks services, please visit either the Support or Training page. Feel free to Contact Us directly to discuss your specific needs.
Contents
- 1. HDP Security Overview
- 2. Authentication
- Enabling Kerberos Authentication Using Ambari
- Configuring HDP Components for Kerberos Using Ambari
- Configuring Ambari Authentication with LDAP or AD
- Configuring LDAP Authentication in Hue
- Enabling the LDAP Backend
- Enabling User Authentication with Search Bind
- Setting the Search Base to Find Users and Groups
- Specifying the URL of the LDAP Server
- Specifying LDAPS and StartTLS Support
- Specifying Bind Credentials for LDAP Searches
- Synchronizing Users and Groups
- Setting Search Bind Authentication and Importing Users and Groups
- Setting LDAP Users' Filter
- Setting an LDAP Groups Filter
- Setting Multiple LDAP Servers
- Advanced Security Options for Ambari
- Enabling SPNEGO Authentication for Hadoop
- Setting Up Kerberos Authentication for Non-Ambari Clusters
- Perimeter Security with Apache Knox
- Apache Knox Gateway Overview
- Configuring the Knox Gateway
- Defining Cluster Topologies
- Configuring a Hadoop Server for Knox
- Mapping the Internal Nodes to External URLs
- Configuring Authentication
- Configuring Identity Assertion
- Configuring Service Level Authorization
- Audit Gateway Activity
- Gateway Security
- Setting Up Knox Services for HA
- Knox CLI Testing Tools
- Knox SSO
- 3. Configuring Authorization in Hadoop
- Installing Ranger Using Ambari
- Using Ranger to Provide Authorization in Hadoop
- About Ranger Policies
- Using the Ranger Console
- Configuring Resource-Based Services
- Resource-Based Policy Management
- Row-level Filtering and Column Masking in Hive
- Adding Tag-based Service
- Tag-Based Policy Management
- Users/Groups and Permissions Administration
- Reports Administration
- Special Requirements for High Availability Environments
- Adding a New Component to Apache Ranger
- Developing a Custom Authorization Module
- Apache Ranger Public REST API
- 4. Data Protection: Wire Encryption
- Enabling RPC Encryption
- Enabling Data Transfer Protocol
- Enabling SSL: Understanding the Hadoop SSL Keystore Factory
- Creating and Managing SSL Certificates
- Enabling SSL for HDP Components
- Enable SSL for WebHDFS, MapReduce Shuffle, Tez, and YARN
- Enable SSL for HttpFS
- Enable SSL on Oozie
- Enable SSL on the HBase REST Server
- Enable SSL on the HBase Web UI
- Enable SSL on HiveServer2
- Enable SSL for Kafka Clients
- Enable SSL for Accumulo
- Enable SSL for Apache Atlas
- SPNEGO setup for WebHCat
- Configure SSL for Hue
- Configure SSL for Knox
- Securing Phoenix
- Set Up SSL for Ambari
- Configure Ambari Ranger SSL
- Configure Non-Ambari Ranger SSL
- Connecting to SSL-Enabled Components
- 5. Auditing in Hadoop
- 6. ACLs on HDFS
- 7. Data Protection: HDFS Encryption
- 8. Running DataNodes as Non-Root
- 9. Addendum
List of Figures
List of Tables
- 2.1. Browser Settings for Storm UI
- 2.2. UNIX Authentication Settings
- 2.3. Active Directory Authentication Settings
- 2.4. Active Directory Custom ranger-admin-site Settings
- 2.5. LDAP Authentication Settings
- 2.6. LDAP Custom ranger-admin-site Settings
- 2.7. Active Directory Authentication Settings
- 2.8. Service Principals
- 2.9. Service Keytab File Names
- 2.10. General core-site.xml, Knox, and Hue
- 2.11. core-site.xml Master Node Settings -- Knox Gateway
- 2.12. core-site.xml Master Node Settings -- Hue
- 2.13. hdfs-site.xml File Property Settings
- 2.14. yarn-site.xml Property Settings
- 2.15. mapred-site.xml Property Settings
- 2.16. hbase-site.xml Property Settings for HBase Server and Phoenix Query Server
- 2.17. hive-site.xml Property Settings
- 2.18. oozie-site.xml Property Settings
- 2.19. webhcat-site.xml Property Settings
- 2.20. Supported Component APIs: Proxy
- 2.21. Supported Component UIs: Proxy
- 2.22. Apache Service Gateway Directories
- 2.23. Cluster Topology Provider and Service Roles
- 2.24. gateway-site.xml Configuration Elements
- 2.25. Identity Assertion Providers
- 2.26. LDAP Authentication and Authorization Arguments
- 2.27. Supported Component UIs: SSO
- 3.1. Ranger DB Host
- 3.2. Driver Class Name
- 3.3. Ranger DB Username Settings
- 3.4. JDBC Connect String
- 3.5. DBA Credential Settings
- 3.6. UNIX User Sync Properties
- 3.7. LDAP/AD Common Configs
- 3.8. LDAP/AD User Configs
- 3.9. LDAP/AD Group Configs
- 3.10. Atlas Tag Source Properties
- 3.11. AtlasREST Source Properties
- 3.12. File Tag Source Properties
- 3.13. UNIX Authentication Settings
- 3.14. LDAP Authentication Settings
- 3.15. AD Settings
- 3.16. LDAP Advanced ranger-ugsync-site Settings
- 3.17. AD Advanced ranger-ugsync-site Settings
- 3.18. Advanced ranger-ugsync-site Settings for LDAP and AD
- 3.19. HDFS Plugin Properties
- 3.20. Hive Plugin Properties
- 3.21. HBase Plugin Properties
- 3.22. Knox Plugin Properties
- 3.23. Knox Configuration Properties
- 3.24. Service Details
- 3.25. Config Properties
- 3.26. Service Details
- 3.27. Config Properties
- 3.28. Service Details
- 3.29. Config Properties
- 3.30. Service Details
- 3.31. Config Properties
- 3.32. Service Details
- 3.33. Config Properties
- 3.34. Service Details
- 3.35. Config Properties
- 3.36. Service Details
- 3.37. Config Properties
- 3.38. Service Details
- 3.39. Config Properties
- 3.40. Service Details
- 3.41. Config Properties
- 3.42. Policy Details
- 3.43. Allow Conditions
- 3.44. Policy Details
- 3.45. Allow Conditions
- 3.46. Policy Details
- 3.47. Allow Conditions
- 3.48. Policy Details
- 3.49. Allow Conditions
- 3.50. Policy Details
- 3.51. Allow Conditions
- 3.52. Policy Details
- 3.53. Allow Conditions
- 3.54. Policy Details
- 3.55. Allow Conditions
- 3.56. Storm User and Group Permissions
- 3.57. Policy Details
- 3.58. Allow Conditions
- 3.59. Policy Details
- 3.60. Allow Conditions
- 3.61. Export Policy Options
- 3.62. Policy Details
- 3.63. Row Filter Conditions
- 3.64. Policy Details
- 3.65. Mask Conditions
- 3.66. Policy Details
- 3.67. Mask Conditions
- 3.68. Policy Details
- 3.69. Allow, Exclude from Allow, Deny, and Exclude from Deny Conditions
- 3.70. Policy Details
- 3.71. Allow Conditions
- 3.72. Deny Conditions
- 3.73. Exclude from Allow Conditions
- 3.74. Export Policy Options
- 4.1. Components that Support SSL
- 4.2. Configure SSL Data Protection for HDP Components
- 4.3. Configuration Properties in ssl-server.xml
- 4.4. Atlas Advanced application-properties
- 4.5. Atlas Custom application-properties
- 5.1. Solr install.properties Values for setup.sh script
- 5.2. Solr install.properties Values
- 5.3. Solr install.properties Values
- 5.4. JDBC Audit String
- 5.5. Search Criteria
- 5.6. Search Criteria
- 5.7. Search Criteria
- 5.8. Agents Search Criteria
- 5.9. Plugin Status Search Criteria
- 6.1. ACL Options
- 6.2. getfacl Options
- 7.1. Properties in Advanced dbks-site Menu (dbks-site.xml)
- 7.2. Properties in Advanced kms-env
- 7.3. Properties in Advanced kms-properties (install.properties)
- 7.4. Properties in Advanced kms-site (kms-site.xml)
- 7.5. Properties in Advanced ranger-kms-audit (ranger-kms-audit.xml)
- 7.6. Properties in Advanced ranger-kms-policymgr-ssl
- 7.7. Properties in Advanced ranger-kms-security
- 7.8. Troubleshooting Suggestions
List of Examples