Cloudera Security

Continue reading:

• Authentication
  • Configuring Authentication in Cloudera Manager
    • Why Use Cloudera Manager to Implement Kerberos Authentication?
    • Ways to Configure Kerberos Authentication Using Cloudera Manager
    • Cloudera Manager User Accounts
      • User Authentication
      • User Roles
      • Determining the Role of the Currently Logged in User
      • Changing the Logged-In Internal User Password
      • Adding an Internal User Account
      • Assigning User Roles
      • Changing an Internal User Account Password
      • Deleting Internal User Accounts
    • Configuring External Authentication for Cloudera Manager
      • Configuring Authentication Using Active Directory
      • Configuring Authentication Using an OpenLDAP-compatible Server
        • Configuring Cloudera Manager to Use LDAPS
      • Configuring Authentication Using an External Program
      • Configuring Authentication Using SAML
        • Preparing Files
        • Configuring Cloudera Manager
        • Configuring the IDP
        • Verifying Authentication and Authorization
    • Kerberos Principals and Keytabs
      • Kerberos Principals
      • Kerberos Keytabs
    • Enabling Kerberos Authentication Using the Wizard
      • Considerations when using an Active Directory KDC
      • Step 1: Install Cloudera Manager and CDH
        • Overview of the User Accounts and Groups in CDH and Cloudera Manager to Support Security
          • If you installed CDH and Cloudera Manager at the Same Time
          • If you Installed and Used CDH Before Installing Cloudera Manager
      • Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
      • Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
        • Creating the Cloudera Manager Principal
          • If you are using Active Directory:
          • If you are using MIT KDC:
      • Step 4: Enabling Kerberos Using the Wizard
        • Before you Begin Using the Wizard
        • KDC Information
        • KRB5 Configuration
        • Import KDC Account Manager Credentials
        • Configure HDFS DataNode Ports
        • Enabling Kerberos
        • Congratulations
      • Step 5: Create the HDFS Superuser
        • If you are using Active Directory
        • If you are using MIT KDC
      • Step 6: Get or Create a Kerberos Principal for Each User Account
        • If you are using Active Directory
        • If you are using MIT KDC
      • Step 7: Prepare the Cluster for Each User
      • Step 8: Verify that Kerberos Security is Working
      • Step 9: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
        • Enabling SPNEGO as an Authentication Backend for Hue
    • Viewing and Regenerating Kerberos Principals
      • The Security Inspector
    • Mapping Kerberos Principals to Short Names
    • Enabling Kerberos Authentication Without the Wizard
      • Step 1: Install Cloudera Manager and CDH
        • Overview of the User Accounts and Groups in CDH and Cloudera Manager to Support Security
          • If you installed CDH and Cloudera Manager at the Same Time
          • If you Installed and Used CDH Before Installing Cloudera Manager
      • Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
      • Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
        • Creating the Cloudera Manager Principal
          • If you are using Active Directory
          • If you are using MIT KDC
      • Step 4: Import KDC Account Manager Credentials
      • Step 5: Configure the Kerberos Default Realm in the Cloudera Manager Admin Console
      • Step 6: Stop All Services
        • Stopping All Services
        • Stopping the Cloudera Management Service
      • Step 7: Enable Hadoop Security
      • Step 8: Wait for the Generate Credentials Command to Finish
      • Step 9: Enable Hue to Work with Hadoop Security using Cloudera Manager
      • Step 10: (Flume Only) Use Substitution Variables for the Kerberos Principal and Keytab
      • Step 11: (CDH 4.0 and 4.1 only) Configure Hue to Use a Local Hive Metastore
      • Step 12: Start All Services
        • Starting All Services
        • Starting the Cloudera Management Service
      • Step 13: Deploy Client Configurations
      • Step 14: Create the HDFS Superuser Principal
        • If you are using Active Directory
        • If you are using MIT KDC
        • Designating a Superuser Group
      • Step 15: Get or Create a Kerberos Principal for Each User Account
        • If you are using Active Directory
        • If you are using MIT KDC
      • Step 16: Prepare the Cluster for Each User
      • Step 17: Verify that Kerberos Security is Working
      • Step 18: (Optional) Enable Authentication for HTTP Web Consoles for Hadoop Roles
  • Configuring Authentication in Cloudera Navigator
    • Configuring External Authentication for Cloudera Navigator
      • Configuring Cloudera Navigator Authentication Using Active Directory
      • Configuring Cloudera Navigator Authentication Using an OpenLDAP-compatible Server
        • Configuring Cloudera Navigator to Use LDAPS
    • Managing Users and Groups for Cloudera Navigator
      • Assigning Cloudera Navigator User Roles to LDAP or Active Directory Groups
  • Configuring Authentication in CDH Using the Command Line
    • Enabling Kerberos Authentication for Hadoop Using the Command Line
      • Step 1: Install CDH 5
      • Step 2: Verify User Accounts and Groups in CDH 5 Due to Security
        • Step 2a (MRv1 only): Verify User Accounts and Groups in MRv1
        • MRv1: Directory Ownership in the Local File System
        • MRv1: Directory Ownership on HDFS
          • MRv1: Changing the Directory Ownership on HDFS
        • Step 2b (YARN only): Verify User Accounts and Groups in YARN
        • YARN: Directory Ownership in the Local File System
        • YARN: Directory Ownership on HDFS
          • YARN: Changing the Directory Ownership on HDFS
      • Step 3: If you are Using AES-256 Encryption, Install the JCE Policy File
      • Step 4: Create and Deploy the Kerberos Principals and Keytab Files
        • When to Use kadmin.local and kadmin
        • To create the Kerberos principals
        • To create the Kerberos keytab files
        • To deploy the Kerberos keytab files
      • Step 5: Shut Down the Cluster
      • Step 6: Enable Hadoop Security
        • Enabling Service-Level Authorization for Hadoop Services
      • Step 7: Configure Secure HDFS
        • To configure secure HDFS
        • To enable SSL for HDFS
      • Optional Step 8: Configuring Security for HDFS High Availability
      • Optional Step 9: Configure secure WebHDFS
      • Optional Step 10: Configuring a secure HDFS NFS Gateway
      • Step 11: Set Variables for Secure DataNodes
      • Step 12: Start up the NameNode
        • Information about the kinit Command
      • Step 12: Start up a DataNode
      • Step 14: Set the Sticky Bit on HDFS Directories
      • Step 15: Start up the Secondary NameNode (if used)
      • Step 16: Configure Either MRv1 Security or YARN Security
        • Configuring MRv1 Security
          • Step 1: Configure Secure MRv1
          • Step 2: Start up the JobTracker
          • Step 3: Start up a TaskTracker
          • Step 4: Try Running a Map/Reduce Job
        • Configuring YARN Security
          • Step 1: Configure Secure YARN
          • Step 2: Start up the ResourceManager
          • Step 3: Start up the NodeManager
          • Step 4: Start up the MapReduce Job History Server
          • Step 5: Try Running a Map/Reduce YARN Job
    • Flume Authentication
      • Configuring Flume's Security Properties
        • Writing as a single user for all HDFS sinks in a given Flume agent
        • Writing as different users across multiple HDFS sinks in a single Flume agent
        • Limitations
      • Flume Account Requirements
      • Testing the Flume HDFS Sink Configuration
      • Writing to a Secure HBase cluster
    • HBase Authentication
      • Configuring Kerberos Authentication for HBase
        • Step 1: Configure HBase Servers to Authenticate with a Secure HDFS Cluster
          • Enabling HBase Authentication
          • Configuring HBase's Kerberos Principals
        • Step 2: Configure HBase Servers and Clients to Authenticate with a Secure ZooKeeper
          • Configure HBase JVMs (all Masters, Region Servers, and clients) to use JAAS
          • Configure the HBase Servers (Masters and Region Servers) to use Authentication to connect to ZooKeeper
          • Start HBase
      • Configuring Secure HBase Replication
      • Configuring the HBase Client TGT Renewal Period
    • HCatalog Authentication
      • Before You Start
      • Step 1: Create the HTTP keytab file
      • Step 2: Configure WebHCat to Use Security
      • Step 3: Create Proxy Users
      • Step 4: Verify the Configuration
    • Hive Authentication
      • HiveServer2 Security Configuration
        • Enabling Kerberos Authentication for HiveServer2
          • Configuring HiveServer2 for Kerberos-Secured Clusters
          • Configuring JDBC Clients for Kerberos Authentication with HiveServer2
          • Using Beeline to Connect to a Secure HiveServer2
        • Encrypted Communication with Client Drivers
          • Configuring Encrypted Client/Server Communication for non-Kerberos HiveServer2 Connections
        • Using LDAP Username/Password Authentication with HiveServer2
          • Enabling LDAP Authentication with HiveServer2 using Active Directory
          • Enabling LDAP Authentication with HiveServer2 using OpenLDAP
          • Configuring JDBC Clients for LDAP Authentication with HiveServer2
        • Configuring LDAPS Authentication with HiveServer2
        • Pluggable Authentication
        • Trusted Delegation with HiveServer2
        • HiveServer2 Impersonation
        • Securing the Hive Metastore
        • Disabling the Hive Security Configuration
          • Disable Client/Server Authentication
          • Disable Hive Metastore security
          • Disable Underlying Hadoop Security
      • Hive Metastore Server Security Configuration
      • Using Hive to Run Queries on a Secure HBase Server
    • HttpFS Authentication
      • Configuring the HttpFS Server to Support Kerberos Security
      • Using curl to access an URL Protected by Kerberos HTTP SPNEGO
    • Hue Authentication
      • Hue Security Enhancements
        • Enabling SSL Communication with HiveServer2
        • Secure Database Connection
        • Session Timeout
        • Secure Cookies
        • Allowed HTTP Methods
        • Restricting the Cipher List
        • URL Redirect Whitelist
      • Configuring Kerberos Authentication for Hue
      • Integrating Hue with LDAP
        • Search Bind
        • Direct Bind
        • Importing LDAP Users and Groups
        • Synchronizing LDAP Users and Groups
          • Attributes Synchronized
          • User Admin interface
          • Synchronize Using a Command-Line Interface
        • LDAPS/StartTLS support
      • Configuring Hue for SAML
        • Step 1: Install swig and openssl packages
        • Step 2: Install libraries to support SAML in Hue
        • Step 3: Update the Hue configuration file
          • Step 3a: Update the SAML metadata file
          • Step 3b: Private key and certificate files
          • Step 3c: Configure Hue to use SAML Backend
        • Step 4: Restart the Hue server
    • Impala Authentication
      • Enabling Kerberos Authentication for Impala
        • Requirements for Using Impala with Kerberos
        • Configuring Impala to Support Kerberos Security
          • Enabling Kerberos for Impala
        • Enabling Kerberos for Impala with a Proxy Server
        • Enabling Impala Delegation for Kerberos Users
        • Using TLS/SSL with Business Intelligence Tools
      • Enabling LDAP Authentication for Impala
        • Requirements for Using Impala with LDAP
          • Kerberos Authentication for Connections Between Impala Components
        • Server-Side LDAP Setup
        • Support for Custom Bind Strings
        • Secure LDAP Connections
        • LDAP Authentication for impala-shell Interpreter
        • Enabling Impala Delegation for LDAP Users
        • LDAP Restrictions for Impala
      • Using Multiple Authentication Methods with Impala
      • Configuring Impala Delegation for Hue and BI Tools
        • Enabling Delegation in Cloudera Manager
    • Llama Authentication
      • Configuring Llama to Support Kerberos Security
    • Oozie Authentication
      • Configuring Kerberos Authentication for the Oozie Server
      • Configuring Oozie HA with Kerberos
    • Search Authentication
      • Configuring Search to Use Kerberos
      • Using Kerberos
        • Using Kerberos and curl
        • Using solrctl
        • Configuring SolrJ Library Usage
        • Configuring Flume Morphline Solr Sink Usage
    • ZooKeeper Authentication
      • Configuring ZooKeeper Server for Kerberos Authentication
        • Using Cloudera Manager to Configure ZooKeeper Server for Kerberos Authentication
        • Using the Command Line to Configure ZooKeeper Server for Kerberos Authentication
      • Configuring the ZooKeeper Client Shell to Support Kerberos Security
      • Verifying the Configuration
    • FUSE Kerberos Configuration
    • Using kadmin to Create Kerberos Keytab Files
      • To create the Kerberos keytab files
    • Configuring the Mapping from Kerberos Principals to Short Names
      • Mapping Rule Syntax
        • Principal Translation
        • Acceptance Filter
        • Short Name Substitution
        • Converting Principal Names to Lowercase
        • Example Rules
        • Default Rule
        • Testing Mapping Rules
    • Enabling Debugging Output for the Sun Kerberos Classes
  • Configuring a Cluster-dedicated MIT KDC and Default Domain for a Cluster
    • When to use kadmin.local and kadmin
    • Setting up a Cluster-Dedicated KDC and Default Realm for the Hadoop Cluster
      • Using a Cluster-Dedicated KDC with a Central MIT KDC
      • Using a Cluster-Dedicated MIT KDC with Active Directory
        • On the Active Directory Server
        • On the MIT KDC server
        • On all of the cluster hosts
  • Integrating Hadoop Security with Active Directory
    • Considerations when using an Active Directory KDC
    • Configuring a Local MIT Kerberos Realm to Trust Active Directory
      • On the Active Directory Server
      • On the MIT KDC Server
      • On All of the Cluster Hosts
  • Integrating Hadoop Security with Alternate Authentication
    • Configuring the AuthenticationFilter to use Kerberos
    • Creating an AltKerberosAuthenticationHandler Subclass
    • Enabling Your AltKerberosAuthenticationHandler Subclass
      • Enabling Your AltKerberosAuthenticationHandler Subclass on Hadoop Web UIs
      • Enabling Your AltKerberosAuthenticationHandler Subclass on Oozie Web UI
    • Example Implementation for Oozie
  • Configuring LDAP Group Mappings
    • Using Cloudera Manager
    • Using the Command Line
  • Hadoop Users in Cloudera Manager and CDH
    • Keytabs and Keytab File Permissions
  • Authenticating Kerberos Principals in Java Code
  • Using a Web Browser to Access an URL Protected by Kerberos HTTP SPNEGO
    • To configure Mozilla Firefox:
    • To configure Internet Explorer:
    • To configure Google Chrome:
  • Troubleshooting Authentication Issues
    • Sample Kerberos Configuration files: krb5.conf, kdc.conf, kadm5.acl
      • kdc.conf:
      • krb5.conf:
      • kadm5.acl:
    • Potential Security Problems and Their Solutions
      • Issues with Generate Credentials
      • Running any Hadoop command fails after enabling security.
        • Description:
        • Solution:
      • Java is unable to read the Kerberos credentials cache created by versions of MIT Kerberos 1.8.1 or higher.
        • Description:
        • Solution:
      • java.io.IOException: Incorrect permission
        • Description:
        • Solution:
      • A cluster fails to run jobs after security is enabled.
        • Description:
        • Solution:
      • The NameNode does not start and KrbException Messages (906) and (31) are displayed.
        • Description:
        • Solution:
      • The NameNode starts but clients cannot connect to it and error message contains enctype code 18.
        • Description:
        • Solution:
      • (MRv1 Only) Jobs won't run and TaskTracker is unable to create a local mapred directory.
        • Description:
        • Solution:
      • (MRv1 Only) Jobs will not run and TaskTracker is unable to create a Hadoop logs directory.
        • Description:
        • Solution:
      • After you enable cross-realm trust, you can run Hadoop commands in the local realm but not in the remote realm.
        • Description:
        • Solution:
      • (MRv1 Only) Jobs won't run and cannot access files in mapred.local.dir
        • Description:
        • Solution:
      • Users are unable to obtain credentials when running Hadoop jobs or commands.
        • Description:
        • Solution:
      • Request is a replay exceptions in the logs.
        • Description:
      • CDH services fail to start
• Encryption
  • SSL Certificates Overview
    • Creating Certificates
      • Using Keytool
      • Using OpenSSL
      • Obtaining a Production Certificate from a Commercial CA
      • Creating Self-Signed Test Certificates
    • Creating Java Keystores and Truststores
      • Security Considerations for Keystores and Truststores
      • Creating Keystores
      • Creating Truststores
        • Example 1: Adding a CA Certificate to the alternative Default Truststore
        • Example 2: Creating a Custom Truststore Containing a Single CA Certificate Chain
        • Example 3: Creating a Custom Truststore Containing Self-Signed Test Certificates
    • Private Key and Certificate Reuse Across Java Keystores and OpenSSL
      • Why Reuse a Private Key?
      • Conversion from Java Keystore to OpenSSL
      • Conversion from OpenSSL to Java Keystore
  • Configuring TLS Security for Cloudera Manager
    • Configuring TLS Encryption Only for Cloudera Manager
      • Step 1: Create the Cloudera Manager Server Keystore, Generate a Certificate Request, and Install the Certificate
      • Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties
    • Level 1: Configuring TLS Encryption for Cloudera Manager Agents
      • Step 1: Enable Agent Connections to Cloudera Manager to use TLS
      • Step 2: Enable and Configure TLS on the Agent Hosts
      • Step 3: Restart the Cloudera Manager Server
      • Step 4: Restart the Cloudera Manager Agents
      • Step 5: Verify that the Server and Agents are Communicating
    • Level 2: Configuring TLS Verification of Cloudera Manager Server by the Agents
      • Step 1: Configure TLS encryption
      • Step 2: Copy the CA Certificate or Cloudera Manager Server's .pem file to the Agents
      • Step 3: Restart the Cloudera Manager Agents
      • Step 4: Restart the Cloudera Management Services
      • Step 5: Verify that the Server and Agents are communicating
    • Level 3: Configuring TLS Authentication of Agents to the Cloudera Manager Server
      • Step 1: Configure TLS encryption
      • Step 2: Configure TLS Verification of Server Trust by Agents
      • Approach A: Using OpenSSL to Create Private Keys and Request Agent Certificates
        • Approach A - Step 3. Generate the private key and certificate signing request for the Agent using OpenSSL.
        • Approach A - Step 4: Submit the certificate signing request to your CA and distribute the issued certificates.
        • Approach A - (Optional) Step 5: Import the OpenSSL private key and certificate into the per-host Java keystore.
      • Approach B: Creating a Java Keystore and Importing Signed Agent Certificates into it
        • Approach B - Step 3: Create a Java Keystore and private key for a host
        • Approach B - Step 4: Generate a certificate signing request and install the issued certificate into the Java Keystore
        • Approach B - Step 5: Export private key from Java keystore and convert with OpenSSL for reuse by Agent.
      • Step 6: Create a File that Contains the Password for the Key
      • Step 7: Configure the Agent with its Private Key and Certificate
      • Step 8: Verify that steps 3-7 Were Completed for every Agent Host in Your Cluster
      • Step 9: Create a Truststore by Importing CA and Agent Certificates
      • Step 10: Enable Agent Authentication and Configure the Cloudera Manager Server to Use the New Truststore
      • Step 12: Restart the Cloudera Manager Server
      • Step 13: Restart the Cloudera Manager Agents
      • Step 14: Verify that the Server and Agents Are Communicating
    • HTTPS Communication in Cloudera Manager
      • Cloudera Manager Agent
        • User Impact
      • Cloudera Management Services
        • User Impact
  • Configuring SSL/TLS Encryption for CDH Services
    • Prerequisites
    • Hadoop Services as SSL Servers and Clients
    • Configuring SSL for HDFS, YARN and MapReduce
      • Before You Begin
      • Configuring SSL for HDFS
      • Configuring SSL for YARN and MapReduce
    • Configuring SSL for HBase
      • Before You Begin
      • Procedure
    • Configuring SSL for Oozie
      • Before You Begin
      • Using Cloudera Manager
      • Using the Command Line
      • Additional Considerations when Configuring SSL for Oozie HA
    • Configuring SSL for Hue
      • Hue as an SSL Client
      • Hue as an SSL Server
    • Configuring SSL for Impala
      • Using Cloudera Manager
      • Using the Command Line
        • Configuring SSL Communication for the Impala Shell
      • Using TLS/SSL with Business Intelligence Tools
    • Configuring HttpFS to use SSL
    • Encrypted Shuffle and Encrypted Web UIs
      • Configuring Encrypted Shuffle and Encrypted Web UIs
        • core-site.xml Properties
        • mapred-site.xml Property (MRv2 only)
        • Keystore and Truststore Settings
      • Activating Encrypted Shuffle
      • Client Certificates
      • Reloading Truststores
      • Debugging
  • HDFS Data At Rest Encryption
    • Use Cases
    • Architecture
      • Encryption Zones
      • Key Management Server
      • Navigator Key Trustee
    • crypto Command Line Interface
      • createZone
      • listZones
    • Enabling HDFS Encryption on a Cluster
      • Adding the KMS Service
      • Enabling KMS for the HDFS Service
      • Configuring Encryption Properties for the HDFS and NameNode
      • Creating Encryption Zones
      • Adding Files to an Encryption Zone
    • DistCp Considerations
      • Copying between encrypted and unencrypted locations
    • Attack Vectors
    • Configuring the Key Management Server (KMS)
      • Setup Configuration
        • KeyProvider Configuration
        • KMS Cache
        • KMS Client Configuration
        • Starting/Stopping the KMS
        • KMS Aggregated Audit logs
        • Configuring the Embedded Tomcat Server
      • Configuring KMS High Availability/Multiple KMSs
        • HTTP Kerberos Principals Configuration
        • HTTP Authentication Signature
    • Securing the Key Management Server (KMS)
      • Enabling Kerberos Authentication
        • Using Cloudera Manager
        • Using the Command Line
      • Configuring the KMS Proxyuser
      • Configuring SSL for the KMS
        • Using Cloudera Manager
        • Using the Command Line
      • Configuring Access Control Lists for the KMS
        • Using Cloudera Manager
        • Using the Command Line
      • Configuring Key Access Control
      • KMS Delegation Token Configuration
    • Configuring CDH Services for HDFS Encryption
      • Hive
        • Single Encryption Zone
        • Separate HiveServer2 For Each Encryption Zone
        • Other Encrypted Directories
      • Impala
        • Recommendations
        • Steps
      • HBase
        • Recommendations
        • Steps
      • Search
        • Recommendations
        • Steps
      • Sqoop
        • Recommendations
      • Hue
        • Recommendations
        • Steps
      • Spark
        • Recommendations
      • MapReduce and YARN
        • MapReduce v1
          • Recommendations
        • MapReduce v2 (YARN)
          • Recommendations
          • Steps
  • Configuring Encrypted HDFS Data Transport
    • Using Cloudera Manager
    • Using the Command Line
  • Troubleshooting SSL/TLS Connectivity
• Authorization
  • Cloudera Manager User Roles
    • User Roles
    • Determining the Role of the Currently Logged in User
    • Removing the Full Administrator User Role
  • Cloudera Navigator User Roles
    • User Roles
    • Determining the Roles of the Currently Logged in User
  • Enabling HDFS Extended ACLs
    • Enabling ACLs
    • Commands
      • getfacl
      • setfacl
  • The Sentry Service
    • Prerequisites
    • Privilege Model
    • Users and Groups
      • Configuring User to Group Mappings
    • Appendix: Authorization Privilege Model for Hive and Impala
      • Object Hierarchy in Hive
    • Installing and Upgrading the Sentry Service
      • Adding the Sentry Service
        • Adding the Sentry Service Using Cloudera Manager
        • Installing Sentry Using the Command Line
      • Upgrading the Sentry Service
        • Upgrading the Sentry Service Using Cloudera Manager
        • Upgrading the Sentry Service Using the Command Line
    • Migrating from Sentry Policy Files to the Sentry Service
    • Configuring the Sentry Service
      • Enabling the Sentry Service for Hive
        • Prerequisites
        • Enabling the Sentry service for Hive
      • Configuring HiveServer2 for the Sentry Service
      • Configuring the Hive Metastore for the Sentry Service
        • Configuring Pig and HCatalog for the Sentry Service
        • Configuring the Hive Metastore to Communicate with Sentry
        • Securing the Hive Metastore
      • Configuring Impala for the Sentry Service
        • Enabling the Sentry Service for Impala
        • Configuring Impala as a Client for the Sentry Service
    • Hive SQL Syntax for Use with Sentry
      • CREATE ROLE Statement
      • DROP ROLE Statement
      • GRANT ROLE Statement
      • REVOKE ROLE Statement
      • GRANT <PRIVILEGE> Statement
      • REVOKE <PRIVILEGE> Statement
      • GRANT <PRIVILEGE> ... WITH GRANT OPTION
      • SET ROLE Statement
      • SHOW Statement
      • Example: Using Grant/Revoke Statements to Match an Existing Policy File
  • Sentry Policy File Authorization
    • Prerequisites
    • Roles and Privileges
    • Privilege Model
    • Users and Groups
      • User to Group Mapping
    • Policy File
      • Storing the Policy File
      • Defining Roles
      • URIs
      • Loading Data
      • External Tables
    • Sample Sentry Configuration Files
      • Policy Files
      • Sentry Configuration File
    • Accessing Sentry-Secured Data Outside Hive/Impala
      • Scenario One: Authorizing Jobs
      • Scenario Two: Authorizing Group Access to Databases
    • Debugging Failed Sentry Authorization Requests
    • Authorization Privilege Model for Hive and Impala
      • Object Hierarchy in Hive
    • Installing and Upgrading Sentry for Policy File Authorization
      • Installing Sentry
      • Upgrading Sentry
    • Configuring Sentry Policy File Authorization Using Cloudera Manager
      • Configuring User to Group Mappings
        • Hadoop Groups
        • Local Groups
      • Enabling URIs for Per-DB Policy Files
      • Using User-Defined Functions with HiveServer2
      • Enabling Policy File Authorization for Hive
      • Configuring Group Access to the Hive Metastore
      • Enabling Policy File Authorization for Impala
      • Enabling Sentry Authorization for Solr
      • Configuring Sentry to Enable BDR Replication
    • Configuring Sentry Policy File Authorization Using the Command Line
      • Configuring User to Group Mappings
        • Hadoop Groups
        • Local Groups
      • Enabling URIs for Per-DB Policy Files
      • Using User-Defined Functions with HiveServer2
      • Enabling Policy File Authorization for Hive
        • Prerequisites
        • Configuration Changes Required
      • Securing the Hive Metastore
      • Enabling Policy File Authorization for Impala
      • Enabling Sentry in Cloudera Search
  • Enabling Sentry Authorization for Impala
    • The Sentry Privilege Model
    • Starting the impalad Daemon with Sentry Authorization Enabled
    • Using Impala with the Sentry Service (CDH 5.1 or higher only)
    • Using Impala with the Sentry Policy File
      • Policy File Location and Format
      • Examples of Policy File Rules for Security Scenarios
        • A User with No Privileges
        • Examples of Privileges for Administrative Users
        • A User with Privileges for Specific Databases and Tables
        • Privileges for Working with External Data Files
        • Controlling Access at the Column Level through Views
        • Separating Administrator Responsibility from Read and Write Privileges
      • Using Multiple Policy Files for Different Databases
    • Setting Up Schema Objects for a Secure Impala Deployment
    • Privilege Model and Object Hierarchy
    • Debugging Failed Sentry Authorization Requests
    • Managing Sentry for Impala through Cloudera Manager
    • The DEFAULT Database in a Secure Deployment
  • Enabling Sentry Authorization for Search
    • Roles and Collection-Level Privileges
    • Users and Groups
      • User to Group Mapping
    • Setup and Configuration
    • Policy File
      • Storing the Policy File
      • Defining Roles
    • Sample Configuration
      • Policy File
      • Sentry Configuration File
    • Enabling Sentry in Cloudera Search for CDH 5
    • Providing Document-Level Security Using Sentry
      • Best Practices
    • Enabling Secure Impersonation
    • Debugging Failed Sentry Authorization Requests
    • Appendix: Authorization Privilege Model for Search
  • Configuring HBase Authorization
    • Understanding HBase Access Levels
      • Further Reading
    • Enable HBase Authorization
    • Configure Access Control Lists for Authorization
• Overview of Impala Security
  • Security Guidelines for Impala
  • Securing Impala Data and Log Files
  • Installation Considerations for Impala Security
  • Securing the Hive Metastore Database
  • Securing the Impala Web User Interface
    • Configuring Secure Access for Impala Web Servers
    • Configuring Password Authentication
    • Configuring TLS/SSL Certificate Authentication
• Miscellaneous Topics
  • Jsvc, Task Controller and Container Executor Programs
    • MRv1 and YARN: The jsvc Program
    • MRv1 Only: The Linux TaskController Program
    • YARN Only: The Linux Container Executor Program
    • Task-controller and Container-executor Error Codes
    • MRv1 ONLY: Task-controller Error Codes
    • YARN ONLY: Container-executor Error Codes
  • Sqoop, Pig, and Whirr Security Support Status
  • Setting Up a Gateway Node to Restrict Cluster Access
    • Installing and Configuring the Firewall and Gateway
    • Accessing HDFS
    • Submitting and Monitoring Jobs
  • Logging a Security Support Case
    • Kerberos Issues
    • SSL/TLS Issues
    • LDAP Issues
  • Using Antivirus Software on CDH Hosts