SlideShare a Scribd company logo

Hadoop security

B
Biju Nair

This document provides an overview of securing Hadoop applications and clusters. It discusses authentication using Kerberos, authorization using POSIX permissions and HDFS ACLs, encrypting HDFS data at rest, and configuring secure communication between Hadoop services and clients. The principles of least privilege and separating duties are important to apply for a secure Hadoop deployment. Application code may need changes to use Kerberos authentication when accessing Hadoop services.

Technology
1 of 25
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Secure Hadoop Application Ecosystem Boston Application Security Conference Oct 3 2015
Google Trends – Big Data Big Data Job Trends 2
3
Hadoop EcosystemFlumeSqoop ZooKeeper HBase Hive Pig MapReduce Spark YARN – Resource Manager HDFS – Distributed File System Kafka Storm 4
Why • Hadoop is a storage/processing infrastructure – Whether Big Data is hype or not • Fits well for lot of use cases • Inherent distributed storage/processing – Provides scalability at a relatively low cost • There is lot of backing – IBM, Microsoft, Amazon, Google, Intel … • Various distributions and companies 5
Hadoop Distributed File System FileA FileB FileC H1:blk0, H2:blk1 H3:blk0,H1:blk1 H2:blk0;H3:blk1 HDFS Directory Master Host (NN) DISK Local File System File FileA0 FileB1 Inode-x Inode-y Local FS Directory Host 1 FileA1 FileC0 Inode-a Inode-n Local FS Directory Host 2 FileB0 FileC1 Inode-r Inode-c Local FS Directory Host 3 In-x In-y In-a In-n In-r In-c DISK DISK DISK Files created are of size equal to the HDFS blksize 6
HDFS - Write Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 6 77 8 1. Client requests to open a file to write through fs.create() call. This will overwrite existing file. 2. Name node responds with a lease to the file path 3. Client writes to local and when data reaches block size, requests Name Node for write 4. Name Node responds with a new blockid and the destination data nodes for write and replication 5. Client sends the first data node the data and the checksum generated on the data to be written 6. First data node writes the data and checksum and in parallel pipelines the replications to other DN 7. Each data node where the data is replicated responds back with success /failure to the first DN 8. First data node in turn informs to the Name node that the write request for the block is complete which in turn will update its block map Note: There can be only one write at a time on a file 7
HDFS - Read Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 1. Client requests to open a file to read through fs.open() call 2. Name node responds with a lease to the file path 3. Client requests for read the data in the file 4. Name Node responds with block ids in sequence and the corresponding data nodes 5. Client reaches out directly to the DNs for each block of data in the file 6. When DNs sends back data along with check sum, client performs a checksum verification by generating a checksum 7. If the checksum verification fails client reaches out to other DNs where the re is a replication 7 8
Authorization • POSIX model for file and directory permissions – Associated with an owner and a group – Permission for owner, group and others – r for read, w for append to files – r for listing files, w for delete/create files in dirs – x to access child directories – Sticky bit on dirs prevents deletions by others 9
Kerberos 10 TGS AS KDB KDC 1 Create Principal User 2 - kinit 3 – Receive TGT 4 – Request Service Ticket Service 5 – Receive Service Ticket For service principals Keytabs are used
Secure HDFS Cluster - Authentication Master Namenode Slave Datanode Slave Datanode Slave Datanode KDC Keytab Keytab Keytab Keytab 11
Secure HDFS - Client Authentication Namenode Slave Datanode Slave Datanode Slave Datanode KDC HDFS Client KRB Token 1 Deleg Token 2 3 Block Tokens Deleg Token Key Key Key Key 4 12
Authentication Configuration • Set up Kerberos infrastructure – It may be already available through AD • Define service principals • Create Keytabs for service principals – E.g. HDFS, YARN • Copy keytabs to the master and slave nodes • Update site.xml files • Restart the services 13
HDFS Data Encryption HDFS Client Key Mgmt Server Key Trusty Namenode Datenode 1 - EZ 2 – EZ Key 2 - Create EZ EDEK 3 EDEK 4 – R/W 5 14
YARN 15 Resource Manager Node Manager Node Manager Node Manager Keytab Keytab Keytab Keytab Client submits MapRed Job App Master Container Container
Controlling Resource Usage • Schedulers – Fair – Capacity • Queues defined to use percentage of resource – Hierarchy with in queues • Users and groups attached to groups – Administer – Submit 16
YARN Queue 17 Root 100% Sec 70% sadmin, suser Adhoc 30% Aadmin, auser
Hadoop Cluster - Secure Perimeter Master Slave Slave Slave IPS/IDS/Firewall IPS/IDS/Firewall Clients DMZ/Separate Network 18
HDFS Services & Ports HDFS Service Port Name Node 8020 Name Node UI 50070 Secondary Name Node UI 50090 Data Node 50020 Data Node UI 50075 Journal Node 8480, 8485 HttpFS 14000, 14001 19
Principle of Least Priviledge • hdfs-site xml – dfs.permissions.superusergroup – dfs.cluster.administrators • core-site.xml – Hadoop.security.authorization to true • hadoop-policy.xml – security.client.protocol.acl – security.client.datanode.protocol.acl – security.get.user.mappings.protocol.acl 20
Application Code Change Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("ubuntu/hostname@REALM", ”ubuntu.keytab"); FileSystem fs = FileSystem.get(conf); 21 Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); FileSystem fs = FileSystem.get(conf); Unsecure Hadoop Secure Hadoop
Key Takeaways • New infrastructure will be part of enterprises – May not be as big as the hype • Adherence to application security principles – Complexity and maturity may be a roadblock • Constant follow-up on latest developments 22
References & Acknowledgements • Hadoop Security – https://issues.apache.org/jira/browse/HADOOP-4487 – Hadoop Project – Securing Hadoop Page • HDFS Encryption – https://issues.apache.org/jira/browse/HDFS-6134 – Hadoop Project Transparent Encryption Page – http://www.slideshare.net/Hadoop_Summit/transparent-encryption-in-hdfs • Hadoop service level authorization • YARN – Fair Scheduler – Capacity Scheduler • Hadoop Security Book 23
Thank You!! 24
bnair@asquareb.com blog.asquareb.com https://github.com/bijugs @gsbiju http://www.slideshare.net/bijugs

More Related Content

PDF
2014 sept 4_hadoop_security
Adam Muise
 
PDF
Hadoop security
shrey mehrotra
 
PDF
Hadoop & Security - Past, Present, Future
Uwe Printz
 
PPTX
Open Source Security Tools for Big Data
Rommel Garcia
 
PPTX
Hadoop Security in Big-Data-as-a-Service Deployments - Presented at Hadoop Su...
Abhiraj Butala
 
PDF
Hadoop security overview_hit2012_1117rev
Jason Shih
 
PPTX
Hadoop security
Kashif Khan
 
PPTX
Hdp security overview
Hortonworks
 
2014 sept 4_hadoop_security
Adam Muise
 
Hadoop security
shrey mehrotra
 
Hadoop & Security - Past, Present, Future
Uwe Printz
 
Open Source Security Tools for Big Data
Rommel Garcia
 
Hadoop Security in Big-Data-as-a-Service Deployments - Presented at Hadoop Su...
Abhiraj Butala
 
Hadoop security overview_hit2012_1117rev
Jason Shih
 
Hadoop security
Kashif Khan
 
Hdp security overview
Hortonworks
 

What's hot (20)

PPTX
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
PDF
Hadoop Security: Overview
Cloudera, Inc.
 
PPTX
Hadoop security
Shivaji Dutta
 
PPT
Hadoop Security Architecture
Owen O'Malley
 
PPTX
Hadoop Security Today and Tomorrow
DataWorks Summit
 
PPTX
Hadoop ClusterClient Security Using Kerberos
Sarvesh Meena
 
PPTX
Managing enterprise users in Hadoop ecosystem
DataWorks Summit
 
PPTX
Data protection for hadoop environments
DataWorks Summit
 
PPTX
Hadoop Security Features That make your risk officer happy
DataWorks Summit
 
PDF
Hadoop Operations - Best practices from the field
Uwe Printz
 
PPT
Hadoop Operations: How to Secure and Control Cluster Access
Cloudera, Inc.
 
PPTX
Hadoop Security Today & Tomorrow with Apache Knox
Vinay Shukla
 
PPTX
Hadoop and Kerberos: the Madness Beyond the Gate
Steve Loughran
 
PPTX
Improvements in Hadoop Security
DataWorks Summit
 
PDF
Nl HUG 2016 Feb Hadoop security from the trenches
Bolke de Bruin
 
PPTX
Hadoop Security Features that make your risk officer happy
Anurag Shrivastava
 
PPTX
Hadoop REST API Security with Apache Knox Gateway
DataWorks Summit
 
PPTX
Securing the Hadoop Ecosystem
DataWorks Summit
 
PDF
Apache Sentry for Hadoop security
bigdatagurus_meetup
 
PPTX
Running secured Spark job in Kubernetes compute cluster and integrating with ...
DataWorks Summit
 
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
Hadoop Security: Overview
Cloudera, Inc.
 
Hadoop security
Shivaji Dutta
 
Hadoop Security Architecture
Owen O'Malley
 
Hadoop Security Today and Tomorrow
DataWorks Summit
 
Hadoop ClusterClient Security Using Kerberos
Sarvesh Meena
 
Managing enterprise users in Hadoop ecosystem
DataWorks Summit
 
Data protection for hadoop environments
DataWorks Summit
 
Hadoop Security Features That make your risk officer happy
DataWorks Summit
 
Hadoop Operations - Best practices from the field
Uwe Printz
 
Hadoop Operations: How to Secure and Control Cluster Access
Cloudera, Inc.
 
Hadoop Security Today & Tomorrow with Apache Knox
Vinay Shukla
 
Hadoop and Kerberos: the Madness Beyond the Gate
Steve Loughran
 
Improvements in Hadoop Security
DataWorks Summit
 
Nl HUG 2016 Feb Hadoop security from the trenches
Bolke de Bruin
 
Hadoop Security Features that make your risk officer happy
Anurag Shrivastava
 
Hadoop REST API Security with Apache Knox Gateway
DataWorks Summit
 
Securing the Hadoop Ecosystem
DataWorks Summit
 
Apache Sentry for Hadoop security
bigdatagurus_meetup
 
Running secured Spark job in Kubernetes compute cluster and integrating with ...
DataWorks Summit
 
Ad

Viewers also liked (20)

PDF
NENUG Apr14 Talk - data modeling for netezza
Biju Nair
 
PDF
Websphere MQ (MQSeries) fundamentals
Biju Nair
 
PDF
Chef patterns
Biju Nair
 
PDF
Concurrency
Biju Nair
 
PDF
Project Risk Management
Biju Nair
 
PDF
HDFS User Reference
Biju Nair
 
PDF
HBase Application Performance Improvement
Biju Nair
 
PDF
Netezza workload management
Biju Nair
 
PPTX
Hadoop and Big Data Security
Chicago Hadoop Users Group
 
PDF
Using Netezza Query Plan to Improve Performace
Biju Nair
 
PDF
Netezza fundamentals for developers
Biju Nair
 
PDF
Managing Websphere Application Server certificates
Piyush Chordia
 
PDF
It was just Open Source - TEDx Novara
Fabio Mora
 
PPT
THE BIG PRINT - Showing the Action
Billy Marshall Stoneking
 
PDF
Hadoop Security Now and Future
tcloudcomputing-tw
 
PDF
Row or Columnar Database
Biju Nair
 
PDF
Big Data Security Intelligence and Analytics for Advanced Threat Protection
Blue Coat
 
PDF
Advanced Security In Hadoop Cluster
Edureka!
 
PPT
WebSphere Message Broker Training | IBM WebSphere Message Broker Online Training
ecorptraining2
 
PPTX
GSM/UMTS network architecture tutorial (Indonesia)
ejlp12
 
NENUG Apr14 Talk - data modeling for netezza
Biju Nair
 
Websphere MQ (MQSeries) fundamentals
Biju Nair
 
Chef patterns
Biju Nair
 
Concurrency
Biju Nair
 
Project Risk Management
Biju Nair
 
HDFS User Reference
Biju Nair
 
HBase Application Performance Improvement
Biju Nair
 
Netezza workload management
Biju Nair
 
Hadoop and Big Data Security
Chicago Hadoop Users Group
 
Using Netezza Query Plan to Improve Performace
Biju Nair
 
Netezza fundamentals for developers
Biju Nair
 
Managing Websphere Application Server certificates
Piyush Chordia
 
It was just Open Source - TEDx Novara
Fabio Mora
 
THE BIG PRINT - Showing the Action
Billy Marshall Stoneking
 
Hadoop Security Now and Future
tcloudcomputing-tw
 
Row or Columnar Database
Biju Nair
 
Big Data Security Intelligence and Analytics for Advanced Threat Protection
Blue Coat
 
Advanced Security In Hadoop Cluster
Edureka!
 
WebSphere Message Broker Training | IBM WebSphere Message Broker Online Training
ecorptraining2
 
GSM/UMTS network architecture tutorial (Indonesia)
ejlp12
 
Ad

Similar to Hadoop security (20)

PPTX
Understanding Hadoop
Mahendran Ponnusamy
 
PDF
Aziksa hadoop architecture santosh jha
Data Con LA
 
PDF
hdfs readrmation ghghg bigdats analytics info.pdf
ssuser2d043c
 
PPTX
Hadoop and HDFS
SatyaHadoop
 
PPTX
Hadoop
Syed Measum Haider Bokhari
 
PPTX
Hadoop BRamamurthy ajjaahdvddvdnsmsjdjfj
Prateek Rathore
 
PPTX
Unit-3.pptx
JasmineMichael1
 
PPT
Borthakur hadoop univ-research
saintdevil163
 
PDF
HDFS Design Principles
Konstantin V. Shvachko
 
PPTX
Giraffa - November 2014
Plamen Jeliazkov
 
PPTX
HDFS tiered storage
DataWorks Summit
 
PDF
Unit 3 Big Data àaaaaaaaaaaaTutorial.pdf
VarunTyagi624957
 
PPTX
Introduction to hadoop and hdfs
shrey mehrotra
 
PPTX
Introduction to HDFS
Siddharth Mathur
 
PDF
Tutorial Haddop 2.3
Atanu Chatterjee
 
ODP
Hadoop HDFS by rohitkapa
kapa rohit
 
PPTX
HDFS: Hadoop Distributed Filesystem
Steve Loughran
 
PPTX
Hadoop File System.pptx
AakashBerlia1
 
PDF
Hadoop Introduction
tutorialvillage
 
PPTX
Big data- HDFS(2nd presentation)
Takrim Ul Islam Laskar
 
Understanding Hadoop
Mahendran Ponnusamy
 
Aziksa hadoop architecture santosh jha
Data Con LA
 
hdfs readrmation ghghg bigdats analytics info.pdf
ssuser2d043c
 
Hadoop and HDFS
SatyaHadoop
 
Hadoop
Syed Measum Haider Bokhari
 
Hadoop BRamamurthy ajjaahdvddvdnsmsjdjfj
Prateek Rathore
 
Unit-3.pptx
JasmineMichael1
 
Borthakur hadoop univ-research
saintdevil163
 
HDFS Design Principles
Konstantin V. Shvachko
 
Giraffa - November 2014
Plamen Jeliazkov
 
HDFS tiered storage
DataWorks Summit
 
Unit 3 Big Data àaaaaaaaaaaaTutorial.pdf
VarunTyagi624957
 
Introduction to hadoop and hdfs
shrey mehrotra
 
Introduction to HDFS
Siddharth Mathur
 
Tutorial Haddop 2.3
Atanu Chatterjee
 
Hadoop HDFS by rohitkapa
kapa rohit
 
HDFS: Hadoop Distributed Filesystem
Steve Loughran
 
Hadoop File System.pptx
AakashBerlia1
 
Hadoop Introduction
tutorialvillage
 
Big data- HDFS(2nd presentation)
Takrim Ul Islam Laskar
 

More from Biju Nair (6)

PDF
Chef conf-2015-chef-patterns-at-bloomberg-scale
Biju Nair
 
PDF
HBase Internals And Operations
Biju Nair
 
PDF
Apache Kafka Reference
Biju Nair
 
PDF
Serving queries at low latency using HBase
Biju Nair
 
PDF
Multi-Tenant HBase Cluster - HBaseCon2018-final
Biju Nair
 
PDF
Cursor Implementation in Apache Phoenix
Biju Nair
 
Chef conf-2015-chef-patterns-at-bloomberg-scale
Biju Nair
 
HBase Internals And Operations
Biju Nair
 
Apache Kafka Reference
Biju Nair
 
Serving queries at low latency using HBase
Biju Nair
 
Multi-Tenant HBase Cluster - HBaseCon2018-final
Biju Nair
 
Cursor Implementation in Apache Phoenix
Biju Nair
 

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Cloud computing and distributed systems.
kkkkkhan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Approach and Philosophy of On baking technology
30anthuong17
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Hadoop security

  • 1. Secure Hadoop Application Ecosystem Boston Application Security Conference Oct 3 2015
  • 2. Google Trends – Big Data Big Data Job Trends 2
  • 3. 3
  • 4. Hadoop EcosystemFlumeSqoop ZooKeeper HBase Hive Pig MapReduce Spark YARN – Resource Manager HDFS – Distributed File System Kafka Storm 4
  • 5. Why • Hadoop is a storage/processing infrastructure – Whether Big Data is hype or not • Fits well for lot of use cases • Inherent distributed storage/processing – Provides scalability at a relatively low cost • There is lot of backing – IBM, Microsoft, Amazon, Google, Intel … • Various distributions and companies 5
  • 6. Hadoop Distributed File System FileA FileB FileC H1:blk0, H2:blk1 H3:blk0,H1:blk1 H2:blk0;H3:blk1 HDFS Directory Master Host (NN) DISK Local File System File FileA0 FileB1 Inode-x Inode-y Local FS Directory Host 1 FileA1 FileC0 Inode-a Inode-n Local FS Directory Host 2 FileB0 FileC1 Inode-r Inode-c Local FS Directory Host 3 In-x In-y In-a In-n In-r In-c DISK DISK DISK Files created are of size equal to the HDFS blksize 6
  • 7. HDFS - Write Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 6 77 8 1. Client requests to open a file to write through fs.create() call. This will overwrite existing file. 2. Name node responds with a lease to the file path 3. Client writes to local and when data reaches block size, requests Name Node for write 4. Name Node responds with a new blockid and the destination data nodes for write and replication 5. Client sends the first data node the data and the checksum generated on the data to be written 6. First data node writes the data and checksum and in parallel pipelines the replications to other DN 7. Each data node where the data is replicated responds back with success /failure to the first DN 8. First data node in turn informs to the Name node that the write request for the block is complete which in turn will update its block map Note: There can be only one write at a time on a file 7
  • 8. HDFS - Read Flow Client Namespace MetaData Blockmap (Fsimage Edit files) Name Node Data Node Data Node Data Node 1 2 3 4 5 6 1. Client requests to open a file to read through fs.open() call 2. Name node responds with a lease to the file path 3. Client requests for read the data in the file 4. Name Node responds with block ids in sequence and the corresponding data nodes 5. Client reaches out directly to the DNs for each block of data in the file 6. When DNs sends back data along with check sum, client performs a checksum verification by generating a checksum 7. If the checksum verification fails client reaches out to other DNs where the re is a replication 7 8
  • 9. Authorization • POSIX model for file and directory permissions – Associated with an owner and a group – Permission for owner, group and others – r for read, w for append to files – r for listing files, w for delete/create files in dirs – x to access child directories – Sticky bit on dirs prevents deletions by others 9
  • 10. Kerberos 10 TGS AS KDB KDC 1 Create Principal User 2 - kinit 3 – Receive TGT 4 – Request Service Ticket Service 5 – Receive Service Ticket For service principals Keytabs are used
  • 11. Secure HDFS Cluster - Authentication Master Namenode Slave Datanode Slave Datanode Slave Datanode KDC Keytab Keytab Keytab Keytab 11
  • 12. Secure HDFS - Client Authentication Namenode Slave Datanode Slave Datanode Slave Datanode KDC HDFS Client KRB Token 1 Deleg Token 2 3 Block Tokens Deleg Token Key Key Key Key 4 12
  • 13. Authentication Configuration • Set up Kerberos infrastructure – It may be already available through AD • Define service principals • Create Keytabs for service principals – E.g. HDFS, YARN • Copy keytabs to the master and slave nodes • Update site.xml files • Restart the services 13
  • 14. HDFS Data Encryption HDFS Client Key Mgmt Server Key Trusty Namenode Datenode 1 - EZ 2 – EZ Key 2 - Create EZ EDEK 3 EDEK 4 – R/W 5 14
  • 16. Controlling Resource Usage • Schedulers – Fair – Capacity • Queues defined to use percentage of resource – Hierarchy with in queues • Users and groups attached to groups – Administer – Submit 16
  • 17. YARN Queue 17 Root 100% Sec 70% sadmin, suser Adhoc 30% Aadmin, auser
  • 18. Hadoop Cluster - Secure Perimeter Master Slave Slave Slave IPS/IDS/Firewall IPS/IDS/Firewall Clients DMZ/Separate Network 18
  • 19. HDFS Services & Ports HDFS Service Port Name Node 8020 Name Node UI 50070 Secondary Name Node UI 50090 Data Node 50020 Data Node UI 50075 Journal Node 8480, 8485 HttpFS 14000, 14001 19
  • 20. Principle of Least Priviledge • hdfs-site xml – dfs.permissions.superusergroup – dfs.cluster.administrators • core-site.xml – Hadoop.security.authorization to true • hadoop-policy.xml – security.client.protocol.acl – security.client.datanode.protocol.acl – security.get.user.mappings.protocol.acl 20
  • 21. Application Code Change Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab("ubuntu/hostname@REALM", ”ubuntu.keytab"); FileSystem fs = FileSystem.get(conf); 21 Configuration conf = new Configuration(); conf.set("fs.defaultFS", "hdfs://NN:PORT/user/hbase"); conf.set("hadoop.security.authentication", "Kerberos"); FileSystem fs = FileSystem.get(conf); Unsecure Hadoop Secure Hadoop
  • 22. Key Takeaways • New infrastructure will be part of enterprises – May not be as big as the hype • Adherence to application security principles – Complexity and maturity may be a roadblock • Constant follow-up on latest developments 22
  • 23. References & Acknowledgements • Hadoop Security – https://issues.apache.org/jira/browse/HADOOP-4487 – Hadoop Project – Securing Hadoop Page • HDFS Encryption – https://issues.apache.org/jira/browse/HDFS-6134 – Hadoop Project Transparent Encryption Page – http://www.slideshare.net/Hadoop_Summit/transparent-encryption-in-hdfs • Hadoop service level authorization • YARN – Fair Scheduler – Capacity Scheduler • Hadoop Security Book 23