Apache Hadoop India Summit 2011 talk "Making Apache Hadoop Secure" by Devaraj Das
Download as PPTX, PDF1 like842 views
Making Apache Hadoop Secure summarizes how Yahoo! implemented security features in Apache Hadoop, including authentication using Kerberos, authorization with access control lists, and auditing of user activity. It addresses the challenges of securing a distributed system where tasks run on behalf of users. Key points are integrating Hadoop with Kerberos for authentication, adding ACLs for authorization in HDFS and MapReduce, and using delegation tokens and task isolation for secure job execution.
Apache Hadoop India Summit 2011 talk "Making Apache Hadoop Secure" by Devaraj Das
- 1. Making Apache HadoopSecureDevaraj [email protected]’s Hadoop TeamApache Hadoop India Summit 2011
- 2. Who am IPrincipal Engineer at Yahoo! SunnyvaleWorking on Hadoop and related projectsApache Hadoop Committer/PMC memberBefore Yahoo!, Sunnyvale – Yahoo! BangaloreBefore Yahoo! – HP, Bangalore
- 3. What is Hadoop?HDFS – Distributed File SystemCombines cluster’s local storage into a single namespace.All data is replicated to multiple machines.Provides locality information to clientsMapReduceBatch computation frameworkJobs divided into tasks. Tasks re-executed on failureOptimizes for data locality of input
- 4. ProblemDifferent yahoos need different data.PII versus financial
- 5. Need assurance that only the right people can see data.
- 6. Need to log who looked at the data.Yahoo! has more yahoos than clusters.Requires isolation or trust.
- 7. Security improves ability to share clusters between groups4
- 8. Why is Security Hard?Hadoop is Distributedruns on a cluster of computers.Can’t determine the user on client computer.OS doesn’t tell you, must be done by applicationClient needs to authenticate to each computerClient needs to protect against fake servers
- 9. Need DelegationNot just client-server, the servers access other services on behalf of others.MapReduce need to have user’s permissionsEven if the user logs outMapReduce jobs need to:Get and keep the necessary credentialsRenew them while the job is runningDestroy them when the job finishes
- 10. SolutionPrevent unauthorized HDFS accessAll HDFS clients must be authenticated.
- 11. Including tasks running as part of MapReduce jobs
- 12. And jobs submitted through Oozie.Users must also authenticate serversOtherwise fraudulent servers could steal credentialsIntegrate Hadoop with KerberosProvides well tested open source distributed authentication system.7
- 13. RequirementsSecurity must be optional.Not all clusters are shared between users.Hadoop must not prompt for passwordsMakes it easy to make trojan horse versions.Must have single sign on.Must handle the launch of a MapReduce job on 4,000 NodesPerformance / Reliability must not be compromised
- 14. Security DefinitionsAuthentication – Determining the userHadoop 0.20 completely trusted the userSent user and groups over wireWe need it on both RPC and Web UI.Authorization – What can that user do?HDFS had owners and permissions since 0.16.Auditing – Who did that?
- 15. AuthenticationChanges low-level transportRPC authentication using SASLKerberos (GSSAPI)TokenSimpleBrowser HTTP secured via pluginConfigurable translation from Kerberos principals to user names
- 16. AuthorizationHDFSCommand line and semantics unchangedMapReduce added Access Control ListsLists of users and groups that have access.mapreduce.job.acl-view-job – view jobmapreduce.job.acl-modify-job – kill or modify jobCode for determining group membership is pluggable.Checked on the masters.
- 17. AuditingHDFS can track access to filesMapReduce can track who ran each jobProvides fine grain logs of who did whatWith strong authentication, logs provide audit trails
- 18. Delegation TokensTo prevent authentication flood at the start of a job, NameNode creates delegation tokens.Allows user to authenticate once and pass credentials to all tasks of a job.JobTracker automatically renews tokens while job is running.Max lifetime of delegation tokens is 7 days.Cancels tokens when job finishes.
- 20. Kerberos and Single Sign-onKerberos allows user to sign in onceObtains Ticket Granting Ticket (TGT)kinit – get a new Kerberos ticketklist – list your Kerberos ticketskdestroy – destroy your Kerberos ticketTGT’s last for 10 hours, renewable for 7 days by defaultOnce you have a TGT, Hadoop commands just workhadoop fs –ls /hadoop jar wordcount.jar in-dir out-dir15
- 22. Task IsolationTasks now run as the user.Via a small setuid programCan’t signal other user’s tasks or TaskTrackerCan’t read other tasks jobconf, files, outputs, or logsDistributed cachePublic files shared between jobs and usersPrivate files shared between jobs
- 23. Web UIsHadoop relies on the Web UIs.These need to be authenticated also…Web UI authentication is pluggable.Yahoo uses an internal packageWe have written a very simple static auth plug-inSPNEGO plugin being developedAll servlets enforce permissions.
- 24. Proxy-UsersOozie (and other trusted services) run as headless user on behalf of other usersConfigure HDFS and MapReduce with the oozie user as a proxy:Group of users that the proxy can impersonateWhich hosts they can impersonate from19
- 25. Questions?Questions should be sent to:common/hdfs/[email protected] holes should be sent to:[email protected] from (in production at Yahoo!)Hadoop Commonhttp://svn.apache.org/repos/asf/hadoop/common/branches/branch-0.20-security/Thanks!