SlideShare a Scribd company logo

TriHUG October: Apache Ranger

T
trihug

This document discusses security in Hadoop clusters using Apache Ranger. It provides an overview of Hadoop security, describes the components of Ranger and how it implements authorization, auditing and central policy management. The document demonstrates typical authorization workflows with Ranger for HDFS and Hive, and best practices for configuring Ranger and its integration with LDAP. It also includes a demo of Ranger controlling access to HDFS directories and Hive tables.

Technology
1 of 28
Downloaded 127 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Hadoop Data Security with Apache Ranger Biren Saini © Hortonworks Inc. 2011 – 2015. All Rights Reserved
Page 2 © Hortonworks Inc. 2015 About me •  Biren Saini •  Senior Solutions Engineer •  Governance SME Lead •  Overall 15 years of technology experience @ Hortonworks}
Page 3 © Hortonworks Inc. 2015 Agenda •  Hadoop Security Overview •  Apache Ranger – Introduction – Architecture – Sample Flow – Best Practices – Ranger Stacks – Demo
Page 4 © Hortonworks Inc. 2015 Overview of Security in Hadoop
Page 5 © Hortonworks Inc. 2015 5 Pillars of Security •  Authentication •  Authorization •  Audit •  Encryption •  Centralized Administration
Page 6 © Hortonworks Inc. 2015 Security Tools in Hadoop world •  Kerberos (authentication) •  Apache Knox (authentication) •  AD/LDAP (authentication) •  Apache Ranger (authorization, audit, kms) •  HDFS TDE (data encryption) •  Wire Encryption (data protection)
Page 7 © Hortonworks Inc. 2015 HDFS Typical Flow – SQL Access through Beeline client HiveServer 2 A B C Beeline Client
Page 8 © Hortonworks Inc. 2015 HDFS Typical Flow – Authenticate through Kerberos HiveServer 2 A B C KDC Login into Hive using AD password Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Client gets service ticket for Hive Beeline Client Active Directory
Page 9 © Hortonworks Inc. 2015 HDFS Typical Flow – Add Authorization through Apache Ranger HiveServer 2 A B C KDC Hive gets Namenode (NN) service ticket Column level access control, auditing Ranger Beeline Client File level access control Active Directory Import users/groups from LDAP Login into Hive using AD password
Page 10 © Hortonworks Inc. 2015 HDFS Typical Flow – Firewall, Route through Knox Gateway HiveServer 2 A B C KDC Use Hive ST, submit query Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Ranger Knox gets service ticket for Hive Knox runs as proxy user using Hive ST Original request w/user id/password Client gets query result Beeline Client Apache Knox Active Directory
Page 11 © Hortonworks Inc. 2015 HDFS Typical Flow – Add Wire and File Encryption HiveServer 2 A B C KDC Use Hive ST, submit query Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Ranger Knox gets service ticket for Hive Knox runs as proxy user using Hive ST Original request w/user id/password Client gets query result SSL Beeline Client SSL SASL SSL SSL Apache Knox Active Directory
Page 12 © Hortonworks Inc. 2015 Apache Ranger
Page 13 © Hortonworks Inc. 2015 Apache Ranger •  Provides centralized policy definition for authorizing & auditing access to resources in a consistent manner. •  Supported components as of v0.5 •  HDFS •  HBase •  Hive •  YARN •  Knox •  Storm •  Solr •  Kafka
Page 14 © Hortonworks Inc. 2015 Setup Authorization Policies 14 file level access control, flexible definition Control permissions
Page 15 © Hortonworks Inc. 2015 Monitor through Auditing
Page 16 © Hortonworks Inc. 2015 Agent AgentAgent AgentAgent Agent Apache Ranger authZ Architecture HBase Hive YARN Knox Storm Solr Kafka Agent HDFS Agent Administration Portal (Ranger UI) REST APIs DB SOLR HDFS Policy Server LDAP/AD user/group sync Log4j KMS Audit Server User Sync Server
Page 17 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Agent Namenode Audit Store Ranger Policy Store Unauthorized user attempts to access the data User access is denied No Policy defined.
Page 18 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a 1b 1d Agent Namenode Audit Store Ranger Policy Store 1c
Page 19 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a Data scientist runs a map reduce job User Application Analysts access HDFS data through application IT users access HDFS through CLI 1b 2a 2a 2a Agent Namenode Namenode provides resource access to user/client Namenode uses Agent for Authorization2b Audit Store 2d 2c Ranger Policy Store 1d 1c
Page 20 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a Data scientist runs a map reduce job User Application Analysts access HDFS data through application IT users access HDFS through CLI 1b 2a 2a 2a Agent Namenode Namenode provides resource access to user/client Namenode uses Agent for Authorization2b Audit Store Admin requests the Audit report3a 3b 3c 2d 2c Ranger Policy Store 1d 1c
Page 21 © Hortonworks Inc. 2015 Ranger UserSync Best Practice 21 •  Ensure LDAPS is used to integrate with Ranger •  Create OU ONLY for Hadoop users for performance •  Only run usersync when necessary – How much users are being added and how often – How much users are changing roles – Too much syncing can degrade LDAP performance •  Do not sync anonymously
Page 22 © Hortonworks Inc. 2015 Ranger Audit Best Practices 22 •  HDFS – Long term storage that can be used to understand user event trends and predict anomaly •  RDBMS – When SQL is preferred by auditors – MySQL, Oracle, Postgres, SQL Server •  Solr – Nice quick reporting metrics to understand user event trends •  Log4j Appenders
Page 23 © Hortonworks Inc. 2015 Ranger Stacks •  Apache Ranger v0.5 supports stack-model to enable easier onboarding of new components, without requiring code changes in Apache Ranger. Ranger Side Changes Define Service-type Secured Components Side Changes Develop Ranger Authorization Plugin •  Create a JSON file with following details : - Resources - Access types - Config to connect •  Load the JSON into Ranger. •  Include plugin library in the secure component. •  During initialization of the service: Init RangerBasePlugIn & RangerDefaultAuditHandler class. •  To authorize access to a resource: Use RangerAccessRequest.isAccessAllowed() •  To support resource lookup: Implement RangerBaseService.lookupResource() & RangerBaseService.validateConfig() https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
Page 24 © Hortonworks Inc. 2015 Summary & Misc. points 24 •  All functions are available as Rest API •  Ranger integrates with AD/LDAP for ranger login as well as user sync. •  Support for High Availability (HA) •  Support for Transparent Data Encryption with KMS implementation •  Tighter integration with Apache Ambari •  Stack based implementation of Plugins •  Ranger also has the KMS for HDFS TDE. •  Some features in development are –  Spark support –  Time based authorization –  Geo Location based authorization
Page 25 © Hortonworks Inc. 2015 Demo - HDFS Admin SamTom /demo/data/trihug /demo/data/trihugRanger UI WRITE Access denied READ Access denied 1 2 SamTom /demo/data/trihug WRITE Access allowed READ Access allowed 3 Grants access READ for Sam WRITE for Tom Ranger Plugin gets the update WRITE Access denied hdfs:hdfs rwx --- --- Elevated Privileges Restricted Privileges Directory already exists
Page 26 © Hortonworks Inc. 2015 Demo - Hive Admin SamTom tickers eod Ranger UI WRITE Access denied READ Access denied 1 2 SamTom WRITE Access allowed READ Access to SOME COLUMNS allowed 3 Grants access READ for Sam ALL for Tom Ranger Plugin gets the update WRITE Access denied hive tables tickers eod hive tables tickers eod hive tables SOME COLUMNS READ Access to ALL COLUMNS denied Created by “hive” user in trihug schema Elevated Privileges Restricted Privileges GRANT Access allowed DB already exists
Page 27 © Hortonworks Inc. 2015 Demo time..
Page 28 © Hortonworks Inc. 2015 Thank you. Questions?

More Related Content

What's hot (20)

PDF
Zabbix Performance Tuning
Ricardo Santos
 
PDF
Using Spark Streaming and NiFi for the next generation of ETL in the enterprise
DataWorks Summit
 
PDF
An overview of Neo4j Internals
Tobias Lindaaker
 
PPTX
Role-Based Access Control (RBAC) in Neo4j
Neo4j
 
PPTX
Managing enterprise users in Hadoop ecosystem
DataWorks Summit
 
PDF
Spark with Delta Lake
Knoldus Inc.
 
PDF
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Nelson Calero
 
PPTX
CCNA Wireless Lan (WLAN)
Networkel
 
PDF
Neutron packet logging framework
Vietnam Open Infrastructure User Group
 
PDF
Diving into Delta Lake: Unpacking the Transaction Log
Databricks
 
PDF
Server monitoring using grafana and prometheus
Celine George
 
PPTX
Netflix Data Pipeline With Kafka
Allen (Xiaozhong) Wang
 
PDF
Oracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Ludovico Caldara
 
PDF
Productizing Structured Streaming Jobs
Databricks
 
PPTX
Palo Alto Networks 28.5.2013
Belsoft
 
PDF
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
Databricks
 
PDF
Deep Dive into the New Features of Apache Spark 3.1
Databricks
 
PPTX
Overview of HDFS Transparent Encryption
Cloudera, Inc.
 
PDF
OpenStack Architecture
Mirantis
 
PDF
Hadoop Overview & Architecture
EMC
 
Zabbix Performance Tuning
Ricardo Santos
 
Using Spark Streaming and NiFi for the next generation of ETL in the enterprise
DataWorks Summit
 
An overview of Neo4j Internals
Tobias Lindaaker
 
Role-Based Access Control (RBAC) in Neo4j
Neo4j
 
Managing enterprise users in Hadoop ecosystem
DataWorks Summit
 
Spark with Delta Lake
Knoldus Inc.
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Nelson Calero
 
CCNA Wireless Lan (WLAN)
Networkel
 
Neutron packet logging framework
Vietnam Open Infrastructure User Group
 
Diving into Delta Lake: Unpacking the Transaction Log
Databricks
 
Server monitoring using grafana and prometheus
Celine George
 
Netflix Data Pipeline With Kafka
Allen (Xiaozhong) Wang
 
Oracle Fleet Patching and Provisioning Deep Dive Webcast Slides
Ludovico Caldara
 
Productizing Structured Streaming Jobs
Databricks
 
Palo Alto Networks 28.5.2013
Belsoft
 
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
Databricks
 
Deep Dive into the New Features of Apache Spark 3.1
Databricks
 
Overview of HDFS Transparent Encryption
Cloudera, Inc.
 
OpenStack Architecture
Mirantis
 
Hadoop Overview & Architecture
EMC
 

Viewers also liked (19)

PPTX
Ranger admin dev overview
Tushar Dudhatra
 
PDF
Discover HDP 2.2: Comprehensive Hadoop Security with Apache Ranger and Apache...
Hortonworks
 
PPTX
Hdp security overview
Hortonworks
 
PDF
Curb your insecurity with HDP - Tips for a Secure Cluster
ahortonworks
 
PPTX
Security needs in Hadoop’s Current and Future – How Apache Ranger can help?
DataWorks Summit
 
PDF
Simplify and Secure your Hadoop Environment with Hortonworks and Centrify
Hortonworks
 
PPTX
Hadoop bootcamp getting started
JWORKS powered by Ordina
 
PPTX
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Kevin Minder
 
PDF
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Hortonworks
 
PPTX
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
PDF
Deep learning with Hortonworks and Apache Spark - Hortonworks technical workshop
Hortonworks
 
PPTX
Hadoop Security Today & Tomorrow with Apache Knox
Vinay Shukla
 
PPTX
Protecting Enterprise Data in Apache Hadoop
Hortonworks
 
PPTX
Security and Data Governance using Apache Ranger and Apache Atlas
DataWorks Summit/Hadoop Summit
 
PDF
Hadoop and Data Virtualization - A Case Study by VHA
Hortonworks
 
PDF
The Emerging Data Lake IT Strategy
Thomas Kelly, PMP
 
PPTX
Hortonworks Data in Motion Webinar Series Part 7 Apache Kafka Nifi Better Tog...
Hortonworks
 
PPTX
Hadoop security
Shivaji Dutta
 
PPTX
Enabling the Real Time Analytical Enterprise
Hortonworks
 
Ranger admin dev overview
Tushar Dudhatra
 
Discover HDP 2.2: Comprehensive Hadoop Security with Apache Ranger and Apache...
Hortonworks
 
Hdp security overview
Hortonworks
 
Curb your insecurity with HDP - Tips for a Secure Cluster
ahortonworks
 
Security needs in Hadoop’s Current and Future – How Apache Ranger can help?
DataWorks Summit
 
Simplify and Secure your Hadoop Environment with Hortonworks and Centrify
Hortonworks
 
Hadoop bootcamp getting started
JWORKS powered by Ordina
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Kevin Minder
 
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Hortonworks
 
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
Deep learning with Hortonworks and Apache Spark - Hortonworks technical workshop
Hortonworks
 
Hadoop Security Today & Tomorrow with Apache Knox
Vinay Shukla
 
Protecting Enterprise Data in Apache Hadoop
Hortonworks
 
Security and Data Governance using Apache Ranger and Apache Atlas
DataWorks Summit/Hadoop Summit
 
Hadoop and Data Virtualization - A Case Study by VHA
Hortonworks
 
The Emerging Data Lake IT Strategy
Thomas Kelly, PMP
 
Hortonworks Data in Motion Webinar Series Part 7 Apache Kafka Nifi Better Tog...
Hortonworks
 
Hadoop security
Shivaji Dutta
 
Enabling the Real Time Analytical Enterprise
Hortonworks
 
Ad

Similar to TriHUG October: Apache Ranger (20)

PDF
2014 sept 4_hadoop_security
Adam Muise
 
PDF
August 2014 HUG : Comprehensive Security for Hadoop
Yahoo Developer Network
 
PPTX
Hadoop Security Today and Tomorrow
DataWorks Summit
 
PDF
Hadoop & Security - Past, Present, Future
Uwe Printz
 
PPTX
Improvements in Hadoop Security
DataWorks Summit
 
PDF
Discover HDP 2.1: Apache Falcon for Data Governance in Hadoop
Hortonworks
 
PDF
大数据数据治理及数据安全
Jianwei Li
 
PPTX
Fortifying Multi-Cluster Hybrid Cloud Data Lakes using Apache Knox
DataWorks Summit
 
PDF
Discover HDP 2.1: Apache Hadoop 2.4.0, YARN & HDFS
Hortonworks
 
PDF
Apache Argus - How do I secure my entire Hadoop cluster? Olivier Renault @ Ho...
huguk
 
PPTX
Saving the elephant—now, not later
DataWorks Summit
 
PPTX
Improvements in Hadoop Security
Chris Nauroth
 
PPTX
Hadoop and Data Access Security
Cloudera, Inc.
 
PPTX
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
PPTX
Treat your enterprise data lake indigestion: Enterprise ready security and go...
DataWorks Summit
 
PPTX
Securing the Hadoop Ecosystem
DataWorks Summit
 
PDF
August 2014 HUG : Hive 13 Security
Yahoo Developer Network
 
PPTX
Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...
DataWorks Summit
 
PPTX
Bridle your Flying Islands and Castles in the Sky: Built-in Governance and Se...
DataWorks Summit
 
PPTX
Comprehensive Security for the Enterprise II: Guarding the Perimeter and Cont...
Cloudera, Inc.
 
2014 sept 4_hadoop_security
Adam Muise
 
August 2014 HUG : Comprehensive Security for Hadoop
Yahoo Developer Network
 
Hadoop Security Today and Tomorrow
DataWorks Summit
 
Hadoop & Security - Past, Present, Future
Uwe Printz
 
Improvements in Hadoop Security
DataWorks Summit
 
Discover HDP 2.1: Apache Falcon for Data Governance in Hadoop
Hortonworks
 
大数据数据治理及数据安全
Jianwei Li
 
Fortifying Multi-Cluster Hybrid Cloud Data Lakes using Apache Knox
DataWorks Summit
 
Discover HDP 2.1: Apache Hadoop 2.4.0, YARN & HDFS
Hortonworks
 
Apache Argus - How do I secure my entire Hadoop cluster? Olivier Renault @ Ho...
huguk
 
Saving the elephant—now, not later
DataWorks Summit
 
Improvements in Hadoop Security
Chris Nauroth
 
Hadoop and Data Access Security
Cloudera, Inc.
 
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
Treat your enterprise data lake indigestion: Enterprise ready security and go...
DataWorks Summit
 
Securing the Hadoop Ecosystem
DataWorks Summit
 
August 2014 HUG : Hive 13 Security
Yahoo Developer Network
 
Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...
DataWorks Summit
 
Bridle your Flying Islands and Castles in the Sky: Built-in Governance and Se...
DataWorks Summit
 
Comprehensive Security for the Enterprise II: Guarding the Perimeter and Cont...
Cloudera, Inc.
 
Ad

More from trihug (11)

PDF
TriHUG Feb: Hive on spark
trihug
 
PDF
TriHUG 3/14: HBase in Production
trihug
 
PDF
TriHUG 2/14: Apache Sentry
trihug
 
PDF
TriHUG talk on Spark and Shark
trihug
 
PPTX
Impala presentation
trihug
 
PDF
Practical pig
trihug
 
PPT
Financial services trihug
trihug
 
PPTX
TriHUG January 2012 Talk by Chris Shain
trihug
 
PPTX
TriHUG November HCatalog Talk by Alan Gates
trihug
 
PPTX
TriHUG November Pig Talk by Alan Gates
trihug
 
PPTX
MapR, Implications for Integration
trihug
 
TriHUG Feb: Hive on spark
trihug
 
TriHUG 3/14: HBase in Production
trihug
 
TriHUG 2/14: Apache Sentry
trihug
 
TriHUG talk on Spark and Shark
trihug
 
Impala presentation
trihug
 
Practical pig
trihug
 
Financial services trihug
trihug
 
TriHUG January 2012 Talk by Chris Shain
trihug
 
TriHUG November HCatalog Talk by Alan Gates
trihug
 
TriHUG November Pig Talk by Alan Gates
trihug
 
MapR, Implications for Integration
trihug
 

Recently uploaded (20)

PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PDF
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
July Patch Tuesday
Ivanti
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
PDF
Python basic programing language for automation
DanialHabibi2
 
PDF
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PDF
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
July Patch Tuesday
Ivanti
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
Newgen Beyond Frankenstein_Build vs Buy_Digital_version.pdf
darshakparmar
 
Python basic programing language for automation
DanialHabibi2
 
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 

TriHUG October: Apache Ranger

  • 1. Hadoop Data Security with Apache Ranger Biren Saini © Hortonworks Inc. 2011 – 2015. All Rights Reserved
  • 2. Page 2 © Hortonworks Inc. 2015 About me •  Biren Saini •  Senior Solutions Engineer •  Governance SME Lead •  Overall 15 years of technology experience @ Hortonworks}
  • 3. Page 3 © Hortonworks Inc. 2015 Agenda •  Hadoop Security Overview •  Apache Ranger – Introduction – Architecture – Sample Flow – Best Practices – Ranger Stacks – Demo
  • 4. Page 4 © Hortonworks Inc. 2015 Overview of Security in Hadoop
  • 5. Page 5 © Hortonworks Inc. 2015 5 Pillars of Security •  Authentication •  Authorization •  Audit •  Encryption •  Centralized Administration
  • 6. Page 6 © Hortonworks Inc. 2015 Security Tools in Hadoop world •  Kerberos (authentication) •  Apache Knox (authentication) •  AD/LDAP (authentication) •  Apache Ranger (authorization, audit, kms) •  HDFS TDE (data encryption) •  Wire Encryption (data protection)
  • 7. Page 7 © Hortonworks Inc. 2015 HDFS Typical Flow – SQL Access through Beeline client HiveServer 2 A B C Beeline Client
  • 8. Page 8 © Hortonworks Inc. 2015 HDFS Typical Flow – Authenticate through Kerberos HiveServer 2 A B C KDC Login into Hive using AD password Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Client gets service ticket for Hive Beeline Client Active Directory
  • 9. Page 9 © Hortonworks Inc. 2015 HDFS Typical Flow – Add Authorization through Apache Ranger HiveServer 2 A B C KDC Hive gets Namenode (NN) service ticket Column level access control, auditing Ranger Beeline Client File level access control Active Directory Import users/groups from LDAP Login into Hive using AD password
  • 10. Page 10 © Hortonworks Inc. 2015 HDFS Typical Flow – Firewall, Route through Knox Gateway HiveServer 2 A B C KDC Use Hive ST, submit query Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Ranger Knox gets service ticket for Hive Knox runs as proxy user using Hive ST Original request w/user id/password Client gets query result Beeline Client Apache Knox Active Directory
  • 11. Page 11 © Hortonworks Inc. 2015 HDFS Typical Flow – Add Wire and File Encryption HiveServer 2 A B C KDC Use Hive ST, submit query Hive gets Namenode (NN) service ticket Hive creates map reduce using NN ST Ranger Knox gets service ticket for Hive Knox runs as proxy user using Hive ST Original request w/user id/password Client gets query result SSL Beeline Client SSL SASL SSL SSL Apache Knox Active Directory
  • 12. Page 12 © Hortonworks Inc. 2015 Apache Ranger
  • 13. Page 13 © Hortonworks Inc. 2015 Apache Ranger •  Provides centralized policy definition for authorizing & auditing access to resources in a consistent manner. •  Supported components as of v0.5 •  HDFS •  HBase •  Hive •  YARN •  Knox •  Storm •  Solr •  Kafka
  • 14. Page 14 © Hortonworks Inc. 2015 Setup Authorization Policies 14 file level access control, flexible definition Control permissions
  • 15. Page 15 © Hortonworks Inc. 2015 Monitor through Auditing
  • 16. Page 16 © Hortonworks Inc. 2015 Agent AgentAgent AgentAgent Agent Apache Ranger authZ Architecture HBase Hive YARN Knox Storm Solr Kafka Agent HDFS Agent Administration Portal (Ranger UI) REST APIs DB SOLR HDFS Policy Server LDAP/AD user/group sync Log4j KMS Audit Server User Sync Server
  • 17. Page 17 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Agent Namenode Audit Store Ranger Policy Store Unauthorized user attempts to access the data User access is denied No Policy defined.
  • 18. Page 18 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a 1b 1d Agent Namenode Audit Store Ranger Policy Store 1c
  • 19. Page 19 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a Data scientist runs a map reduce job User Application Analysts access HDFS data through application IT users access HDFS through CLI 1b 2a 2a 2a Agent Namenode Namenode provides resource access to user/client Namenode uses Agent for Authorization2b Audit Store 2d 2c Ranger Policy Store 1d 1c
  • 20. Page 20 © Hortonworks Inc. 2015 Hadoop Cluster Sample Simplified Workflow - HDFS Policy Server Audit Server Administration Portal Admin sets policies for HDFS files/ folder1a Data scientist runs a map reduce job User Application Analysts access HDFS data through application IT users access HDFS through CLI 1b 2a 2a 2a Agent Namenode Namenode provides resource access to user/client Namenode uses Agent for Authorization2b Audit Store Admin requests the Audit report3a 3b 3c 2d 2c Ranger Policy Store 1d 1c
  • 21. Page 21 © Hortonworks Inc. 2015 Ranger UserSync Best Practice 21 •  Ensure LDAPS is used to integrate with Ranger •  Create OU ONLY for Hadoop users for performance •  Only run usersync when necessary – How much users are being added and how often – How much users are changing roles – Too much syncing can degrade LDAP performance •  Do not sync anonymously
  • 22. Page 22 © Hortonworks Inc. 2015 Ranger Audit Best Practices 22 •  HDFS – Long term storage that can be used to understand user event trends and predict anomaly •  RDBMS – When SQL is preferred by auditors – MySQL, Oracle, Postgres, SQL Server •  Solr – Nice quick reporting metrics to understand user event trends •  Log4j Appenders
  • 23. Page 23 © Hortonworks Inc. 2015 Ranger Stacks •  Apache Ranger v0.5 supports stack-model to enable easier onboarding of new components, without requiring code changes in Apache Ranger. Ranger Side Changes Define Service-type Secured Components Side Changes Develop Ranger Authorization Plugin •  Create a JSON file with following details : - Resources - Access types - Config to connect •  Load the JSON into Ranger. •  Include plugin library in the secure component. •  During initialization of the service: Init RangerBasePlugIn & RangerDefaultAuditHandler class. •  To authorize access to a resource: Use RangerAccessRequest.isAccessAllowed() •  To support resource lookup: Implement RangerBaseService.lookupResource() & RangerBaseService.validateConfig() https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
  • 24. Page 24 © Hortonworks Inc. 2015 Summary & Misc. points 24 •  All functions are available as Rest API •  Ranger integrates with AD/LDAP for ranger login as well as user sync. •  Support for High Availability (HA) •  Support for Transparent Data Encryption with KMS implementation •  Tighter integration with Apache Ambari •  Stack based implementation of Plugins •  Ranger also has the KMS for HDFS TDE. •  Some features in development are –  Spark support –  Time based authorization –  Geo Location based authorization
  • 25. Page 25 © Hortonworks Inc. 2015 Demo - HDFS Admin SamTom /demo/data/trihug /demo/data/trihugRanger UI WRITE Access denied READ Access denied 1 2 SamTom /demo/data/trihug WRITE Access allowed READ Access allowed 3 Grants access READ for Sam WRITE for Tom Ranger Plugin gets the update WRITE Access denied hdfs:hdfs rwx --- --- Elevated Privileges Restricted Privileges Directory already exists
  • 26. Page 26 © Hortonworks Inc. 2015 Demo - Hive Admin SamTom tickers eod Ranger UI WRITE Access denied READ Access denied 1 2 SamTom WRITE Access allowed READ Access to SOME COLUMNS allowed 3 Grants access READ for Sam ALL for Tom Ranger Plugin gets the update WRITE Access denied hive tables tickers eod hive tables tickers eod hive tables SOME COLUMNS READ Access to ALL COLUMNS denied Created by “hive” user in trihug schema Elevated Privileges Restricted Privileges GRANT Access allowed DB already exists
  • 27. Page 27 © Hortonworks Inc. 2015 Demo time..
  • 28. Page 28 © Hortonworks Inc. 2015 Thank you. Questions?