SlideShare a Scribd company logo

Hadoop security

shrey mehrotra
shrey mehrotra

- Kerberos is used to authenticate Hadoop services and clients running on different nodes communicating over a non-secure network. It uses tickets for authentication. - Key configuration changes are required to enable Kerberos authentication in Hadoop including setting hadoop.security.authentication to kerberos and generating keytabs containing principal keys for HDFS services. - Services are associated with Kerberos principles using keytabs which are then configured for use by the relevant Hadoop processes and services.

1 of 31
Download to read offline
By: Shrey Mehrotra
 A form of protection where a separation is created between the assets and the threat.  Security in IT realm: Application security Computing security Data security Information security Network security
Data : We have critical data in HDFS. Resources : Each node of Hadoop cluster has resources required for executing applications. Applications : Web Applications and REST APIs to access cluster details. Services : HDFS, YARN and other services running on the cluster nodes. Network Security : Services and Application communications over network.
 Configuration  Data confidentiality  Service Level Authorization  Encryption  Authentication for Hadoop HTTP web-consoles  Delegation Tokens  Kerberos
core-site.xml Parameter Value Notes hadoop.security.authentication kerberos simple : No authentication. (default) kerberos : Enable authentication by Kerberos. hadoop.security.authorization true Enable RPC service-level authorization. hadoop.rpc.protection authentication authentication : authentication only (default) integrity : integrity check in addition to authentication privacy : data encryption in addition to integrity hadoop.proxyuser.superuser.hosts comma separated hosts from which superuser access are allowd to impersonation. * means wildcard. hadoop.proxyuser.superuser.groups comma separated groups to which users impersonated by superuser belongs. * means wildcard. hdfs-site.xml Parameter Value Notes dfs.block.access.token.enable true Enable HDFS block access tokens for secure operations. dfs.https.enable true This value is deprecated. Use dfs.http.policy dfs.namenode.https-address nn_host_fqdn:50470 dfs.https.port 50470 dfs.namenode.keytab.file /etc/security/keytab/nn.service.keytab Kerberos keytab file for the NameNode. dfs.namenode.kerberos.principal nn/_HOST@REALM.TLD Kerberos principal name for the NameNode. dfs.namenode.kerberos.internal.spnego.principal HTTP/_HOST@REALM.TLD HTTP Kerberos principal name for the NameNode.
 Superuser can submit jobs or access hdfs on behalf of another user in a secured way.  Superuser must have kerberos credentials to be able to impersonate another user. Ex. A superuser “bob” wants to submit job or access hdfs cluster as “alice” //Create ugi for joe. The login user is 'super'. UserGroupInformation ugi = UserGroupInformation.createProxyUser(“alice", UserGroupInformation.getLoginUser()); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { //Submit a job JobClient jc = new JobClient(conf); jc.submitJob(conf); //OR access hdfs FileSystem fs = FileSystem.get(conf); fs.mkdir(someFilePath); } }
 The superuser must be configured on Namenode and ResourceManager to be allowed to impersonate another user. Following configurations are required. <property> <name>hadoop.proxyuser.super.groups</name> <value>group1,group2</value> <description>Allow the superuser super to impersonate any members of the group group1 and group2</description> </property> <property> <name>hadoop.proxyuser.super.hosts</name> <value>host1,host2</value> <description>The superuser can connect only from host1 and host2 to impersonate a user</description> </property>
 Initial authorization mechanism to ensure clients connecting to a particular Hadoop service have the necessary, pre-configured, permissions and are authorized to access the given service.  For example, a MapReduce cluster can use this mechanism to allow a configured list of users/groups to submit jobs.  By default, service-level authorization is disabled for Hadoop.  To enable it set following configuration property in core-site.xml : <property> <name>hadoop.security.authorization</name> <value> true</value> </property>
 hadoop-policy.xml defines an access control list for each Hadoop service.  Every ACL has simple format, a comma separated list of users and groups separated by space. Example: user1,user2 group1,group2.  Blocked Access Control Lists security.client.protocol.acl  security.client.protocol.acl.blocked  Refreshing Service Level Authorization Configuration hadoop dfsadmin –refreshServiceAcl
<property> <name>security.job.submission.protocol.acl</name> <value>alice,bob mapreduce</value> </property>  Allow only users alice, bob and users in the mapreduce group to submit jobs to the MapReduce cluster:  Allow only DataNodes running as the users who belong to the group datanodes to communicate with the NameNode: <property> <name>security.datanode.protocol.acl</name> <value>datanodes</value> </property>  Allow any user to talk to the HDFS cluster as a DFSClient: <property> <name>security.client.protocol.acl</name> <value>*</value> </property>
 Data Encryption on RPC • The data transfered between hadoop services and clients. • Setting hadoop.rpc.protection to "privacy" in the core-site.xml activate data encryption.  Data Encryption on Block data transfer • set dfs.encrypt.data.transfer to "true" in the hdfs-site.xml. • set dfs.encrypt.data.transfer.algorithm to either "3des" or "rc4" to choose the specific encryption algorithm. • By default, 3DES is used.  Data Encryption on HTTP • Data transfer between Web-console and clients are protected by using SSL(HTTPS).
 It implements a permissions model for files and directories that shares much of the POSIX model.  User Identity  simple : In this mode of operation, the identity of a client process is determined by the host operating system.  kerberos : In Kerberized operation, the identity of a client process is determined by its Kerberos credentials.  Group Mapping  org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback  org.apache.hadoop.security.ShellBasedUnixGroupsMapping  HDFS stores the user and group of a file or directory as strings; there is no conversion from user and group identity numbers as is conventional in Unix.
 Shell Operations • hadoop fs -chmod [-R] mode file • hadoop fs -chgrp [-R] group file • chown [-R] [owner][:[group]] file  The Super-User  The super-user is the user with the same identity as name node process itself.  Permissions checks never fail for the super-user.  There is no persistent notion of who was the super-user  When the name node is started the process identity determines who is the super-user for now. WebHDFS  Uses Kerberos (SPNEGO) and Hadoop delegation tokens for authentication.
An ACL provides a way to set different permissions for specific named users or named groups, not only the file's owner and the file's group.  By default, support for ACLs is disabled.  Enable ACLs by adding the following configuration property to hdfs-site.xml and restarting the NameNode <property> <name>dfs.namenode.acls.enabled</name> <value>true</value> </property>
ACLs Shell Commands  hdfs dfs -getfacl [-R] <path>  hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>] -R : Recursive -m : Modify ACL. -b : Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits. -k : Remove the default ACL. -x : Remove specified ACL entries. <acl_spec> : Comma separated list of ACL entries. --set : Fully replace the ACL, discarding all existing entries.  hdfs dfs -ls <args> ls will append a '+' character to the permissions string of any file or directory that has an ACL.
Source : Apache
 Tokens are generated for applications, containers.  Use HMAC_ALGORITHM to generate password for tokens.  YARN interfaces for secret manager tokens BaseNMTokenSecretManager AMRMTokenSecretManager BaseClientToAMTokenSecretManager BaseContainerTokenSecretManager Source : Hortonworks
 Enable ACL check in YARN Queues ACL  QueueACLsManager check for access of each user against the ACL defined in the queue.  Following would restrict access to the "support" queue to the users “shrey” and the members of the “sales" group:  yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue <property> <name>yarn.acl.enable</name> <value>true</value> <property> <property> <name>yarn.scheduler.capacity.root.<queue-path>.acl_submit_applications</name> <value>shrey sales</value> <property> <property> <name>yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue s</name> <value>sales</value> <property>
Hadoop security
Services Client Plain Text or Encrypted Password
 Kerberos is a network authentication protocol.  It is used to authenticate the identity of the services running on different nodes (machines) communicating over a non-secure network.  It uses “tickets” as basic unit for authentication.
 Authentication Server It is a service used to authenticate or verify clients. It usually checks for username of the requested client in the system  Ticket Granting Server It generates Ticket Granting Tickets (TGTs) based on target service name, initial ticket (if any) and authenticator.  Principles It is the unique identity to which Kerberos could assign tickets provided by Ticket Granting Server.
Hadoop security
Hadoop security
Hadoop security
Hadoop security
Hadoop security
Hadoop security
To enable Kerberos authentication in Hadoop, we need to configure following properties in core-site.xml <property> <name>hadoop.security.authentication</name> <value>kerberos</value> </property> <property> <name>hadoop.security.authorization</name> <value>true</value> </property>
 Keytab is a file containing Kerberos principals and encrypted keys. These files are used to login directly to Kerberos without being prompted for the password.  Enabling kerberos for HDFS services: A. Generating KeyTab Create the hdfs keytab file that will contain the hdfs principal and HTTP principal. This keytab file is used for the Namenode and Datanode B. Associate KeyTab with YARN principle kadmin: xst -norandkey -k yarn.keytab hdfs/fully.qualified.domain.name HTTP/fully.qualified.domain.name sudo mv hdfs.keytab /etc/hadoop/conf/
<property> <name>dfs.namenode.keytab.file</name> <value>/etc/hadoop/hdfs.keytab</value> </property> <property> <name>dfs.namenode.kerberos.principal</name> <value>hdfs/_HOST@YOUR-REALM.COM</value> </property>  Add the following properties to the hdfs-site.xml file <property> <name>dfs.datanode.keytab.file</name> <value>/etc/hadoop/hdfs.keytab</value> </property> <property> <name>dfs.datanode.kerberos.principal</name> <value>hdfs/_HOST@YOUR-REALM.COM</value> </property>

More Related Content

Hadoop security

  • 2.  A form of protection where a separation is created between the assets and the threat.  Security in IT realm: Application security Computing security Data security Information security Network security
  • 3. Data : We have critical data in HDFS. Resources : Each node of Hadoop cluster has resources required for executing applications. Applications : Web Applications and REST APIs to access cluster details. Services : HDFS, YARN and other services running on the cluster nodes. Network Security : Services and Application communications over network.
  • 4.  Configuration  Data confidentiality  Service Level Authorization  Encryption  Authentication for Hadoop HTTP web-consoles  Delegation Tokens  Kerberos
  • 5. core-site.xml Parameter Value Notes hadoop.security.authentication kerberos simple : No authentication. (default) kerberos : Enable authentication by Kerberos. hadoop.security.authorization true Enable RPC service-level authorization. hadoop.rpc.protection authentication authentication : authentication only (default) integrity : integrity check in addition to authentication privacy : data encryption in addition to integrity hadoop.proxyuser.superuser.hosts comma separated hosts from which superuser access are allowd to impersonation. * means wildcard. hadoop.proxyuser.superuser.groups comma separated groups to which users impersonated by superuser belongs. * means wildcard. hdfs-site.xml Parameter Value Notes dfs.block.access.token.enable true Enable HDFS block access tokens for secure operations. dfs.https.enable true This value is deprecated. Use dfs.http.policy dfs.namenode.https-address nn_host_fqdn:50470 dfs.https.port 50470 dfs.namenode.keytab.file /etc/security/keytab/nn.service.keytab Kerberos keytab file for the NameNode. dfs.namenode.kerberos.principal nn/_HOST@REALM.TLD Kerberos principal name for the NameNode. dfs.namenode.kerberos.internal.spnego.principal HTTP/_HOST@REALM.TLD HTTP Kerberos principal name for the NameNode.
  • 6.  Superuser can submit jobs or access hdfs on behalf of another user in a secured way.  Superuser must have kerberos credentials to be able to impersonate another user. Ex. A superuser “bob” wants to submit job or access hdfs cluster as “alice” //Create ugi for joe. The login user is 'super'. UserGroupInformation ugi = UserGroupInformation.createProxyUser(“alice", UserGroupInformation.getLoginUser()); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { //Submit a job JobClient jc = new JobClient(conf); jc.submitJob(conf); //OR access hdfs FileSystem fs = FileSystem.get(conf); fs.mkdir(someFilePath); } }
  • 7.  The superuser must be configured on Namenode and ResourceManager to be allowed to impersonate another user. Following configurations are required. <property> <name>hadoop.proxyuser.super.groups</name> <value>group1,group2</value> <description>Allow the superuser super to impersonate any members of the group group1 and group2</description> </property> <property> <name>hadoop.proxyuser.super.hosts</name> <value>host1,host2</value> <description>The superuser can connect only from host1 and host2 to impersonate a user</description> </property>
  • 8.  Initial authorization mechanism to ensure clients connecting to a particular Hadoop service have the necessary, pre-configured, permissions and are authorized to access the given service.  For example, a MapReduce cluster can use this mechanism to allow a configured list of users/groups to submit jobs.  By default, service-level authorization is disabled for Hadoop.  To enable it set following configuration property in core-site.xml : <property> <name>hadoop.security.authorization</name> <value> true</value> </property>
  • 9.  hadoop-policy.xml defines an access control list for each Hadoop service.  Every ACL has simple format, a comma separated list of users and groups separated by space. Example: user1,user2 group1,group2.  Blocked Access Control Lists security.client.protocol.acl  security.client.protocol.acl.blocked  Refreshing Service Level Authorization Configuration hadoop dfsadmin –refreshServiceAcl
  • 10. <property> <name>security.job.submission.protocol.acl</name> <value>alice,bob mapreduce</value> </property>  Allow only users alice, bob and users in the mapreduce group to submit jobs to the MapReduce cluster:  Allow only DataNodes running as the users who belong to the group datanodes to communicate with the NameNode: <property> <name>security.datanode.protocol.acl</name> <value>datanodes</value> </property>  Allow any user to talk to the HDFS cluster as a DFSClient: <property> <name>security.client.protocol.acl</name> <value>*</value> </property>
  • 11.  Data Encryption on RPC • The data transfered between hadoop services and clients. • Setting hadoop.rpc.protection to "privacy" in the core-site.xml activate data encryption.  Data Encryption on Block data transfer • set dfs.encrypt.data.transfer to "true" in the hdfs-site.xml. • set dfs.encrypt.data.transfer.algorithm to either "3des" or "rc4" to choose the specific encryption algorithm. • By default, 3DES is used.  Data Encryption on HTTP • Data transfer between Web-console and clients are protected by using SSL(HTTPS).
  • 12.  It implements a permissions model for files and directories that shares much of the POSIX model.  User Identity  simple : In this mode of operation, the identity of a client process is determined by the host operating system.  kerberos : In Kerberized operation, the identity of a client process is determined by its Kerberos credentials.  Group Mapping  org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback  org.apache.hadoop.security.ShellBasedUnixGroupsMapping  HDFS stores the user and group of a file or directory as strings; there is no conversion from user and group identity numbers as is conventional in Unix.
  • 13.  Shell Operations • hadoop fs -chmod [-R] mode file • hadoop fs -chgrp [-R] group file • chown [-R] [owner][:[group]] file  The Super-User  The super-user is the user with the same identity as name node process itself.  Permissions checks never fail for the super-user.  There is no persistent notion of who was the super-user  When the name node is started the process identity determines who is the super-user for now. WebHDFS  Uses Kerberos (SPNEGO) and Hadoop delegation tokens for authentication.
  • 14. An ACL provides a way to set different permissions for specific named users or named groups, not only the file's owner and the file's group.  By default, support for ACLs is disabled.  Enable ACLs by adding the following configuration property to hdfs-site.xml and restarting the NameNode <property> <name>dfs.namenode.acls.enabled</name> <value>true</value> </property>
  • 15. ACLs Shell Commands  hdfs dfs -getfacl [-R] <path>  hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>] -R : Recursive -m : Modify ACL. -b : Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility with permission bits. -k : Remove the default ACL. -x : Remove specified ACL entries. <acl_spec> : Comma separated list of ACL entries. --set : Fully replace the ACL, discarding all existing entries.  hdfs dfs -ls <args> ls will append a '+' character to the permissions string of any file or directory that has an ACL.
  • 17.  Tokens are generated for applications, containers.  Use HMAC_ALGORITHM to generate password for tokens.  YARN interfaces for secret manager tokens BaseNMTokenSecretManager AMRMTokenSecretManager BaseClientToAMTokenSecretManager BaseContainerTokenSecretManager Source : Hortonworks
  • 18.  Enable ACL check in YARN Queues ACL  QueueACLsManager check for access of each user against the ACL defined in the queue.  Following would restrict access to the "support" queue to the users “shrey” and the members of the “sales" group:  yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue <property> <name>yarn.acl.enable</name> <value>true</value> <property> <property> <name>yarn.scheduler.capacity.root.<queue-path>.acl_submit_applications</name> <value>shrey sales</value> <property> <property> <name>yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue s</name> <value>sales</value> <property>
  • 20. Services Client Plain Text or Encrypted Password
  • 21.  Kerberos is a network authentication protocol.  It is used to authenticate the identity of the services running on different nodes (machines) communicating over a non-secure network.  It uses “tickets” as basic unit for authentication.
  • 22.  Authentication Server It is a service used to authenticate or verify clients. It usually checks for username of the requested client in the system  Ticket Granting Server It generates Ticket Granting Tickets (TGTs) based on target service name, initial ticket (if any) and authenticator.  Principles It is the unique identity to which Kerberos could assign tickets provided by Ticket Granting Server.
  • 29. To enable Kerberos authentication in Hadoop, we need to configure following properties in core-site.xml <property> <name>hadoop.security.authentication</name> <value>kerberos</value> <!-- Giving value as "simple" disables security.--> </property> <property> <name>hadoop.security.authorization</name> <value>true</value> </property>
  • 30.  Keytab is a file containing Kerberos principals and encrypted keys. These files are used to login directly to Kerberos without being prompted for the password.  Enabling kerberos for HDFS services: A. Generating KeyTab Create the hdfs keytab file that will contain the hdfs principal and HTTP principal. This keytab file is used for the Namenode and Datanode B. Associate KeyTab with YARN principle kadmin: xst -norandkey -k yarn.keytab hdfs/fully.qualified.domain.name HTTP/fully.qualified.domain.name sudo mv hdfs.keytab /etc/hadoop/conf/
  • 31. <!-- Namenode security configs --> <property> <name>dfs.namenode.keytab.file</name> <value>/etc/hadoop/hdfs.keytab</value> <!-- path to the HDFS keytab --> </property> <property> <name>dfs.namenode.kerberos.principal</name> <value>hdfs/_HOST@YOUR-REALM.COM</value> </property>  Add the following properties to the hdfs-site.xml file <!-- Datanode security configs --> <property> <name>dfs.datanode.keytab.file</name> <value>/etc/hadoop/hdfs.keytab</value> <!-- path to the HDFS keytab --> </property> <property> <name>dfs.datanode.kerberos.principal</name> <value>hdfs/_HOST@YOUR-REALM.COM</value> </property>