By: Shrey Mehrotra

A form of protection where a separation is created between the assets and the threat.

Security in IT realm:

Application security

Computing security

Data security

Information security

Network security

Data : We have critical data in HDFS.

Resources : Each node of Hadoop cluster has resources required for executing applications.

Applications : Web Applications and REST APIs to access cluster details.

Services : HDFS, YARN and other services running on the cluster nodes.

Network Security : Services and Application communications over network.

Configuration

Data confidentiality

Service Level Authorization

Encryption

Authentication for Hadoop HTTP web-consoles

Delegation Tokens

Kerberos

core-site.xml

Parameter Value Notes

hadoop.security.authentication kerberossimple : No authentication. (default)

kerberos : Enable authentication by Kerberos.

hadoop.security.authorization true Enable RPC service-level authorization.

hadoop.rpc.protection authentication

authentication : authentication only (default)

integrity : integrity check in addition to authentication

privacy : data encryption in addition to integrity

hadoop.proxyuser.superuser.hosts comma separated hosts from which superuser access are allowd to impersonation. * means wildcard.

hadoop.proxyuser.superuser.groups comma separated groups to which users impersonated by superuser belongs. * means wildcard.

hdfs-site.xml

Parameter Value Notes

dfs.block.access.token.enable true Enable HDFS block access tokens for secure operations.

dfs.https.enable true This value is deprecated. Use dfs.http.policy

dfs.namenode.https-address nn_host_fqdn:50470

dfs.https.port 50470

dfs.namenode.keytab.file /etc/security/keytab/nn.service.keytab Kerberos keytab file for the NameNode.

dfs.namenode.kerberos.principal nn/_HOST@REALM.TLD Kerberos principal name for the NameNode.

dfs.namenode.kerberos.internal.spnego.principal HTTP/_HOST@REALM.TLD HTTP Kerberos principal name for the NameNode.

Superuser can submit jobs or access hdfs on behalf of another user in a secured

way.

Superuser must have kerberos credentials to be able to impersonate another user.

Ex. A superuser “bob” wants to submit job or access hdfs cluster as “alice”

//Create ugi for joe. The login user is 'super'.

UserGroupInformation ugi =

UserGroupInformation.createProxyUser(“alice", UserGroupInformation.getLoginUser());

ugi.doAs(new PrivilegedExceptionAction<Void>() {

public Void run() throws Exception {

//Submit a job

JobClient jc = new JobClient(conf);

jc.submitJob(conf);

//OR access hdfs

FileSystem fs = FileSystem.get(conf);

fs.mkdir(someFilePath);

}

}

The superuser must be configured on Namenode and ResourceManager to be

allowed to impersonate another user. Following configurations are required.

<property>

<name>hadoop.proxyuser.super.groups</name>

<value>group1,group2</value>

<description>Allow the superuser super to impersonate any members of the group group1 and group2</description>

</property>

<property>

<name>hadoop.proxyuser.super.hosts</name>

<value>host1,host2</value>

<description>The superuser can connect only from host1 and host2 to impersonate a user</description>

</property>

Initial authorization mechanism to ensure clients connecting to a particular Hadoop service have the

necessary, pre-configured, permissions and are authorized to access the given service.

For example, a MapReduce cluster can use this mechanism to allow a configured list of users/groups to

submit jobs.

By default, service-level authorization is disabled for Hadoop.

To enable it set following configuration property in core-site.xml :

<property>

<name>hadoop.security.authorization</name>

<value> true</value>

</property>

hadoop-policy.xml defines an access control list for each Hadoop service.

Every ACL has simple format, a comma separated list of users and groups separated by space.

Example: user1,user2 group1,group2.

Blocked Access Control Lists

security.client.protocol.acl security.client.protocol.acl.blocked

Refreshing Service Level Authorization Configuration

hadoop dfsadmin –refreshServiceAcl

<property>

<name>security.job.submission.protocol.acl</name>

<value>alice,bob mapreduce</value>

</property>

Allow only users alice, bob and users in the mapreduce group to submit jobs to the MapReduce cluster:

Allow only DataNodes running as the users who belong to the group datanodes to communicate with the NameNode:

<property>

<name>security.datanode.protocol.acl</name>

<value>datanodes</value>

</property>

Allow any user to talk to the HDFS cluster as a DFSClient:

<property>

<name>security.client.protocol.acl</name>

<value>*</value>

</property>

Data Encryption on RPC• The data transfered between hadoop services and clients.

• Setting hadoop.rpc.protection to "privacy" in the core-site.xml activate data encryption.

Data Encryption on Block data transfer• set dfs.encrypt.data.transfer to "true" in the hdfs-site.xml.

• set dfs.encrypt.data.transfer.algorithm to either "3des" or "rc4" to choose the specific encryption

algorithm.

• By default, 3DES is used.

Data Encryption on HTTP

• Data transfer between Web-console and clients are protected by using SSL(HTTPS).

It implements a permissions model for files and directories that shares much of the POSIX model.

User Identity

simple : In this mode of operation, the identity of a client process is determined by the host operating system.

kerberos : In Kerberized operation, the identity of a client process is determined by its Kerberos credentials.

Group Mapping

org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback

org.apache.hadoop.security.ShellBasedUnixGroupsMapping

HDFS stores the user and group of a file or directory as strings; there is no conversion from user and group identity

numbers as is conventional in Unix.

Shell Operations• hadoop fs -chmod [-R] mode file

• hadoop fs -chgrp [-R] group file

• chown [-R] [owner][:[group]] file

The Super-User

The super-user is the user with the same identity as name node process itself.

Permissions checks never fail for the super-user.

There is no persistent notion of who was the super-user

When the name node is started the process identity determines who is the super-user for now.

WebHDFS

Uses Kerberos (SPNEGO) and Hadoop delegation tokens for authentication.

An ACL provides a way to set different permissions for specific named users or named groups, not only the file's owner and

the file's group.

By default, support for ACLs is disabled.

Enable ACLs by adding the following configuration property to hdfs-site.xml and restarting the NameNode

<property>

<name>dfs.namenode.acls.enabled</name>

<value>true</value>

</property>

ACLs Shell Commands

hdfs dfs -getfacl [-R] <path>

hdfs dfs -setfacl [-R] [-b|-k -m|-x <acl_spec> <path>]|[--set <acl_spec> <path>]

-R : Recursive

-m : Modify ACL.

-b : Remove all but the base ACL entries. The entries for user, group and others are retained for compatibility

with permission bits.-k : Remove the default ACL.

-x : Remove specified ACL entries.

<acl_spec> : Comma separated list of ACL entries.

--set : Fully replace the ACL, discarding all existing entries.

hdfs dfs -ls <args>

ls will append a '+' character to the permissions string of any file or directory that has an ACL.

Source : Apache

Tokens are generated for applications, containers.

Use HMAC_ALGORITHM to generate password

for tokens.

YARN interfaces for secret manager tokensBaseNMTokenSecretManager

AMRMTokenSecretManager

BaseClientToAMTokenSecretManager

BaseContainerTokenSecretManager

Source : Hortonworks

Enable ACL check in YARN

Queues ACL

QueueACLsManager check for access of each user against the ACL defined in the queue.

Following would restrict access to the "support" queue to the users “shrey” and the

members of the “sales" group:

yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue

<property>

<name>yarn.acl.enable</name>

<value>true</value>

<property>

<property>

<name>yarn.scheduler.capacity.root.<queue-path>.acl_submit_applications</name>

<value>shrey sales</value>

<property>

<property>

<name>yarn.scheduler.capacity.root.<queue-path>.acl_administer_queue s</name>

<value>sales</value>

<property>

Services

Client

Plain Text or Encrypted

Password

Kerberos is a network authentication protocol.

It is used to authenticate the identity of the services running on different

nodes (machines) communicating over a non-secure network.

It uses “tickets” as basic unit for authentication.

Authentication ServerIt is a service used to authenticate or verify clients. It usually checks for username of the requested client

in the system

Ticket Granting Server

It generates Ticket Granting Tickets (TGTs) based on target service name, initial

ticket (if any) and authenticator.

Principles

It is the unique identity to which Kerberos could assign tickets provided by Ticket

Granting Server.

To enable Kerberos authentication in Hadoop, we need to configure following properties

in core-site.xml

<property>

<name>hadoop.security.authentication</name>

<value>kerberos</value>

<!-- Giving value as "simple" disables security.-->

</property>

<property>

<name>hadoop.security.authorization</name>

<value>true</value>

</property>

Keytab is a file containing Kerberos principals and encrypted keys. These files are used to

login directly to Kerberos without being prompted for the password.

Enabling kerberos for HDFS services:

A. Generating KeyTabCreate the hdfs keytab file that will contain the hdfs principal and HTTP principal. This keytab file is used for the

Namenode and Datanode

B. Associate KeyTab with YARN principle

kadmin: xst -norandkey -k yarn.keytab hdfs/fully.qualified.domain.name HTTP/fully.qualified.domain.name

sudo mv hdfs.keytab /etc/hadoop/conf/

<!-- Namenode security configs -->

<property>

<name>dfs.namenode.keytab.file</name>

<value>/etc/hadoop/hdfs.keytab</value>

<!-- path to the HDFS keytab -->

</property>

<property>

<name>dfs.namenode.kerberos.principal</name>

<value>hdfs/_HOST@YOUR-REALM.COM</value>

</property>

Add the following properties to the hdfs-site.xml file

<!-- Datanode security configs -->

<property>

<name>dfs.datanode.keytab.file</name>

<value>/etc/hadoop/hdfs.keytab</value>

<!-- path to the HDFS keytab -->

</property>

<property>

<name>dfs.datanode.kerberos.principal</name>

<value>hdfs/_HOST@YOUR-REALM.COM</value>

</property>