Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team.

Published byMichael Perry Modified over 8 years ago

Similar presentations

Presentation on theme: "Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team."— Presentation transcript:

1 Making Apache Hadoop Secure Devaraj Das ddas@apache.org Yahoo’s Hadoop Team

2 Berlin Buzzwords 2011 Introductions Who I am –Principal Engineer at Yahoo! Sunnyvale Working on Apache Hadoop and related projects –MapReduce, Hadoop Security, HCatalog Apache Hadoop Committer/PMC member Apache HCatalog Committer

3 Berlin Buzzwords 2011 Problem Different yahoos need different data. PII versus financial Need assurance that only the right people can see data. Need to log who looked at the data. Yahoo! has more yahoos than clusters. Requires isolation or trust. Security improves ability to share clusters between groups 3

4 Berlin Buzzwords 2011 History Originally, Hadoop had no security. –Only used by small teams who trusted each other –On data all of them had access to Users and groups were added in 0.16 –Prevented accidents, but easy to bypass –hadoop fs –Dhadoop.job.ugi=joe –rmr /user/joe We needed more… 4

5 Berlin Buzzwords 2011 Why is Security Hard? Hadoop is Distributed –runs on a cluster of computers. Trust must be mutual between Hadoop Servers and the clients

6 Berlin Buzzwords 2011 Need Delegation Not just client-server, the servers access other services on behalf of others. MapReduce need to have user’s permissions –Even if the user logs out MapReduce jobs need to: –Get and keep the necessary credentials –Renew them while the job is running –Destroy them when the job finishes

7 Berlin Buzzwords 2011 Solution Prevent unauthorized HDFS access All HDFS clients must be authenticated. Including tasks running as part of MapReduce jobs And jobs submitted through Oozie. Users must also authenticate servers Otherwise fraudulent servers could steal credentials Integrate Hadoop with Kerberos Proven open source distributed authentication system. 7

8 Berlin Buzzwords 2011 Requirements Security must be optional. –Not all clusters are shared between users. Hadoop must not prompt for passwords –Makes it easy to make trojan horse versions. –Must have single sign on. Must handle the launch of a MapReduce job on 4,000 Nodes Performance / Reliability must not be compromised

9 Berlin Buzzwords 2011 Security Definitions Authentication – Who is the user? –Hadoop 0.20 completely trusted the user Sent user and groups over wire –We need it on both RPC and Web UI. Authorization – What can that user do? –HDFS had owners and permissions since 0.16. Auditing – Who did that?

10 Berlin Buzzwords 2011 Authentication RPC authentication using Java SASL (Simple Authentication and Security Layer) –Changes low-level transport –GSSAPI (supports Kerberos v5) –Digest-MD5 (needed for authentication using various Hadoop Tokens) –Simple WebUI authentication done via plugin –Yahoo! uses internal plugin, SPNEGO, etc.

11 Berlin Buzzwords 2011 Authorization HDFS –Command line and semantics unchanged MapReduce added Access Control Lists –Lists of users and groups that have access. –mapreduce.job.acl-view-job – view job –mapreduce.job.acl-modify-job – kill or modify job Code for determining group membership is pluggable. –Checked on the masters. All servlets enforce permissions.

12 Berlin Buzzwords 2011 Auditing HDFS can track access to files MapReduce can track who ran each job Provides fine grain logs of who did what With strong authentication, logs provide audit trails

13 Berlin Buzzwords 2011 Kerberos and Single Sign-on Kerberos allows user to sign in once –Obtains Ticket Granting Ticket (TGT) kinit – get a new Kerberos ticket klist – list your Kerberos tickets kdestroy – destroy your Kerberos ticket TGT’s last for 10 hours, renewable for 7 days by default –Once you have a TGT, Hadoop commands just work hadoop fs –ls / hadoop jar wordcount.jar in-dir out-dir 13

14 Berlin Buzzwords 2011 Kerberos Dataflow 14

15 Berlin Buzzwords 2011 HDFS Delegation Tokens To prevent authentication flood at the start of a job, NameNode creates delegation tokens. –Krb credentials are not passed to the JT Allows user to authenticate once and pass credentials to all tasks of a job. JobTracker automatically renews tokens while job is running. –Max lifetime of delegation tokens is 7 days. Cancels tokens when job finishes.

16 Berlin Buzzwords 2011 Other tokens…. Block Access Token –Short-lived tokens for securely accessing the DataNodes from HDFS Clients doing I/O –Generated by NameNode Job Token –For Task to TaskTracker Shuffle (HTTP) of intermediate data –For Task to TaskTracker RPC –Generated by JobTracker MapReduce Delegation Token –For accessing the JobTracker from tasks –Generated by JobTracker

17 Berlin Buzzwords 2011 Proxy-Users Oozie (and other trusted services) run operations on Hadoop clusters on behalf of other users Configure HDFS and MapReduce with the oozie user as a proxy: –Group of users that the proxy can impersonate –Which hosts they can impersonate from 17

18 Berlin Buzzwords 2011 Primary Communication Paths 18

19 Berlin Buzzwords 2011 Task Isolation Tasks now run as the user. –Via a small setuid program –Can’t signal other user’s tasks or TaskTracker –Can’t read other tasks jobconf, files, outputs, or logs Distributed cache –Public files shared between jobs and users –Private files shared between jobs

20 Berlin Buzzwords 2011 Questions? Questions should be sent to: –common/hdfs/mapreduce-user@hadoop.apache.org Security holes should be sent to: –security@hadoop.apache.org Available from –0.20.203 release of Apache Hadoop –http://svn.apache.org/repos/asf/hadoop/common/branches/bran ch-0.20-security/http://svn.apache.org/repos/asf/hadoop/common/branches/bran ch-0.20-security/ Thanks! (also thanks to Owen O’Malley for the slides)

21 Berlin Buzzwords 2011 If time permits…

22 Berlin Buzzwords 2011 Upgrading to Security Need a KDC with all of the user accounts. Need service principals for all of the servers. Need user accounts on all of the slaves If you use the default group mapping, you need user accounts on the masters too. Need to install policy files for stronger encryption for Java –http://bit.ly/dhM6qW

23 Berlin Buzzwords 2011 Mapping to Usernames Kerberos principals need to be mapped to usernames on servers. Examples: –ddas@APACHE.ORG -> ddas –jt/jobtracker.apache.org@APACHE.ORG -> mapred Operator can define translation.

Download ppt "Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
The map and reduce functions in MapReduce are easy to test in isolation, which is a consequence of their functional style. For known inputs, they produce.

The map and reduce functions in MapReduce are easy to test in isolation, which is a consequence of their functional style. For known inputs, they produce.
Cloud Computing: hadoop Security Design -2009

Cloud Computing: hadoop Security Design -2009
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Mapreduce and Hadoop Introduce Mapreduce and Hadoop

Mapreduce and Hadoop Introduce Mapreduce and Hadoop
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
A Hadoop Overview. Outline Progress Report MapReduce Programming Hadoop Cluster Overview HBase Overview Q & A.

A Hadoop Overview. Outline Progress Report MapReduce Programming Hadoop Cluster Overview HBase Overview Q & A.
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
Securing the Hadoop Ecosystem

Securing the Hadoop Ecosystem
Resource Management with YARN: YARN Past, Present and Future

Resource Management with YARN: YARN Past, Present and Future
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Securing the Borderless Network March 21, 2000 Ted Barlow.

Securing the Borderless Network March 21, 2000 Ted Barlow.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
 Need for a new processing platform (BigData)  Origin of Hadoop  What is Hadoop & what it is not ?  Hadoop architecture  Hadoop components (Common/HDFS/MapReduce)

 Need for a new processing platform (BigData)  Origin of Hadoop  What is Hadoop & what it is not ?  Hadoop architecture  Hadoop components (Common/HDFS/MapReduce)
Hortonworks. We do Hadoop.

Hortonworks. We do Hadoop.

Similar presentations

Ads by Google