A TCloud Trender
徐啟超
WITHOUT KERBEROS
• Authorization
Ensuring the user can only do things that they are allowed to do
• Yes: Owner/Group Permission
• Authentication
Ensuring the user is who they claim to be
• NO
WITH KERBEROS
KERBEROS CONFIG BECOMING EASY
• Cloudera
• Cloudera Manager
• HDP
• Ambari – Security Wizard --- ambari-1.2.5
HADOOP GATEWAYS
[Diagram labels: client, Firewall, Gateway, Hadoop Cluster]
HADOOP GATEWAY - NOW
• Webhdfs
• REST: curl "http://GATEWAYHOST/webhdfs/v1/PATH?[user.name=USER&]op=…"
• Hadoop: hadoop fs -fs webhdfs://GATEWAYHOST:14000 -cat FILE_PATH
• Oozie
• REST API, supports direct submission of MapReduce, Pig, and Hive jobs
• Steps
• Use webhdfs to upload your files and jars
• create an oozie workflow
• Hbase
• Hbase Stargate Rest Gateway
• Hbase Thrift server
HADOOP GATEWAY - FUTURE
• Apache Knox Gateway
Provides a single point of authentication and access for Apache™ Hadoop® services in a cluster
• Integrates with the existing frameworks for Active Directory/LDAP
• Shell and REST interface support
• Currently working on kerberized cluster support
HADOOP DATA ENCRYPTION
• Disk Encryption
• Partition Encryption → dm-crypt
• File System Encryption
• Folder Encryption → eCryptfs
• Hadoop Encryption Framework
• Encrypt only what needs to be encrypted
HADOOP ENCRYPTION FRAMEWORK - API
[Diagram labels: Local File, HDFS File, encrypt/decrypt]
HADOOP ENCRYPTION FRAMEWORK - MR
[Diagram labels: HDFS File, Map, File, Reduce, HDFS File]
Encryption/decryption along the whole path (all stages)
JIRAS
• HADOOP-9331: Hadoop crypto codec framework and crypto codec implementations
• HADOOP-9332: Crypto codec implementations for AES
• HADOOP-9333: Hadoop crypto codec framework based on compression codec
• MAPREDUCE-5025: Key Distribution and Management for supporting crypto codec in Map Reduce
• HBASE-7544: Transparent table/CF encryption
Brief
• Two typical crypto cases in Hadoop
• Crypto API case: using an AES key (stored in a KeyStore) to encrypt/decrypt data
• MR CryptoContext case: encrypt the MR output
• Tool – Distcrypto
• HBase encryption
• Other related JIRAs and security key store (manager)
• TODOs
KEY STORE TOOL - KEYTOOL
A key and certificate management utility.
• Create & Store an AES key
• keytool -keystore /tmp/hbase.jks -storetype jceks -storepass 123456 -genseckey -keyalg AES -keysize 256 -alias hbase
• Create & Store an RSA Private Key
• keytool -genkey -keyalg RSA -keysize 2048 -storetype jceks -storepass 123456 -keystore privateKeyStore.jks -alias testPrivate
• Export Certificate from KeyStore to a cert file
• keytool -export -keystore privateKeyStore.jks -storetype jceks -storepass 123456 -alias testPrivate -file publicKey.crt
• Import a cert file to a KeyStore
• keytool -import -trustcacerts -file publicKey.crt -storetype jceks -storepass 123456 -alias testPublic -keystore publicKeyStore.jks
CRYPTO API CASE: USING AES KEY (STORE IN KEYSTORE) TO ENCRYPT/DECRYPT DATA
Use the Crypto API to retrieve an AES secret key from a key store file, then use that key to encrypt/decrypt data
• KeyProvider
• CryptoContext
• CryptoCodec
• Sample Code
KeyProvider - KeyStoreKeyProvider
• Retrieves a secret key from the specified key store file
• Parameters
• keyStoreUrl & password
• keyStoreType: JCE, JCEKS ……
• keyPasswordFile & sharePassword
• Initialize: keyProvider.init(String parameters)
• String parameters = "file:///etc/keystore/mapred.jks&keyStoreType=JCEKS&password=123456"
• String parameters = KeyStoreKeyProvider.getKeyStoreParameterString(fileUrl, StoreType, StorePassword, null, true);
• Get: keyProvider.getKeys(String [])
CryptoContext
• Stores key-related information
• Key Attributes
• Raw Key Data
• Key Type: SYMMETRIC_KEY, PUBLIC_KEY, PRIVATE_KEY, CERTIFICATE
• Cryptographic Algorithm: e.g. AES
• Cryptographic Length
CryptoCodec
• A wrapper that contains a CryptoContext and provides crypto I/O streams
• Major members
• CryptoContext
• Crypto IO Stream Method
• createOutputStream(……)
• createInputStream(……)
SAMPLE CODE --- FILE ENCRYPTION
SAMPLE CODE --- FILE ENCRYPTION - conti
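The flow outlined above (fetch an AES key from a JCEKS key store, then encrypt and decrypt through streams), written with JDK classes only as an added example; it is not the deck's sample code and does not use the Hadoop crypto codec API. The class name, alias, password and sample data are constructed for illustration, and `readAllBytes` needs Java 9 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeystoreFileCrypto {
    private static final int IV_LEN = 12;    // bytes; the usual GCM nonce size
    private static final int TAG_BITS = 128; // GCM authentication tag length

    // Same result as the deck's "keytool ... -storetype jceks -genseckey -keyalg AES -keysize 256".
    static void createKeyStore(Path file, char[] pass, String alias) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pass); // start from an empty store
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(pass));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, pass);
        }
    }

    // KeyProvider role: fetch the secret key stored under an alias.
    static SecretKey loadKey(Path file, char[] pass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, pass);
        }
        Key key = ks.getKey(alias, pass);
        if (!(key instanceof SecretKey)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return (SecretKey) key;
    }

    // createOutputStream role: writes a fresh random IV, then ciphertext and tag.
    static OutputStream encryptingStream(OutputStream raw, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        raw.write(iv);
        return new CipherOutputStream(raw, c);
    }

    // createInputStream role: reads the IV back, then decrypts and verifies the tag.
    static InputStream decryptingStream(InputStream raw, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new DataInputStream(raw).readFully(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherInputStream(raw, c);
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("demo", ".jks"); // constructed sample key store
        char[] pass = "placeholder-password".toCharArray(); // placeholder; prompt for it in real use
        createKeyStore(store, pass, "hbase");
        SecretKey key = loadKey(store, pass, "hbase");

        byte[] plain = "constructed sample record\n".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        try (OutputStream out = encryptingStream(sink, key)) {
            out.write(plain);
        }
        byte[] encrypted = sink.toByteArray();

        try (InputStream in = decryptingStream(new ByteArrayInputStream(encrypted), key)) {
            System.out.println("round trip ok: " + Arrays.equals(plain, in.readAllBytes()));
        }

        encrypted[encrypted.length - 1] ^= 0x01; // simulate on-disk corruption or tampering
        try (InputStream in = decryptingStream(new ByteArrayInputStream(encrypted), key)) {
            in.readAllBytes();
            System.out.println("modification NOT detected");
        } catch (IOException e) {
            System.out.println("modification detected: " + e.getMessage());
        } finally {
            Files.delete(store);
        }
    }
}
```

Using an authenticated mode (GCM here) is what makes the second read fail instead of returning altered plaintext.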
MR CRYPTOCONTEXT CASE: ENCRYPT THE MR OUTPUT
Use a provided CryptoContext to encrypt the MapReduce output
• KeyProviderConfig
• CryptoContextProvider
• Sample Code
KeyProviderConfig
• Members
• keyProvider
• keyProviderParameters
• Methods
• getKeyProvider()
• getKeyProviderParameters()
CryptoContextProvider
Provides several static helper methods to update crypto-related job configuration. For example, they store the following parameters and secrets in the secret key list of the job credentials:
• mapred.[[[STAGE]]].crypto.context.provider.parameters
• mapred.[[[STAGE]]].crypto.context.secrets
[[[STAGE]]]: input, output, map.output
Credentials credentials = jobConf.getCredentials();
credentials.addSecretKey(new Text("mapred.map.output.crypto.context.provider.parameters"), parameters);
credentials.addSecretKey(new Text("mapred.map.output.crypto.context.secrets"), secrets);
Providers:
• AbstractCryptoContextProvider
• FileMatchCryptoContextProvider
• KeyProviderCryptoContextProvider
AbstractCryptoContextProvider
• Methods
• setInputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
• setMapOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
• setOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
FileMatchCryptoContextProvider
Provides the ability to select the appropriate CryptoContext according to the file path
FileMatches fileMatches = new FileMatches(KeyContext.derive("12345678"));
fileMatches.addMatch("^.*/input1.intel_aes$", KeyContext.derive("1234"));
fileMatches.addMatch("^.*/input2.intel_aes$", KeyContext.derive("5678"));
FileMatchCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, null);
KeyProviderCryptoContextProvider
Includes the capability of FileMatchCryptoContextProvider and also provides the ability to retrieve the key from a key store
FileMatches fileMatches = new FileMatches(
    KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 128));
String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
String keyStorePassword = "12345678";
KeyProviderConfig keyProviderConfig =
    KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
    jobConf, fileMatches, true, keyProviderConfig);
SAMPLE CODE - ENCRYPT THE MR OUTPUT
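Configuration conf = new Configuration();
Job job = new Job(conf, "wordcount");
JobConf jobConf = (JobConf) job.getConfiguration();
// Write the job output through the AES codec
FileOutputFormat.setOutputCompressorClass(job, AESCodec.class);
// AESCodec.CRYPTO_COMPRESSOR takes the compression codec's class name (Snappy here)
jobConf.set(AESCodec.CRYPTO_COMPRESSOR,
    org.apache.hadoop.io.compress.SnappyCodec.class.getName());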
SAMPLE CODE - ENCRYPT THE MR OUTPUT (cont.)
FileMatches fileMatches = new FileMatches(
    KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
String keyStorePassword = "12345678";
KeyProviderConfig keyProviderConfig =
    KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
        keyStoreFile, "JCEKS", keyStorePassword, null, true);
KeyProviderCryptoContextProvider.setOutputCryptoContextProvider(
    jobConf, fileMatches, false, keyProviderConfig);
// …
job.waitForCompletion(true);
MORE IN KeyProviderCryptoContextProvider
• Using asymmetric key (RSA) to protect Parameters & Secrets
CredentialProtection credentialProtection = new CredentialProtection(
    jobConf,
    RSACredentialProtectionCodec.class,
    encryptionKeyProviderConfig, encryptionKeyName,
    decryptionKeyProviderConfig, decryptionKeyName);
KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
    jobConf,
    fileMatches,
    false,
    keyProviderConfig,
    credentialProtection);
MORE IN KeyProviderCryptoContextProvider (cont.)
• How to use a customized KeyProvider in KeyProviderCryptoContextProvider
String keyProviderParameters = KeyStoreKeyProvider.getKeyStoreParameterString(
    keyStoreFile, keyStoreType,
    keyStorePassword,
    keyStorePasswordFile,
    sharedPassword);
KeyProviderConfig keyProviderConfig = new KeyProviderConfig(
    CustomizeKeyStoreKeyProvider.class.getName(),
    keyProviderParameters);
TOOL – DISTCRYPTO
Uses a MapReduce job to encrypt, decrypt, or rotate keys for multiple files
• Usage
• -op <operation>: "encrypt", "decrypt" and "rotate"
• -ek <encryption key>
• -dk <decryption key>
• -src <source definition file>
• -dst <dest url>
• -log <log url>
TOOL – DISTCRYPTO - conti
• Source Definition File (XML format)
• src
• path
• format:
• raw
• Sequence
• the full class name of a class that implements CryptoHandler, for a customized format
• includeFilter & excludeFilter
• stripSuffix & appendSuffix
• keyClassName & valueClassName
TOOL – DISTCRYPTO - conti
• Encryption Sample
• command
• hadoop distcrypto -op encrypt -ek 21EF7D7487F69A19E552C1274A9FCAC721EF7D7487F69A19E552C1274A9FCAC7 -log /tmp/log.distcrypto.encrypt -src file:///working/crypto_encrypt.xml
• Source Definition File (crypto_encrypt.xml)
<configuration>
  <src>
    <path>/tmp/install.log</path>
    <format>raw</format>
    <appendSuffix>.encrypted</appendSuffix>
  </src>
</configuration>
• TODO: Retrieving keys from a key store is not supported --- Not Good
HBASE ENCRYPTION – HBASE-7544
• Introduces transparent encryption of HBase on-disk data.
• Transparent encryption at the CF level
• Two-tier key architecture for consistency with best practices for this feature in the RDBMS world
• Flexible and non-intrusive key rotation
[Diagram: HFile layout]
• HFile: Block 0 … Block N, Meta Block 0 … Meta Block N, File Info, Data Block Index, Meta Block Index, Fixed File Trailer
• Encryption KeyBlock Offset
• Key block data format
• 1 byte ordinal
• 4 bytes key data length
• encrypted key data
HBASE-7544 SETTINGS
1. Set up the keystore with a secret key
Create a secret key of appropriate length for AES.
$ keytool -keystore /path/to/hbase/conf/hbase.jks \
  -storetype jceks -storepass password \
  -genseckey -keyalg AES -keysize 256 \
  -alias ${USER}
Press RETURN to store the key with the same password as the store
2. Configure HBase to use the keystore
Add this to the hbase-site.xml file:
<property>
  <name>hbase.crypto.keyprovider</name>
  <value>org.apache.hadoop.io.crypto.KeyStoreKeyProvider</value>
</property>
<property>
  <name>hbase.crypto.keyprovider.parameters</name>
  <value><![CDATA[keyStoreUrl=file:///path/to/hbase/conf/hbase.jks&keyStoreType=JCEKS&password=password]]></value>
</property>
3. Create the table
$ ./bin/hbase shell
hbase(main):001:0> create 'test', {NAME=>'t', CRYPTO=>'AES', CRYPTO_KEY=>'123456'}
HBASE-7544
• CF key rotation
• The CF key is changed by modifying the column descriptor via HBaseAdmin.
• Then, major compaction is triggered either on the table at once or region by region.
• Performance
• With this AES-NI codec, the HFile read and write code paths incur an overhead roughly on par with GZIP compression for reads, and half that for writes.
OTHER RELATED JIRAS
• MAPREDUCE-4491: Encryption and Key Protection
• 4550: Key Protection: Define Encryption and Key Protection interfaces and default implementation
• 4551: Key Protection: Add ability to read keys and protect keys in JobClient and TTS/NodeManagers
• 4552: Encryption: Add support for PGP Encryption
• 4553: Key Protection: Implement KeyProvider to read key from a WebService Based KeyStore
• 5025: Key Distribution and Management for supporting crypto codec in Map Reduce
SECURITY WEB KEYSTORE SERVER
safe (http://benoyantony.github.com/safe/)
Web-service-based keystore
Supports ACL per key
Authenticates the user using SPNEGO
Based on Cloudera Alfredo, a Java library consisting of client and server components to enable Kerberos SPNEGO authentication for HTTP.
[Diagram labels: Web Server (safe (alfredo)), KDC, user, authorization, authentication, MR/HBase + WebStoreKeyProvider]
OTHER TODOs
• Hive support
• https://issues.apache.org/jira/browse/HIVE-5207
• Support data encryption for Hive tables
• https://issues.apache.org/jira/browse/HIVE-4227
• Add column level encryption to ORC files (Created: 25/Mar/13 17:14)
• Pig support
• https://issues.apache.org/jira/browse/PIG-3289
• Encryption aware load and store functions
Q & A

MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
 
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
 

Mehr von tcloudcomputing-tw

Session 4 - News from ACS Community
Session 4 - News from ACS CommunitySession 4 - News from ACS Community
Session 4 - News from ACS Communitytcloudcomputing-tw
 
Session 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CISession 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CItcloudcomputing-tw
 
Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)tcloudcomputing-tw
 
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)tcloudcomputing-tw
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3tcloudcomputing-tw
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2tcloudcomputing-tw
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-22012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2tcloudcomputing-tw
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1tcloudcomputing-tw
 

Mehr von tcloudcomputing-tw (9)

Session 4 - News from ACS Community
Session 4 - News from ACS CommunitySession 4 - News from ACS Community
Session 4 - News from ACS Community
 
Session 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CISession 3 - CloudStack Test Automation and CI
Session 3 - CloudStack Test Automation and CI
 
Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)Session 2 - CloudStack Usage and Application (2013.Q3)
Session 2 - CloudStack Usage and Application (2013.Q3)
 
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
Session 1 - CloudStack Plugin Structure and Implementation (2013.Q3)
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q3
 
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
Tcloud Computing Hadoop Family and Ecosystem Service 2013.Q2
 
Hadoop Family and Ecosystem
Hadoop Family and EcosystemHadoop Family and Ecosystem
Hadoop Family and Ecosystem
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-22012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-2
 
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-12012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
2012 CloudStack Design Camp in Taiwan--- CloudStack Overview-1
 

Kürzlich hochgeladen

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Secure Hadoop Data with Encryption and Kerberos

  • 4. WITHOUT KERBEROS
    • Authorization: ensuring the user can only do things that they are allowed to do
      • Yes: owner/group permission
    • Authentication: ensuring the user is who they claim to be
      • NO
  • 7. KERBEROS CONFIG BECOMING EASY
    • Cloudera
      • Cloudera Manager
    • HDP
      • Ambari – Security Wizard --- ambari-1.2.5
  • 10. HADOOP GATEWAY - NOW
    • WebHDFS
      • REST: curl "http://GATEWAYHOST/webhdfs/v1/PATH?[user.name=USER&]op=…"
      • Hadoop: hadoop fs -fs webhdfs://GATEWAYHOST:14000 -cat FILE_PATH
    • Oozie
      • REST API, supports direct submission of MapReduce, Pig, and Hive jobs
      • Steps
        • Use WebHDFS to upload your files and jars
        • Create an Oozie workflow
    • HBase
      • HBase Stargate REST gateway
      • HBase Thrift server
  • 11. HADOOP GATEWAY - FUTURE
    • Apache Knox Gateway
      Provides a single point of authentication and access for Apache™ Hadoop® services in a cluster
  • 12. HADOOP GATEWAY - FUTURE
    • Apache Knox Gateway
      • Integrates with the existing frameworks for Active Directory / LDAP
      • Shell and REST interface support
      • Currently working on kerberized cluster support
  • 14. HADOOP DATA ENCRYPTION
    • Disk encryption
      • Partition encryption: dm-crypt
    • File system encryption
      • Folder encryption: eCryptfs
    • Hadoop Encryption Framework
      • Encrypt only what needs to be encrypted
  • 15. HADOOP ENCRYPTION FRAMEWORK - API
    [Diagram labels: Local File, HDFS, encrypt/decrypt; HDFS File, HDFS, encrypt/decrypt]
  • 16. HADOOP ENCRYPTION FRAMEWORK - MR
    [Diagram labels: HDFS File, Map, File, Reduce, HDFS File. Caption: Encryption/Decryption All the Path (Stages)]
  • 17. JIRAS
    • HADOOP-9331: Hadoop crypto codec framework and crypto codec implementations
    • HADOOP-9332: Crypto codec implementations for AES
    • HADOOP-9333: Hadoop crypto codec framework based on compression codec
    • MAPREDUCE-5025: Key Distribution and Management for supporting crypto codec in Map Reduce
    • HBASE-7544: Transparent table/CF encryption
  • 18. Brief
    • Two typical crypto cases in Hadoop
      • Crypto API case: using an AES key (stored in a KeyStore) to encrypt/decrypt data
      • MR CryptoContext case: encrypt the MR output
    • Tool – Distcrypto
    • HBase encryption
    • Other related JIRAs and security key store (manager)
    • TODOs
  • 19. KEY STORE TOOL - KEYTOOL
    A key and certificate management utility.
    • Create & store an AES key
        keytool -keystore /tmp/hbase.jks -storetype jceks -storepass 123456 -genseckey -keyalg AES -keysize 256 -alias hbase
    • Create & store an RSA private key
        keytool -genkey -keyalg RSA -keysize 2048 -storetype jceks -storepass 123456 -keystore privateKeyStore.jks -alias testPrivate
    • Export a certificate from a KeyStore to a cert file
        keytool -export -keystore privateKeyStore.jks -storetype jceks -storepass 123456 -alias testPrivate -file publicKey.crt
    • Import a cert file into a KeyStore
        keytool -import -trustcacerts -file publicKey.crt -storetype jceks -storepass 123456 -alias testPublic -keystore publicKeyStore.jks
  • 20. CRYPTO API CASE: USING AES KEY (STORE IN KEYSTORE) TO ENCRYPT/DECRYPT DATA
  • 21. CRYPTO API CASE: USING AES KEY (STORE IN KEYSTORE) TO ENCRYPT/DECRYPT DATA
    Use the Crypto API to retrieve an AES secret key from a key store file and use the key to encrypt/decrypt data
    • KeyProvider
    • CryptoContext
    • CryptoCodec
    • Sample code
  • 22. KeyProvider - KeyStoreKeyProvider
    • Retrieves a secret key from the specified key store file
    • Parameters
      • keyStoreUrl & password
      • keyStoreType: JCE, JCEKS ……
      • keyPasswordFile & sharePassword
    • Initial: keyProvider.init(String parameters)
      • String parameters = "file:///etc/keystore/mapred.jks&keyStoreType=JCEKS&password=123456";
      • String parameters = KeyStoreKeyProvider.getKeyStoreParameterString(fileUrl, StoreType, StorePassword, null, true);
    • Get: keyProvider.getKeys(String [])
  • 23. CryptoContext
    • Stores key-related info
    • Key attributes
      • Raw key data
      • Key type: SYMMETRIC_KEY, PUBLIC_KEY, PRIVATE_KEY, CERTIFICATE
      • Cryptographic algorithm: e.g. AES
      • Cryptographic length
  • 24. CryptoCodec
    • A wrapper that contains a CryptoContext and provides crypto I/O streams
    • Major members
      • CryptoContext
      • Crypto I/O stream methods
        • createOutputStream(……)
        • createInputStream(……)
  • 25. SAMPLE CODE --- FILE ENCRYPTION
  • 26. SAMPLE CODE --- FILE ENCRYPTION - conti
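An added example, not the presenter's sample code and not the HADOOP-9331 API: the flow of slides 19-24 (AES key held in a JCEKS keystore, then encrypting and decrypting through wrapped I/O streams) written with JDK classes only. The class and method names, the AES-GCM mode, the IV-prefix layout and the in-memory keystore are assumptions of this sketch; it needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class KeyStoreAesStreamDemo {
    private static final int IV_LEN = 12;    // 96-bit GCM nonce, fresh for every stream
    private static final int TAG_BITS = 128; // GCM authentication tag length

    /** In-memory equivalent of `keytool -storetype jceks -genseckey -keyalg AES -keysize 256`. */
    static byte[] createKeyStore(String alias, char[] password) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        KeyStore store = KeyStore.getInstance("JCEKS");
        store.load(null, password); // start from an empty keystore
        store.setEntry(alias, new KeyStore.SecretKeyEntry(generator.generateKey()),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        store.store(out, password);
        return out.toByteArray();
    }

    /** Role of a key provider: open the keystore and return the secret key stored under the alias. */
    static SecretKey loadKey(byte[] keyStoreBytes, String alias, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JCEKS");
        store.load(new ByteArrayInputStream(keyStoreBytes), password);
        Key key = store.getKey(alias, password);
        if (!(key instanceof SecretKey)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return (SecretKey) key;
    }

    /** Role of createOutputStream: write a fresh IV, then encrypt everything written afterwards. */
    static OutputStream encryptingStream(SecretKey key, OutputStream sink) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        sink.write(iv);
        return new CipherOutputStream(sink, cipher);
    }

    /** Role of createInputStream: read the IV prefix, then decrypt and authenticate the rest. */
    static InputStream decryptingStream(SecretKey key, InputStream source) throws Exception {
        byte[] iv = source.readNBytes(IV_LEN);
        if (iv.length != IV_LEN) {
            throw new EOFException("input shorter than the IV prefix");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new CipherInputStream(source, cipher);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password".toCharArray(); // constructed value
        byte[] keyStoreBytes = createKeyStore("hbase", password);
        SecretKey key = loadKey(keyStoreBytes, "hbase", password);

        byte[] plain = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream file = new ByteArrayOutputStream();
        try (OutputStream out = encryptingStream(key, file)) {
            out.write(plain);
        }
        byte[] stored = file.toByteArray(); // IV || ciphertext || tag

        try (InputStream in = decryptingStream(key, new ByteArrayInputStream(stored))) {
            if (!Arrays.equals(plain, in.readAllBytes())) {
                throw new AssertionError("round trip failed");
            }
        }
        System.out.println("round trip ok, stored bytes: " + stored.length);

        stored[stored.length - 1] ^= 1; // flip one bit of the authentication tag
        try (InputStream in = decryptingStream(key, new ByteArrayInputStream(stored))) {
            in.readAllBytes();
            throw new AssertionError("tampering was not detected");
        } catch (IOException expected) {
            System.out.println("tampered ciphertext rejected");
        }
    }
}
```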
  • 28. MR CRYPTOCONTEXT CASE: ENCRYPT THE MR OUTPUT
    Use the provided CryptoContext to encrypt the MapReduce output
    • KeyProviderConfig
    • CryptoContextProvider
    • Sample code
  • 29. KeyProviderConfig
    • Members
      • keyProvider
      • keyProviderParameters
    • Methods
      • getKeyProvider()
      • getKeyProviderParameters()
  • 30. CryptoContextProvider
    Provides several static helper methods to update crypto-related job configurations. For example, it stores the following parameters and secrets in the job credentials, in the secret key list:
    • mapred.[[[STAGE]]].crypto.context.provider.parameters
    • mapred.[[[STAGE]]].crypto.context.secrets
    [[[STAGE]]]: input, output, map.output
    • AbstractCryptoContextProvider
    • FileMatchCryptoContextProvider
    • KeyProviderCryptoContextProvider
        Credentials credentials = jobConf.getCredentials();
        credentials.addSecretKey(new Text("mapred.map.output.crypto.context.provider.parameters"), parameters);
        credentials.addSecretKey(new Text("mapred.map.output.crypto.context.secrets"), secrets);
  • 31. AbstractCryptoContextProvider
    • Methods
      • setInputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
      • setMapOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
      • setOutputCryptoContextProvider(jobConf, cryptoContextProviderClass, secrets, parameters)
  • 32. FileMatchCryptoContextProvider
    Provides the ability to select the appropriate CryptoContext according to the file path.
        FileMatches fileMatches = new FileMatches(KeyContext.derive("12345678"));
        fileMatches.addMatch("^.*/input1.intel_aes$", KeyContext.derive("1234"));
        fileMatches.addMatch("^.*/input2.intel_aes$", KeyContext.derive("5678"));
        FileMatchCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, null);
  • 33. KeyProviderCryptoContextProvider
    In addition to the capability of FileMatchCryptoContextProvider, it can also retrieve the key from a key store.
        FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 128));
        String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
        String keyStorePassword = "12345678";
        KeyProviderConfig keyProviderConfig = KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
            keyStoreFile, "JCEKS", keyStorePassword, null, true);
        KeyProviderCryptoContextProvider.setInputCryptoContextProvider(jobConf, fileMatches, true, keyProviderConfig);
  • 34-35. SAMPLE CODE - ENCRYPT THE MR OUTPUT
        Configuration conf = new Configuration();
        Job job = new Job(conf, "wordcount");
        JobConf jobConf = (JobConf) job.getConfiguration();
        // Encrypt the job output with the AES codec, compressing with Snappy first
        FileOutputFormat.setOutputCompressorClass(job, AESCodec.class);
        // Configuration values are strings, so the codec class name is passed as one
        jobConf.set(AESCodec.CRYPTO_COMPRESSOR, "org.apache.hadoop.io.compress.SnappyCodec");
  • 36-38. SAMPLE CODE - ENCRYPT THE MR OUTPUT - Conti
        // Refer to the 256-bit AES key stored under the name KEY00
        FileMatches fileMatches = new FileMatches(KeyContext.refer("KEY00", Key.KeyType.SYMMETRIC_KEY, "AES", 256));
        String keyStoreFile = "file:///" + KEYSTORE_HOME + "/mr.jks";
        String keyStorePassword = "12345678";
        KeyProviderConfig keyProviderConfig = KeyProviderCryptoContextProvider.getKeyStoreKeyProviderConfig(
            keyStoreFile, "JCEKS", keyStorePassword, null, true);
        KeyProviderCryptoContextProvider.setOutputCryptoContextProvider(jobConf, fileMatches, false, keyProviderConfig);
        …….
        job.waitForCompletion(true);
  • 39-40. MORE IN KeyProviderCryptoContextProvider
    • Using an asymmetric key (RSA) to protect parameters & secrets
        CredentialProtection credentialProtection = new CredentialProtection(jobConf,
            RSACredentialProtectionCodec.class,
            encryptionKeyProviderConfig, encryptionKeyName,
            decryptionKeyProviderConfig, decryptionKeyName);
        KeyProviderCryptoContextProvider.setInputCryptoContextProvider(
            jobConf, fileMatches, false, keyProviderConfig, credentialProtection);
  • 41. MORE IN KeyProviderCryptoContextProvider - Conti
    • How to use a customized KeyProvider in KeyProviderCryptoContextProvider
        String keyProviderParameters = KeyStoreKeyProvider.getKeyStoreParameterString(
            keyStoreFile, keyStoreType, keyStorePassword, keyStorePasswordFile, sharedPassword);
        KeyProviderConfig keyProviderConfig = new KeyProviderConfig(
            CustomizeKeyStoreKeyProvider.class.getName(), keyProviderParameters);
  • 42. TOOL – DISTCRYPTO
    Uses a MapReduce job to encrypt, decrypt, or rotate keys for multiple files
    • Usage
      • -op <operation>: "encrypt", "decrypt" and "rotate"
      • -ek <encryption key>
      • -dk <decryption key>
      • -src <source definition file>
      • -dst <dest url>
      • -log <log url>
  • 43. TOOL – DISTCRYPTO - conti
    • Source definition file (XML format)
      • src
        • path
        • format:
          • raw
          • Sequence
          • the full class name of a class which implements CryptoHandler, for a customized format
        • includeFilter & excludeFilter
        • stripSuffix & appendSuffix
        • keyClassName & valueClassName
  • 44. TOOL – DISTCRYPTO - conti
    • Encryption sample
      • Command
          hadoop distcrypto -op encrypt -ek 21EF7D7487F69A19E552C1274A9FCAC721EF7D7487F69A19E552C1274A9FCAC7 -log /tmp/log.distcrypto.encrypt -src file:///working/crypto_encrypt.xml
      • Source definition file (crypto_encrypt.xml)
          <configuration>
            <src>
              <path>/tmp/install.log</path>
              <format>raw</format>
              <appendSuffix>.encrypted</appendSuffix>
            </src>
          </configuration>
    • TODO: retrieving keys from a key store is not supported (not good)
  • 46. HBASE ENCRYPTION – HBASE-7544
    • Introduces transparent encryption of HBase on-disk data
    • Transparent encryption at the CF level
    • Two-tier key architecture for consistency with best practices for this feature in the RDBMS world
    • Flexible and non-intrusive key rotation
  • 47. HBASE ENCRYPTION – HBASE-7544
  • 48. HBASE ENCRYPTION – HBASE-7544
    [Diagram labels, HFile: Block 0 …… Block N, Meta Block 0 …… Meta Block N, File Info, Data Block Index, Meta Block Index, Fixed File Trailer; Encryption KeyBlock Offset]
    • Key block data format
      • 1 byte ordinal
      • 4 bytes key data length
      • encrypted key data
  • 49. HBASE-7544 SETTINGS
    1. Set up the keystore with a secret key
       Create a secret key of appropriate length for AES.
         $ keytool -keystore /path/to/hbase/conf/hbase.jks -storetype jceks -storepass password -genseckey -keyalg AES -keysize 256 -alias ${USER}
       Press RETURN to store the key with the same password as the store.
  • 50. HBASE-7544 SETTINGS
    2. Configure HBase to use the keystore
       Add this to the hbase-site.xml file:
         <property>
           <name>hbase.crypto.keyprovider</name>
           <value>org.apache.hadoop.io.crypto.KeyStoreKeyProvider</value>
         </property>
         <property>
           <name>hbase.crypto.keyprovider.parameters</name>
           <value><![CDATA[keyStoreUrl=file:///path/to/hbase/conf/hbase.jks&keyStoreType=JCEKS&password=password]]></value>
         </property>
  • 51. HBASE-7544 SETTINGS
    3. Create the table
         $ ./bin/hbase shell
         hbase(main):001:0> create 'test', {NAME=>'t', CRYPTO=>'AES', CRYPTO_KEY=>'123456'}
  • 52. HBASE-7544
    • CF key rotation
      • The CF key is changed by modifying the column descriptor via HBaseAdmin.
      • Then, major compaction is triggered either on the whole table at once or region by region.
    • Performance
      • With this AES-NI codec, the HFile read and write code paths incur an overhead roughly on par with GZIP compression for reads, and half that for writes.
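An added example, not code from HBASE-7544: the two-tier key idea of slide 46 combined with the key block layout of slide 48 (1 byte ordinal, 4 bytes key data length, encrypted key data), with a parser that rejects malformed blocks. The slides do not give the wrapping algorithm, the byte order or the meaning of the ordinal, so AES Key Wrap (JDK "AESWrap"), a big-endian length, an opaque ordinal, the size bound and all names here are assumptions; it needs Java 17 or later.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyBlockDemo {
    static final int HEADER_LEN = 1 + 4;       // ordinal + key data length
    static final int MAX_KEY_DATA_LEN = 1024;  // assumed sanity bound, not from the slides

    /** Parsed key block; the ordinal is carried as an opaque value. */
    record KeyBlock(int ordinal, byte[] encryptedKey) {}

    /** Serialize: 1 byte ordinal, 4 bytes length (big-endian assumed), encrypted key data. */
    static byte[] encode(int ordinal, byte[] encryptedKey) {
        if (ordinal < 0 || ordinal > 0xFF) {
            throw new IllegalArgumentException("ordinal must fit in one byte");
        }
        return ByteBuffer.allocate(HEADER_LEN + encryptedKey.length)
                .put((byte) ordinal).putInt(encryptedKey.length).put(encryptedKey).array();
    }

    /** Parse one key block, refusing truncated input and lengths that disagree with the data. */
    static KeyBlock decode(byte[] block) {
        if (block.length < HEADER_LEN) {
            throw new IllegalArgumentException("key block shorter than its header");
        }
        ByteBuffer buffer = ByteBuffer.wrap(block); // ByteBuffer is big-endian by default
        int ordinal = buffer.get() & 0xFF;
        int length = buffer.getInt();
        if (length <= 0 || length > MAX_KEY_DATA_LEN || length != buffer.remaining()) {
            throw new IllegalArgumentException("declared key data length " + length
                    + " does not match " + buffer.remaining() + " remaining bytes");
        }
        byte[] encryptedKey = new byte[length];
        buffer.get(encryptedKey);
        return new KeyBlock(ordinal, encryptedKey);
    }

    /** Tier 1 protects tier 2: the master key wraps the per-column-family data key. */
    static byte[] wrap(SecretKey masterKey, SecretKey dataKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AESWrap");
        cipher.init(Cipher.WRAP_MODE, masterKey);
        return cipher.wrap(dataKey);
    }

    static SecretKey unwrap(SecretKey masterKey, byte[] wrapped) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AESWrap");
        cipher.init(Cipher.UNWRAP_MODE, masterKey);
        return (SecretKey) cipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    static void check(boolean condition, String what) {
        if (!condition) throw new IllegalStateException("check failed: " + what);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey masterKey = generator.generateKey(); // would live in the keystore
        SecretKey dataKey = generator.generateKey();   // would encrypt the file's blocks
        int ordinal = 1;                               // constructed value

        byte[] block = encode(ordinal, wrap(masterKey, dataKey));
        SecretKey recovered = unwrap(masterKey, decode(block).encryptedKey());
        check(Arrays.equals(dataKey.getEncoded(), recovered.getEncoded()), "round trip");
        System.out.println("key block bytes: " + block.length);

        // Replacing the master key only rewrites the small key block, not the data blocks.
        SecretKey newMasterKey = generator.generateKey();
        byte[] rewrapped = encode(ordinal, wrap(newMasterKey, recovered));
        check(Arrays.equals(dataKey.getEncoded(),
                unwrap(newMasterKey, decode(rewrapped).encryptedKey()).getEncoded()), "re-wrap");
        try {
            unwrap(masterKey, decode(rewrapped).encryptedKey());
            check(false, "old master key must not unwrap the re-wrapped block");
        } catch (GeneralSecurityException expected) {
            System.out.println("old master key rejected");
        }

        try {
            decode(Arrays.copyOf(block, block.length - 3)); // constructed truncated block
            check(false, "truncated block must be rejected");
        } catch (IllegalArgumentException expected) {
            System.out.println("truncated key block rejected");
        }
    }
}
```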
  • 53. OTHER RELATED JIRAS
    • MAPREDUCE-4491: Encryption and Key Protection
    • 4550: Key Protection: Define Encryption and Key Protection interfaces and default implementation
    • 4551: Key Protection: Add ability to read keys and protect keys in JobClient and TTS/NodeManagers
    • 4552: Encryption: Add support for PGP Encryption
    • 4553: Key Protection: Implement KeyProvider to read key from a WebService Based KeyStore
    • 5025: Key Distribution and Management for supporting crypto codec in Map Reduce
  • 54. SECURITY WEB KEYSTORE SERVER
    safe (http://benoyantony.github.com/safe/)
    • Web-service-based keystore
    • Supports an ACL per key
    • Authenticates the user using SPNEGO
    • Based on Cloudera Alfredo, a Java library consisting of client and server components to enable Kerberos SPNEGO authentication for HTTP
    [Diagram labels: MR/HBase + WebStoreKeyProvider; Web server (safe (alfredo)); KDC; user; authorization; authentication]
  • 55. OTHER TODOs
    • Hive support
      • https://issues.apache.org/jira/browse/HIVE-5207
        • Support data encryption for Hive tables
      • https://issues.apache.org/jira/browse/HIVE-4227
        • Add column level encryption to ORC files (Created: 25/Mar/13 17:14)
    • Pig support
      • https://issues.apache.org/jira/browse/PIG-3289
        • Encryption aware load and store functions
  • 56. Q & A