Securing the Hadoop Ecosystem

Aaron T. Myers (ATM) @ Cloudera

Cloud Identity Summit, July 2013
  
Who am I?

•  Software Engineer at Cloudera
•  Hadoop Committer and PMC Member at Apache Software Foundation
•  Primarily work on Hadoop Security and HDFS
•  Masters thesis focused on systems security
  
Agenda

•  What is Hadoop?
•  Hadoop Ecosystem Interactions
•  Hadoop Authentication
•  Hadoop Authorization
•  IT Infrastructure Integration
•  The Future: Where Hadoop Security is Headed
  
Hadoop Is…

•  A distributed system
   •  Designed for massive scaling of storage and compute across many (10s-1000s) nodes
•  An ecosystem
   •  Hadoop is the kernel, apps on top are user-level programs
   •  e.g. Impala, Hive, Oozie, HBase, etc.
•  A security pain
   •  Designed to run arbitrary code submitted by users
   •  Another place where many users interact with the system
   •  Many orgs provide “Hadoop as a service”
  
Hadoop Is…

•  Not secure by default
   •  No authentication whatsoever
•  Usually behind a corporate firewall
•  Often accessed by common BI tools
   •  Tableau, SAS, Microstrategy, etc.
•  Expected to be integrated into corporate IT infra
   •  SSO, etc.
  
Hadoop on its Own

[Diagram: Hadoop on its own. Boxes: NN, SNN, JT, three DN/TT nodes, Map Task, Map Task, Reduce Task, MR client, HDFS client, WebHdfs client, HttpFS. Legend: hdfs, httpfs & mapred users; end users; protocols: RPC/data transfer/HTTP.]
  
The Hadoop Ecosystem

•  Storage
   •  HBase
   •  HDFS
•  Processing
   •  Map/Reduce
   •  YARN
•  Querying
   •  Hive, Impala (SQL)
   •  Pig (DSL)
•  Cron, workflows
   •  Oozie
•  Data ingest
   •  Flume (streaming)
   •  Sqoop (batch)
•  Live data serving
   •  HBase
•  Pipelines
   •  Crunch, Cascading
•  GUI
   •  Hue
•  Management
   •  Cloudera Manager
  
Hadoop and Friends

[Diagram: Hadoop and friends. Boxes: Hadoop, Hive Metastore, HBase, Oozie, Hue, Impala, Zookeeper, Flume, MapRed, Pig, Crunch, Cascading, Sqoop, Hive, HBase, Oozie, Impala, browser, Flume. Column labels: services, clients, clients. Link labels: RPC, HTTP, Thrift, Avro RPC, WebHdfs. Legend: service users; end users; protocols: RPCs/data/HTTP/Thrift/Avro-RPC.]
  
Authentication Details

•  Hadoop Authentication based on Kerberos
   •  Usually MIT, also Active Directory
•  End Users to services, as a user
   •  CLI & libraries: Kerberos (kinit or keytab)
   •  Web UIs: Kerberos SPNEGO & pluggable HTTP auth
•  Services to Services, as a service
   •  Credentials: Kerberos (keytab)
•  Services to Services, on behalf of a user
   •  Proxy-user (after Kerberos for service)
•  Job tasks to Services, on behalf of a user
   •  Job delegation token
  
Authorization Details

•  HDFS Data
   •  File System permissions (Unix like user/group permissions)
•  HBase Data
   •  Read/Write Access Control Lists (ACLs) at table level
•  Hive Metastore (Hive, Impala)
   •  Leverages/proxies HDFS permissions for tables & partitions
•  Hive Server (Hive, Impala) (coming)
   •  More advanced GRANT/REVOKE with ACLs for tables
•  Jobs (Hadoop, Oozie)
   •  Job ACLs for Hadoop Scheduler Queues, manage & view jobs
•  Zookeeper
   •  ACLs at znodes, authenticated & read/write
  
IT Integration: Kerberos

•  Users don’t want Yet Another Credential
•  Corp IT doesn’t want to provision thousands of service principals
•  Solution: local KDC + one-way trust
   •  Run a KDC (usually MIT Kerberos) in the cluster
   •  Put all service principals here
   •  Set up one-way trust of central corporate realm by local KDC
   •  Normal user credentials can be used to access Hadoop
  
IT Integration: Groups

•  Much of Hadoop authorization uses “groups”
   •  User ‘atm’ might belong to groups ‘analysts’, ‘eng’, etc.
•  Users’ groups are not stored in Hadoop anywhere
   •  Refers to external system to determine group membership
   •  NN/JT/Oozie/Hive servers all must perform group mapping
•  Default plugins for user/group mapping:
   •  ShellBasedUnixGroupsMapping – forks/runs `/bin/id`
   •  JniBasedUnixGroupsMapping – makes a system call
   •  LdapGroupsMapping – talks directly to an LDAP server
  
IT Integration: Kerberos + LDAP

[Diagram: Hadoop Cluster containing a Local KDC with principals hdfs/host1@HADOOP.EXAMPLE.COM, yarn/host2@HADOOP.EXAMPLE.COM, …; Central Active Directory with principals tucu@EXAMPLE.COM, atm@EXAMPLE.COM, …; cross-realm trust between the two; NN and JT with LDAP group mapping.]
  
IT Integration: Web Interfaces

•  Most web interfaces authenticate using SPNEGO
   •  Standard HTTP authentication protocol
   •  Used internally by services which communicate over HTTP
   •  Most browsers support Kerberos SPNEGO authentication
•  Hadoop components which use servlets for web interfaces can plug in custom filter
   •  Integrate with intranet SSO HTTP solution
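
An added example, not part of the original slides: a Python check that reads a `core-site.xml` and reports where a cluster still runs with the weak settings the slides above describe (no RPC authentication, web UIs without SPNEGO, wildcard proxy-users, LdapGroupsMapping over cleartext LDAP). The property names are standard Hadoop ones; the host names, both sample configurations and the finding labels are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def site_xml(props):
    """Render a dict as a Hadoop *-site.xml document (helper for the samples)."""
    body = "".join(
        f"<property><name>{escape(k)}</name><value>{escape(v)}</value></property>"
        for k, v in props.items()
    )
    return f"<configuration>{body}</configuration>"


# Constructed sample: authentication left at "simple", broad proxy-user.
WEAK = site_xml({
    "hadoop.security.authentication": "simple",
    "hadoop.security.group.mapping": "org.apache.hadoop.security.LdapGroupsMapping",
    "hadoop.security.group.mapping.ldap.url": "ldap://ad.example.com:389",
    "hadoop.proxyuser.oozie.hosts": "*",
    "hadoop.proxyuser.oozie.groups": "analysts,eng",
})

# Constructed sample: the same cluster with the settings tightened.
HARDENED = site_xml({
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.security.group.mapping": "org.apache.hadoop.security.LdapGroupsMapping",
    "hadoop.security.group.mapping.ldap.url": "ldaps://ad.example.com:636",
    "hadoop.proxyuser.oozie.hosts": "oozie1.hadoop.example.com",
    "hadoop.proxyuser.oozie.groups": "analysts,eng",
})

# Values Hadoop falls back to when a property is absent from the file.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
}

PROXYUSER = re.compile(r"^hadoop\.proxyuser\.([^.]+)\.(hosts|groups)$")
LDAP_URL = "hadoop.security.group.mapping.ldap.url"
LDAP_SSL = "hadoop.security.group.mapping.ldap.ssl"


def load_properties(xml_text):
    """Return {name: value} for every <property> in the document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(xml_text):
    """Return a sorted list of (finding_id, detail) tuples; empty means clean."""
    props = load_properties(xml_text)
    effective = dict(DEFAULTS, **props)
    findings = []

    if effective["hadoop.security.authentication"].lower() != "kerberos":
        findings.append(("AUTHN_OFF", "RPC callers are not authenticated"))
    if effective["hadoop.security.authorization"].lower() != "true":
        findings.append(("SERVICE_AUTHZ_OFF", "service-level authorization is disabled"))
    # Only the configured type is checked; a custom handler class passes.
    if effective["hadoop.http.authentication.type"].lower() == "simple":
        findings.append(("HTTP_AUTH_SIMPLE", "web UI auth type is 'simple', not SPNEGO"))

    # A proxy-user entry of '*' lets the service impersonate without restriction.
    for name, value in props.items():
        m = PROXYUSER.match(name)
        if m and "*" in [v.strip() for v in value.split(",")]:
            findings.append(("PROXYUSER_WILDCARD", f"{m.group(1)}: wildcard in {m.group(2)}"))

    # LdapGroupsMapping over ldap:// without SSL sends the bind in cleartext.
    provider = props.get("hadoop.security.group.mapping", "")
    if provider.endswith("LdapGroupsMapping"):
        url = props.get(LDAP_URL, "").lower()
        if url.startswith("ldap://") and props.get(LDAP_SSL, "false").lower() != "true":
            findings.append(("LDAP_CLEARTEXT", "group lookups use unencrypted LDAP"))

    return sorted(findings)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(doc))
```
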
  
Issues with Hadoop Security

•  SSO is poorly and not universally supported
   •  Only supported for the web interfaces, little used, etc.
•  Kerberos the only option
   •  Not all orgs comfortable administering net new Kerberos realm
•  Not well-suited for cloud deployments
   •  Need properly working reverse DNS
   •  Pain to provision KDC, distribute keytabs
•  Kerberos tough for management tools
   •  No Kerberos administrative API/protocol
  
Issues with Hadoop Security (cont.)

•  Isolation of user tasks currently requires separate local Unix accounts on all boxes
   •  Need to integrate with LDAP using PAM or something like it
•  HDFS authorization only supports Unix-style permissions
   •  Not expressive enough for some applications, e.g. Hive
  
Future Development

•  Full SSO support
   •  OAUTH the most commonly requested, first goal
•  Decouple Hadoop RPC implementation from Kerberos
   •  Make authentication system fully pluggable for custom implementations
   •  Any service which can provide bidirectional authentication
•  Improve management tools
   •  Cloudera Manager can manage more of the security infrastructure
  
Future Development (cont.)

•  Use better isolation methods for user tasks
   •  Linux containers
   •  Solaris “zones”
   •  Etc.
•  Better authorization capabilities
   •  Talk of adding ACL support to HDFS
   •  Hive Server 2 will provide rich authorization capabilities
  
Q&A

Thanks

Aaron T. Myers (ATM) @ Cloudera

Cloud Identity Summit, July 2013
  

CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Mehr von CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Kürzlich hochgeladen (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

SECURING HADOOP ECOSYSTEM

  • 1. Securing the Hadoop Ecosystem
      Aaron T. Myers (ATM) @ Cloudera
      Cloud Identity Summit, July 2013
  • 2. Who am I?
      • Software Engineer at Cloudera
      • Hadoop Committer and PMC Member at Apache Software Foundation
      • Primarily work on Hadoop Security and HDFS
      • Masters thesis focused on systems security
  • 3. Agenda
      • What is Hadoop?
      • Hadoop Ecosystem Interactions
      • Hadoop Authentication
      • Hadoop Authorization
      • IT Infrastructure Integration
      • The Future: Where Hadoop Security is Headed
  • 4. Hadoop Is…
      • A distributed system
      • Designed for massive scaling of storage and compute across many (10s-1000s) nodes
      • An ecosystem
      • Hadoop is the kernel, apps on top are user-level programs
      • e.g. Impala, Hive, Oozie, HBase, etc.
      • A security pain
      • Designed to run arbitrary code submitted by users
      • Another place where many users interact with the system
      • Many orgs provide “Hadoop as a service”
  • 5. Hadoop Is…
      • Not secure by default
      • No authentication whatsoever
      • Usually behind a corporate firewall
      • Often accessed by common BI tools
      • Tableau, SAS, Microstrategy, etc.
      • Expected to be integrated into corporate IT infra
      • SSO, etc.
  • 6. Hadoop on its Own
      [Diagram: Hadoop cluster (NN, SNN, JT, three DN/TT nodes running Map and Reduce tasks) run by the hdfs, httpfs & mapred users; end users reach it through the MR client, HttpFS, HDFS client and WebHdfs client. Protocols: RPC/data transfer/HTTP]
  • 7. The Hadoop Ecosystem
      • Storage
      • HBase
      • HDFS
      • Processing
      • Map/Reduce
      • YARN
      • Querying
      • Hive, Impala (SQL)
      • Pig (DSL)
      • Cron, workflows
      • Oozie
      • Data ingest
      • Flume (streaming)
      • Sqoop (batch)
      • Live data serving
      • HBase
      • Pipelines
      • Crunch, Cascading
      • GUI
      • Hue
      • Management
      • Cloudera Manager
  • 8. Hadoop and Friends
      [Diagram: services (Hadoop, Hive Metastore, Hbase, Oozie, Hue, Impala, Zookeeper, Flume) run by service users; clients (MapRed, Pig, Crunch, Cascading, Sqoop, Hive, Hbase, Oozie, Impala, browser, Flume) run by end users; links labelled RPC, HTTP, Thrift, Avro RPC and WebHdfs. Protocols: RPCs/data/HTTP/Thrift/Avro-RPC]
  • 9. Authentication Details
      • Hadoop Authentication based on Kerberos
      • Usually MIT, also Active Directory
      • End Users to services, as a user
      • CLI & libraries: Kerberos (kinit or keytab)
      • Web UIs: Kerberos SPNEGO & pluggable HTTP auth
      • Services to Services, as a service
      • Credentials: Kerberos (keytab)
      • Services to Services, on behalf of a user
      • Proxy-user (after Kerberos for service)
      • Job tasks to Services, on behalf of a user
      • Job delegation token
  • 10. Authorization Details
      • HDFS Data
      • File System permissions (Unix like user/group permissions)
      • HBase Data
      • Read/Write Access Control Lists (ACLs) at table level
      • Hive Metastore (Hive, Impala)
      • Leverages/proxies HDFS permissions for tables & partitions
      • Hive Server (Hive, Impala) (coming)
      • More advanced GRANT/REVOKE with ACLs for tables
      • Jobs (Hadoop, Oozie)
      • Job ACLs for Hadoop Scheduler Queues, manage & view jobs
      • Zookeeper
      • ACLs at znodes, authenticated & read/write
  • 11. IT Integration: Kerberos
      • Users don’t want Yet Another Credential
      • Corp IT doesn’t want to provision thousands of service principals
      • Solution: local KDC + one-way trust
      • Run a KDC (usually MIT Kerberos) in the cluster
      • Put all service principals here
      • Set up one-way trust of central corporate realm by local KDC
      • Normal user credentials can be used to access Hadoop
  • 12. IT Integration: Groups
      • Much of Hadoop authorization uses “groups”
      • User ‘atm’ might belong to groups ‘analysts’, ‘eng’, etc.
      • Users’ groups are not stored in Hadoop anywhere
      • Refers to external system to determine group membership
      • NN/JT/Oozie/Hive servers all must perform group mapping
      • Default plugins for user/group mapping:
      • ShellBasedUnixGroupsMapping – forks/runs `/bin/id`
      • JniBasedUnixGroupsMapping – makes a system call
      • LdapGroupsMapping – talks directly to an LDAP server
  • 13. IT Integration: Kerberos + LDAP
      [Diagram: the Hadoop cluster's local KDC holds the service principals (hdfs/host1@HADOOP.EXAMPLE.COM, yarn/host2@HADOOP.EXAMPLE.COM, …); the central Active Directory holds the user principals (tucu@EXAMPLE.COM, atm@EXAMPLE.COM, …); the two are linked by a cross-realm trust, and the NN and JT perform LDAP group mapping against the central directory]
  • 14. IT Integration: Web Interfaces
      • Most web interfaces authenticate using SPNEGO
      • Standard HTTP authentication protocol
      • Used internally by services which communicate over HTTP
      • Most browsers support Kerberos SPNEGO authentication
      • Hadoop components which use servlets for web interfaces can plug in custom filter
      • Integrate with intranet SSO HTTP solution
  • 16. Issues with Hadoop Security
      • SSO is poorly and not universally supported
      • Only supported for the web interfaces, little used, etc.
      • Kerberos the only option
      • Not all orgs comfortable administering net new Kerberos realm
      • Not well-suited for cloud deployments
      • Need properly working reverse DNS
      • Pain to provision KDC, distribute keytabs
      • Kerberos tough for management tools
      • No Kerberos administrative API/protocol
  • 17. Issues with Hadoop Security (cont.)
      • Isolation of user tasks currently requires separate local Unix accounts on all boxes
      • Need to integrate with LDAP using PAM or something like it
      • HDFS authorization only supports Unix-style permissions
      • Not expressive enough for some applications, e.g. Hive
  • 18. Future Development
      • Full SSO support
      • OAUTH the most commonly requested, first goal
      • Decouple Hadoop RPC implementation from Kerberos
      • Make authentication system fully pluggable for custom implementations
      • Any service which can provide bidirectional authentication
      • Improve management tools
      • Cloudera Manager can manage more of the security infrastructure
  • 19. Future Development (cont.)
      • Use better isolation methods for user tasks
      • Linux containers
      • Solaris “zones”
      • Etc.
      • Better authorization capabilities
      • Talk of adding ACL support to HDFS
      • Hive Server 2 will provide rich authorization capabilities
  • 21. Thanks
      Aaron T. Myers (ATM) @ Cloudera
      Cloud Identity Summit, July 2013
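The local-KDC, one-way-trust and LDAP group mapping setup from the "IT Integration" slides, as an added core-site.xml fragment (not part of the original deck). The realm names come from the slides; the LDAP host, bind DN, base DN and password file path are constructed placeholders, and the cluster hosts are assumed to use HADOOP.EXAMPLE.COM as their default realm in krb5.conf.

```xml
<?xml version="1.0"?>
<!-- core-site.xml fragment: added example, not from the original slides. -->
<configuration>

  <!-- The default value is "simple", which is the "no authentication
       whatsoever" state described on slide 5. -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

  <!-- Enforce service-level authorization on RPC calls. -->
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>

  <!-- Map principals from the trusted corporate realm to short user names,
       e.g. atm@EXAMPLE.COM becomes atm. DEFAULT only handles principals in
       the hosts' default realm (assumed here: HADOOP.EXAMPLE.COM), so a user
       from EXAMPLE.COM is rejected unless a rule like this one matches. -->
  <property>
    <name>hadoop.security.auth_to_local</name>
    <value>
      RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
      DEFAULT
    </value>
  </property>

  <!-- Resolve groups directly against the central directory instead of
       forking /bin/id on the NameNode or JobTracker host. -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <!-- constructed host name -->
    <value>ldaps://ad.example.com:636</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <!-- constructed read-only bind account -->
    <value>cn=hadoop-groups,ou=service-accounts,dc=example,dc=com</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <!-- constructed path; keep the file readable only by the service user -->
    <value>/etc/hadoop/conf/ldap-bind.password</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <!-- constructed base DN -->
    <value>dc=example,dc=com</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
    <value>(objectClass=group)</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
    <value>member</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
    <value>cn</value>
  </property>

</configuration>
```

The same mapping has to be in effect on every server that makes authorization decisions (NN, JT, Oozie, Hive), otherwise one user can resolve to different groups depending on which service is asked.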