Security Capabilities
A secure environment is predicated on the following capabilities:
- Authentication: Restricting access to a specified set of users. Robust authentication prevents third parties from representing themselves as legitimate users.
- Authorization: Restricting an authenticated user's capabilities on the system. Flexible authorization systems enable a system to grant a user a set of capabilities that enable the user to perform desired tasks, but prevents the use of any capabilities outside of that scope.
- Encryption: Restricting an external party's ability to read data. Data transmission between nodes in a secure MapR cluster is encrypted, preventing an attacker with access to that communication from gaining information about the transmission's contents.
Authentication
- A username/password pair
- Kerberos
maprlogin
utility. When you authenticate
with a username/password pair, the system verifies credentials using Pluggable
Authentication Modules (PAM). You can configure the cluster to use any registry that has a
PAM module. MapR tickets contain the following information:- UID (generated from the UNIX user ID)
- GIDs (group IDs for each group the user belongs to)
- Ticket creation time
- Ticket expiration time (by default, 14 days)
- Renewal expiration time (by default, 30 days from date of ticket creation)
Authorization
MapR supports Hadoop Access Control Lists (ACLs) for regulating a user’s privileges on the job queue and cluster. MapR extends the ACL concept to cover volumes, a logical storage construct unique to the MapR filesystem. The M7 license level of MapR provides MapR tables, which are stored natively on the file system. Authorization for MapR tables is managed by Access Control Expressions (ACEs), a list of logical statements that intersect to define a set of users and the actions those users are authorized to perform. The MapR filesystem also supports standard POSIX filesystem permission levels to control filesystem actions.
Encryption
- The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol secures several channels of HTTP traffic.
- In compliance with the NIST standard, the Advanced Encryption Standard in Galois/Counter Mode (AES/GCM) secures several communication channels between cluster components.
- Kerberos encryption secures several communication paths elsewhere in the cluster.