Security Capabilities

A secure environment is predicated on the following capabilities:

  • Authentication: Restricting access to a specified set of users. Robust authentication prevents third parties from representing themselves as legitimate users.
  • Authorization: Restricting an authenticated user's capabilities on the system. A flexible authorization system grants a user the set of capabilities needed to perform desired tasks, while preventing the use of any capabilities outside of that scope.
  • Encryption: Restricting an external party's ability to read data. Data transmission between nodes in a secure MapR cluster is encrypted, preventing an attacker with access to that communication from gaining information about the transmission's contents.

Authentication

The core component of user authentication in MapR is the ticket. A ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. Tickets are used to establish sessions between a user and the cluster. MapR supports two methods of authenticating a user and generating a ticket:
  • A username/password pair
  • Kerberos
Both methods are mediated by the maprlogin utility. When you authenticate with a username/password pair, the system verifies credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.

MapR tickets contain the following information:
  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • Ticket creation time
  • Ticket expiration time (by default, 14 days)
  • Renewal expiration time (by default, 30 days from date of ticket creation)
A MapR ticket determines the user's identity and the system uses the ticket as the basis for authorization decisions. A MapR cluster with security features enabled does not rely on the client-side operating system identity.

Authorization

MapR supports Hadoop Access Control Lists (ACLs) for regulating a user’s privileges on the job queue and cluster. MapR extends the ACL concept to cover volumes, a logical storage construct unique to the MapR filesystem. The M7 license level of MapR provides MapR tables, which are stored natively on the file system. Authorization for MapR tables is managed by Access Control Expressions (ACEs), a list of logical statements that intersect to define a set of users and the actions those users are authorized to perform. The MapR filesystem also supports standard POSIX filesystem permission levels to control filesystem actions.
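
The following added example (not MapR code) models how an authorization decision can be driven by the identity carried in a ticket rather than by the client-side operating system identity. The `Ticket` class, the `ace_allows` function, and the simplified ACE-style grammar (`u:<uid>`, `g:<gid>`, `!`, `&`, `|`, parentheses, with `&` binding tighter than `|`) are assumptions made for illustration.

```python
import re
from typing import NamedTuple

TOKEN = re.compile(r"\s*([()!&|]|[ug]:\d+)\s*")

class Ticket(NamedTuple):  # constructed model of the ticket fields listed above
    uid: int
    gids: frozenset
    expires: int           # epoch seconds; creation time + 14 days by default

def ace_allows(expr, ticket, now):
    """Fail closed: an expired ticket or an empty expression means deny."""
    if now >= ticket.expires or not expr.strip():
        return False
    toks, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad expression near {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()

    def atom():
        tok = toks.pop(0) if toks else None
        if tok == "!":
            return not atom()
        if tok == "(":
            val = either()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return val
        if tok and tok[0] in "ug":  # identity comes from the ticket only
            ids = {ticket.uid} if tok[0] == "u" else ticket.gids
            return int(tok[2:]) in ids
        raise ValueError(f"unexpected token {tok!r}")

    def chain(op, operand, combine):  # left-associative binary operator
        val = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            val = combine(operand(), val)
        return val

    both = lambda: chain("&", atom, lambda a, b: a and b)
    either = lambda: chain("|", both, lambda a, b: a or b)
    result = either()
    if toks:
        raise ValueError(f"trailing token {toks[0]!r}")
    return result
```

Malformed expressions raise `ValueError` instead of evaluating to a permissive default, so a typo in an expression cannot silently widen access.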

Encryption

MapR uses several technologies to protect network traffic:
  • The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol secures several channels of HTTP traffic.
  • In compliance with the NIST standard, the Advanced Encryption Standard in Galois/Counter Mode (AES/GCM) secures several communication channels between cluster components.
  • Kerberos encryption secures several communication paths elsewhere in the cluster.