Security Architecture

Describes the default security architecture and additional authentication and encryption capabilities.

The design of the MapR security architecture takes into account the main threats to a secure cluster. By default, MapR provides basic authorization functionality and some authentication:

• Filesystem permissions: MapR-FS is a POSIX-like file system. You can set user permissions as you would on any other Linux system.
• Cluster, volume, and job queue Access Control Lists (ACLs): You can specify the actions that a given user can perform on each of these cluster elements.
• Access Control Expressions for natively stored MapR-DB tables. ACEs control which areas of the tables users or groups can access.
• Username/password login authentication to the MapR Control System (MCS) through Pluggable Access Modules (PAM). You can use any registry that has a PAM module.

Wire-level security (WLS) is disabled by default. When WLS is enabled, MapR upgrades its security to use network-safe authentication and encryption:

• Communication between the nodes in the cluster is authenticated and may be encrypted:
  • Traffic between the server and cluster, traffic within the MapR filesystem, and CLDB traffic is authenticated using network-safe tokens and may be encrypted with secure MapR RPCs.
  • Traffic between JobClients, TaskTrackers, JobTrackers, NodeManagers, and ResourceManagers is secured with MAPRSASL, an implementation of the Simple Authentication and Security Layer framework.

• Support for Kerberos user authentication.
• Support for Kerberos encryption for secure communication to open source components that require it.
• Support for the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) used with the web UI frontends of some cluster components.

Clusters with different security profiles, and client machines outside of the cluster's security realm, can communicate with the secure cluster.