Security Support Matrix

The tables in this section show component support for authentication, impersonation, and wire-level encryption.

Table 1 shows component support for authentication using data-fabric SASL, Kerberos, and PAM.

Table 2 shows component support for impersonation and wire-level encryption.

Table Symbols

The tables in this section use dashes to indicate non-support and directional arrows to convey inbound and outbound communication:
  • A dash (—) indicates that the feature is currently not supported, not needed, or not applicable.
  • A right arrow (A → B) means OUTBOUND from A and INBOUND to B.
  • A double arrow (A ↔ B) means OUTBOUND from A and INBOUND to B, and vice versa.
  • No arrow indicates OUTBOUND communication from the subcomponent to all components with which it communicates.

Authentication in Release 7.0.0 and Later

Table 1. Component Support for Authentication
Main Component Subcomponent Authentication
Data-Fabric SASL Kerberos PAM1
CORE COMPONENTS
Data Fabric for Kubernetes N/A
FUSE POSIX Client N/A
JobClient to Resource Manager N/A Yes Yes
Installer N/A Yes
file system FileClient C → file system Yes
FileClient Java → file system Yes Yes2
file system ↔ file system3 Yes
CLDB ↔ file system4 Yes
FileClient → CLDB4 Yes Yes2
NFSv3 → file system Yes
NFSv3 → CLDB5 Yes
HPE Ezmeral Data Fabric Database HPE Ezmeral Data Fabric Database Java Client → HPE Ezmeral Data Fabric Database6 Yes Yes2
HPE Ezmeral Data Fabric Database C Client → HPE Ezmeral Data Fabric Database6 Yes
AsyncHBase Client → HPE Ezmeral Data Fabric Database6 Yes Yes2
Hive Job Using Connector to HPE Ezmeral Data Fabric Database6 Yes
Spark Job Using Connector to HPE Ezmeral Data Fabric Database6 Yes
Client → HBase Thrift Gateway6 Yes
HBase Thrift Gateway for HPE Ezmeral Data Fabric Database (Binary)7 Yes
Client → Data Access Gateway Yes
Data Access Gateway → HPE Ezmeral Data Fabric Database (JSON) Yes
Client → HBase REST Gateway Yes Yes
HBase REST Gateway for HPE Ezmeral Data Fabric Database (Binary) Yes
HPE Ezmeral Data Fabric Streams Java Client → HPE Ezmeral Data Fabric Streams Yes
librdkafka C/C#/Python Client → HPE Ezmeral Data Fabric Streams Yes
Client → Kafka REST Gateway Yes
Kafka REST Gateway → HPE Ezmeral Data Fabric Streams Yes
REST Client → Kafka Connect Gateway Yes
Kafka Connect Gateway → HPE Ezmeral Data Fabric Streams Yes
Control System8 Control System CLI Command Yes Yes
Control System Web Command (REST Interface) Yes Yes
NFSv3 N/A
NFSv4 N/A Yes
ZooKeeper9 ZK client → ZK server Yes
ZK server ↔ ZK server Yes
BUNDLED CLIENTS10
Data Science Refinery (DSR) N/A
Persistent Application Client Container (PACC) N/A
ECOSYSTEM COMPONENTS
Airflow Airflow → HiveCLI Yes Yes Yes
Airflow → Hive Server2/Hive Metastore/HttpFS Yes Yes
Airflow → Spark/HPE Ezmeral Data Fabric Database Binary/HPE Ezmeral Data Fabric Database JSON/Livy Yes
Airflow → S3 (mapr-s3server)13
Drill11 Web client → Drillbit Partial (using SPNEGO WIP) Yes
Drillbit ↔ Drillbit Yes Yes
Java/C++ Client/JDBC/ODBC → Drillbit Yes Yes Yes
Drill → Hive Storage Plugin Yes
HBase Client → HBase Thrift Gateway Yes Yes Yes
Client → HBase REST Gateway Yes Yes Yes
Hue → HBase Thrift Yes Yes Yes
Hive HiveServer2 → Metastore Yes Yes
JDBC Client → HiveServer2 Yes Yes Yes
ODBC Client → HiveServer2 Yes Yes
WebHCat → Metastore Yes
Hive Shell → MetaStore Yes Yes
Beeline → HiveServer2 Yes Yes Yes
Client (Browser) → HiveServer2 Web UI Server Yes
REST Client → WebHCat Yes
HttpFS Client (REST) → HttpFS Yes Yes
HttpFS → file system Yes
Hue Hue → YARN Yes Yes
Hue → Oozie12 Yes Yes
Hue → HBaseThrift Yes Yes
Hue → HttpFS Yes Yes
Hue → HiveServer2 Yes Yes Yes
Hue → Livy Server Yes Yes No
KSQL KSQL → HPE Ezmeral Data Fabric Streams (Java client)
KSQL Server ↔ ZooKeeper Yes
KSQL client (KSQL CLI/REST API) ↔ KSQL server Yes Yes
KSQL Server ↔ Schema Registry Yes Yes
KSQL → Kafka Streams Yes
Kafka Schema Registry Kafka Client ↔ HPE Ezmeral Data Fabric Streams
Schema Registry Server ↔ ZooKeeper Yes
Schema Registry Client ↔ Schema Registry Server Yes Yes
Schema Registry Server ↔ Schema Registry Server Yes Yes
Kafka Streams Kafka Streams → HPE Ezmeral Data Fabric Streams (Java client)
Livy REST Client → Livy Server Yes Yes Yes
NiFi N/A Yes14
OTel TBD TBD TBD TBD
Spark Web Clients → Spark Component UI No, but uses Spark's shared secret with DIGEST-MD5
Spark Driver → Executor No, but uses Spark's shared secret with DIGEST-MD5
Spark Job Using Connector → HPE Ezmeral Data Fabric Database Yes
Spark Job Using Connector → HPE Ezmeral Data Fabric Streams Yes Yes
JDBC Client → Spark Thrift Server Yes Yes Yes
ODBC Client → Spark Thrift Server Yes Yes
YARN REST/Browser → RM/JHS/ATS Yes Yes
Internal communication (RM/NM/JHS) Yes Yes
Containers → YARN Services (RM/NM) No, but uses YARN's shared secret with DIGEST-MD5
Timeline Server Yes Yes

1 If LDAP is required, LDAP can be supported through PAM.

2 Kerberos support is provided by implicit conversion of Kerberos tickets to data-fabric tickets.

3 Payload not encrypted by default.

4 All data exchanged with CLDB is in protobufs only and hence encrypted in secure clusters.

5 Only admin ops to CLDB are audited. NFSv3 communication with CLDB is usually not admin-related.

6 Accessed through the data-fabric client, which reads security settings from /opt/mapr/conf/mapr-clusters.conf; hence, this interface follows the secure-by-default model.

7 Data-fabric SASL is supported but not enabled during installation.

8 The Control System is secure between client and webserver (API Server). The server may invoke other commands through the maprcli interface that themselves do not use secure communication.

9 HPE Ezmeral Data Fabric uses data-fabric SASL for communication with ZooKeeper.

10 Includes a FUSE POSIX client, YARN client, and other client components.

11 Support for Kerberos has not been verified, but SPNEGO can be used in conjunction with HTTPS.

12 Auditing user administration operations with Hue. Note that Oozie is deprecated. See Discontinued Ecosystem Components.

13 The Airflow-to-S3 connection is authenticated using access and secret keys generated by the maprcli s3keys generate command.

14 For more information, see NiFi Security.

Impersonation and Wire-Level Encryption in Release 7.0.0 and Later

Table 2. Component Support for Impersonation and Wire-Level Encryption
Main Component Subcomponent Impersonation Wire-Level Encryption
Data-Fabric SASL Kerberos SSL/TLS
CORE COMPONENTS
Data Fabric for Kubernetes N/A
FUSE POSIX Client N/A
JobClient to Resource Manager N/A Yes Yes Yes
Installer N/A Yes
file system FileClient C → file system Yes Yes
FileClient Java → file system Yes Yes
file system ↔ file system Yes
CLDB ↔ file system Yes
FileClient → CLDB Yes Yes
NFSv3 → file system Yes Yes
NFSv3 → CLDB Yes Yes
HPE Ezmeral Data Fabric Database HPE Ezmeral Data Fabric Database Java Client → HPE Ezmeral Data Fabric Database Yes Yes
HPE Ezmeral Data Fabric Database C Client → HPE Ezmeral Data Fabric Database Yes Yes
AsyncHBase Client → HPE Ezmeral Data Fabric Database Yes Yes
Hive Job Using Connector to HPE Ezmeral Data Fabric Database Yes Yes
Spark Job Using Connector to HPE Ezmeral Data Fabric Database Yes Yes
Client → HBase Thrift Gateway Yes
HBase Thrift Gateway for HPE Ezmeral Data Fabric Database (Binary) Yes Yes
Client → Data Access Gateway Yes
Data Access Gateway → HPE Ezmeral Data Fabric Database (JSON) Yes Yes
Client → HBase REST Gateway Yes
HBase REST Gateway for HPE Ezmeral Data Fabric Database (Binary) Yes Yes
HPE Ezmeral Data Fabric Streams Java Client → HPE Ezmeral Data Fabric Streams Yes Yes
librdkafka C/C#/Python Client → HPE Ezmeral Data Fabric Streams Yes
Client → Kafka REST Gateway Yes
Kafka REST Gateway → HPE Ezmeral Data Fabric Streams Yes Yes
REST Client → Kafka Connect Gateway Yes Yes
Kafka Connect Gateway → HPE Ezmeral Data Fabric Streams Yes
Control System Control System CLI Command Yes
Control System Web Command (REST Interface) Yes
NFSv3 N/A
NFSv4 N/A Yes
ZooKeeper ZK client → ZK server Yes
ZK server ↔ ZK server
BUNDLED CLIENTS1
Data Science Refinery (DSR) N/A
Persistent Application Client Container (PACC) N/A
ECOSYSTEM COMPONENTS
Airflow Airflow → HiveCLI Yes2 Yes Yes Yes
Airflow → Hive Server2/Hive Metastore/HttpFS Yes2 Yes Yes Yes
Airflow → Spark/HPE Ezmeral Data Fabric Database Binary/HPE Ezmeral Data Fabric Database JSON/Livy Yes2 Yes Yes
Airflow → S3 (mapr-s3server) Yes
Drill Web client → Drillbit Yes Yes
Drillbit ↔ Drillbit Yes Yes Yes
Java/C++ client → Drillbit Yes Yes Yes Yes
Drill → Hive storage plugin Yes Yes
HBase Client → HBase Thrift Gateway Yes Yes Yes Yes
Client → HBase REST Gateway Yes Yes
Hue → HBase Thrift Yes Yes Yes Yes
Hive HiveServer2 → Metastore Yes Yes Yes Yes
JDBC Client → HiveServer2 Yes Yes Yes Yes
ODBC Client → HiveServer2 Yes Yes Yes
WebHCat → Metastore Yes Yes
Hive Shell → MetaStore Yes Yes Yes
Beeline → HiveServer2 Yes Yes Yes Yes
Client (Browser) → HiveServer2 Web UI Server Yes
REST Client → WebHCat Yes Yes
HttpFS Client (REST) → HttpFS Yes Yes
HttpFS → file system Yes Yes
Hue Hue → YARN Yes Yes
Hue → Oozie3 Yes Yes
Hue → HBaseThrift Yes Yes Yes Yes
Hue → HttpFS Yes Yes
Hue → HiveServer2 Yes Yes Yes Yes
Hue → Livy Server Yes Yes
KSQL KSQL → HPE Ezmeral Data Fabric Streams (Java client) Yes
KSQL Server ↔ ZooKeeper Yes
KSQL client (KSQL CLI/REST API) ↔ KSQL server Yes Yes Yes
KSQL Server ↔ Schema Registry Yes Yes Yes
KSQL → Kafka Streams Yes Yes
Kafka Schema Registry Schema Registry Server ↔ ZooKeeper Yes
Schema Registry Client ↔ Schema Registry Server Yes Yes Yes
Schema Registry Server ↔ Schema Registry Server Yes Yes Yes
Schema Registry Server ↔ Streams for Apache Kafka Yes
Kafka Streams Kafka Streams → HPE Ezmeral Data Fabric Streams (Java client) Yes
Livy REST Client → Livy Server Yes Yes
NiFi REST/Browser → NiFi Yes Yes4 Yes
NiFi → ZooKeeper Yes Yes
NiFi → Hadoop Yes
NiFi → Kafka Yes
NiFi → Hive Yes Yes
NiFi → HBase Yes
NiFi → Object Store Yes Yes
OTel TBD TBD TBD TBD TBD
Spark Web clients → Spark Component UI Yes
Spark Driver → Executor When running Spark-on-YARN, Driver-To-Executor communication is through YARN (Hadoop protocol), so it is fully secured.
Spark Job Using Connector → HPE Ezmeral Data Fabric Database Yes
Spark Job Using Connector → HPE Ezmeral Data Fabric Streams Yes Yes
Tez Browser → Tez UI Yes
Tez UI → YARN RM Yes
Tez UI → Timeline Server Yes
Tez Containers → YARN ShuffleHandler Service Yes
YARN REST/Browser → RM/JHS/ATS Yes Yes
Internal communication (RM/NM/JHS) Yes Yes
Containers → YARN Services (RM/NM) Yes Yes
Timeline Server Yes Yes

1 Includes a FUSE POSIX client, YARN client, and other client components.

2 Airflow supports impersonation but requires a specific cluster configuration to do so. See this page.

3 Oozie is deprecated. See Discontinued Ecosystem Components.

4 For more information, see NiFi Security.