Configuring Data-Fabric Security

Provides usage information for frequently used security functionality, including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet allowlisting.

NOTE Release 6.1 makes it easier to secure new data-fabric installations. See Using the Enable Secure Cluster Option in the Installer.

Wired encryption and authentication (including impersonation) for the data-fabric platform and for all supported ecosystem products are enabled on all new installations through Installer. Alternatively, enable security manually by running the configure.sh command with the -secure option.

Enable security features at any time, but additional configuration is required for the individual components to work with security enabled. This section discusses initial configuration of a secure cluster as well as other forms of security.

The following access control elements are available irrespective of whether security features are enabled for your cluster. After security features are enabled, these elements benefit from encrypted traffic within the cluster and strong authentication to the cluster.

  • ACLs for the cluster, the volumes in the cluster, and the MapReduce application queue
  • Access Control Expression (ACE)s control user permissions for directories, files, and HPE Ezmeral Data Fabric Database tables that are stored natively
  • File permissions for objects in the file system layer
  • Subnet allowlisting restricts access to the cluster's FileServer service

On clusters with security features enabled, ecosystem components may require additional configuration. For example, Hive functionality has different security requirements depending on the interaction between the HiveServer2 component, the Hive command-line interface, and the Hive metastore.

See the Security Support Matrix for more information about supported security options for Ecosystem components. See the specific Ecosystem component in Ecosystem Components for information on security configuration.

See Security Vulnerabilities for a list of known vulnerabilities.

Verifying if Files Needed for Security are Present

When you run configure.sh with the -secure option, the following files are automatically created in the /opt/mapr/conf directory. To ensure that security is properly configured, navigate to the /opt/mapr/conf directory and verify that the files are present.

Master value controlling the cluster secure or non-secure state
File or command: /opt/mapr/conf/mapr-clusters.conf

maprcli dashboard info -cluster <clusterName> -json | grep secure

Default secure setting: secure=true
Alternate possible values/notes: secure=false disables security on restarting the cluster.
Data-fabric service account
File or command: sudo passwd -S mapr
Default secure setting: Site Specific Password.
Alternate possible values/notes: No password. Use su to access.
CLDB key file
File or command: /opt/mapr/conf/cldb.key
Default secure setting: Created at install. Do not change.
Alternate possible values/notes: Must exist on all CLDB nodes and be identical.
Server ticket
File or command: /opt/mapr/conf/maprserverticket
Default secure setting: Created at install, do not change.
Alternate possible values/notes: Must exist on all cluster nodes and be identical.
User ticket
File or command: /opt/mapr/conf/mapruserticket
Default secure setting: Created at install, do not change.
Alternate possible values/notes: Must exist on all cluster nodes and be identical. This ticket is owned and used by the service account as needed.
SSL keys
File or command: /opt/mapr/conf/ssl_truststore

/opt/mapr/conf/ssl_keystore

Default secure setting: Created at install, and should rarely change. These keys are used by web and REST HTTPS interfaces.
Alternate possible values/notes: How to import CA (Certificate Authority) signed certificates to Ezmeral Data Fabric 7.
Java (JAAS) authentication service settings
File or command: /opt/mapr/conf/mapr.login.conf
Default secure setting: Created at install. Do not change.
Alternate possible values/notes: Must exist on all cluster nodes and be identical.
Roles for use with ACEs
File or command: /opt/mapr/conf/m7_permissions_roles_refimpl.conf
Default secure setting: Specific roles defined using automation.
Alternate possible values/notes: Use should be deprecated. Linux groups are a much better method, centralized and consistent with enterprise standards.
Default security settings for some data-fabric services
File or command: /opt/mapr/conf/env.sh
Default secure setting: Created at install, do not change.
Alternate possible values/notes: Must exist on all cluster nodes and be identical. View the list of settings by using this command: grep -i secure env.sh
ZooKeeper security setting
File or command: /opt/mapr/zookeeper/zookeeper-$zkver/conf/zoo.cfg
Default secure setting: authMech=MAPR-SECURITYauthProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvide
Alternate possible values/notes: authMech=SIMPLE-SECURITY
JMX remote access (debug and metrics monitoring)
File or command: /opt/mapr/conf/jmxremote.{access,password}
Default secure setting: read-only and with the password limited to the data-fabric service account.
Alternate possible values/notes: read-write but is not recommended.

Determining if Wire-Level Security is Enabled Using the CLI

If you run configure.sh with the -secure option, wire-level security is automatically enabled at the cluster level. You can, optionally, disable wire-level security at the individual volume-level. To determine if wire-level security is enabled for a volume, run the following command:

/opt/mapr/bin/maprcli volume list -json |grep wire

This command returns the value of wireSecurity as 1 if wire-level security is enabled for the volume; 0 otherwise.

Enabling Cluster Wide Data Access Auditing

To enable auditing data access operations at a cluster level, run:

/opt/mapr/bin/maprcli audit data -enabled

Determining if per Volume Data Access Auditing is Enabled

To determine if auditing data access operations is enabled for a volume, run:

/opt/mapr/bin/maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'

This command returns the value of audited as 1 if data access auditing is enabled for the volume; 0 otherwise.