MapR Security Support Matrix

The tables in this section describe MapR security features.

Table 1 describes security for MapR main components and subcomponents that authenticate using MapR-SASL, Kerberos, PAM, and LDAP.

Table 2 describes support for impersonation, authorization, auditing, and wire-level encryption for MapR main components and subcomponents.

Authentication

Table 1. Authentication
| Main Component | Subcomponent | MapR-SASL | Kerberos | PAM | LDAP |
|---|---|---|---|---|---|
| CORE COMPONENTS | | | | | |
| MapR Installer | N/A | No | No | Yes | Yes (via PAM) |
| JobClient to Resource Manager | N/A | Yes | Yes | N/A | N/A |
| MapR-FS [1] | MapRClient-MapR-FS | Yes | No | N/A | N/A |
| MapR-DB | MapRDB Java Client ↔ MapR-FS | Yes | No | No | No |
| | MapRDB C Client ↔ MapR-FS | Yes | No | No | No |
| | AsyncHBase Client ↔ MapR-FS | Yes | No | No | No |
| | Spark driver-MapR-DB (JSON) | Yes | No | No | No |
| | Spark driver-MapR-DB (Binary) | Yes | No | No | No |
| | HBase Thrift Gateway for MapR-DB [2] | Yes | No | No | No |
| | HBase REST Gateway for MapR-DB | No | Yes | Yes | No |
| MapR-Streams | Kafka Java Client | Yes | No | No | No |
| | librdkafka C Client | Yes | No | No | No |
| | Kafka REST Gateway | | | | |
| | Kafka Connect | | | | |
| | Kafka Python Client | | | | |
| | Admin Java APIs | Yes | No | No | No |
| | Analytics Using DocumentStream | Yes | No | No | No |
| Monet [3] | N/A | No | No | Yes | Yes (via PAM) |
| Zookeeper [4] | ZK client to ZK server | Yes | Yes | N/A | N/A |
| | ZK server to ZK server | No | No | N/A | N/A |
| ECOSYSTEM COMPONENTS | | | | | |
| Drill [5] | Web client-Drillbit | No | Partial (using SPNEGO WIP) | Yes | Yes (via PAM) |
| | Java/C++ client - Drillbit | Yes | Yes | Yes | Yes (via PAM) |
| | Drill - Hive storage plugin | Yes | No | No | No |
| Flume [6] | Thrift Client-Flume Agent | Yes | Yes | N/A | N/A |
| | Avro Client-Flume Agent (Netty) | No | No | N/A | N/A |
| | Flume Agent-MapR Streams | Yes | No | N/A | N/A |
| | Flume Agent-MapR DB | Yes | No | N/A | N/A |
| | Flume Agent-Hive Metastore | Yes | Yes | N/A | N/A |
| Hive | HiveServer2-Metastore | Yes | Yes | N/A | N/A |
| | WebHCat-Metastore | No | Yes | Yes | N/A |
| | Hive Shell-MetaStore | Yes | Yes | N/A | N/A |
| | Beeline-HiveServer2 | Yes | Yes | Yes | Yes |
| | REST API-WebHCat | No | Yes | Yes | No |
| HttpFS | REST API | N/A | Yes | Yes | Yes (via PAM) |
| | HttpFS-Hue | Yes | Yes | N/A | N/A |
| | HttpFS-MapR-FS | Yes | No | No | No |
| Hue | Hue-Oozie | Yes | Yes | N/A | N/A |
| | Hue-YARN | Yes | Yes | N/A | N/A |
| | Hue-HbaseThrift | Yes | Yes | N/A | N/A |
| | Hue-Sqoop2 | Yes | Yes | N/A | N/A |
| | Hue-Livy | N/A | N/A | N/A | N/A |
| | Hue-HttpFS | Yes | Yes | N/A | N/A |
| | Hue-HiveServer2 | Yes | Yes | No | Yes |
| Oozie | Oozie Server-Oozie client, REST API Hue [7] | Yes (Default) | Yes | N/A | Custom* |
| | Pig - Oozie Server [8] | N/A | N/A | N/A | N/A |
| | Spark/Sqoop - Oozie Server [9] | N/A | N/A | N/A | N/A |
| | Oozie Server-Beeline-HS2 | Yes | Yes | Yes | Yes (via PAM) |
| | Oozie Server-Hive | Yes | Yes | N/A | N/A |
| Spark | Web clients to Spark component UI | No, but uses Spark's shared secret with DIGEST-MD5 | | | |
| | Driver to Executor | No, but uses Spark's shared secret with DIGEST-MD5 | | | |
| | Driver to HBase | Yes | Yes | No | No |
| | Driver to MapR-DB | Yes | No | No | No |
| | Driver to MapR-Streams | Yes | Yes | No | No |
| Sqoop 2 [10] | REST API, Hue, Sqoop 2 Client - Sqoop 2 Server | Yes | Yes | No | No |
| YARN | REST/Browser - RM/JHS/ATS | N/A | Yes | Yes (default) | Yes (via PAM) |
| | Internal communication (RM/NM/JHS) | Yes | Yes | N/A | N/A |
| | Containers - YARN services (RM/NM) | No, but uses Spark's shared secret with DIGEST-MD5 | | | |
| | Timeline Server | Yes | Yes | N/A | N/A |
| Kafka REST | REST API | No | No | Yes | No |

[1] Encryption of payload not enabled by default.

[2] MapR-SASL supported but not enabled during installation.

[3] Monet is secure between client and webserver (API Server). The server may invoke other commands via mapr-cli that themselves do not use secure communication.

[4] SSL supported from ZK 3.5. Auditing supported from 3.5.3.

[5] Support for Kerberos has not been verified.

[6] Flume agents can't be started automatically after installation. Manual configuration is required.

[7] Custom authentication filter can be configured.

[8] Apache Pig is a library.

[9] Oozie orchestrates Spark/Sqoop jobs using Spark/Sqoop native client, so security is the same as Spark/Sqoop.

[10] SSL added to Sqoop 1.99.7. Basic access authentication enabled by default.

Impersonation, Authorization, Auditing, and Wire-Level Encryption

Table 2. Impersonation, Authorization, Auditing, and Wire-Level Encryption
| Main Component | Subcomponent | Impersonation | Authorization | Auditing | Wire-Level Encryption: MapR-SASL | Wire-Level Encryption: Kerberos | Wire-Level Encryption: SSL/TLS |
|---|---|---|---|---|---|---|---|
| CORE COMPONENTS | | | | | | | |
| MapR Installer | N/A | N/A | Yes | N/A | No | No | Yes |
| JobClient to Resource Manager | N/A | Yes | Yes (Hadoop) | Yes | Yes | Yes | No |
| MapR-FS | MapRClient-MapR-FS | Yes | Yes (FS) | Yes | Partial | No | No |
| MapR-DB | MapRDB Java Client ↔ MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | MapRDB C Client ↔ MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | AsyncHBase Client ↔ MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | Spark driver-MapR-DB (JSON) | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | Spark driver-MapR-DB (Binary) | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | HBase Thrift Gateway for MapR-DB | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | HBase REST Gateway for MapR-DB | Yes | Yes (FS) | Yes (FS) | No | No | Yes |
| MapR-Streams | Kafka Java Client | Yes | Yes (FS) | No | Yes | No | No |
| | librdkafka C Client | Yes | Yes (FS) | No | Yes | No | No |
| | Kafka REST Gateway | | | | | | |
| | Kafka Connect | | | | | | |
| | Kafka Python Client | | | | | | |
| | Admin Java APIs | Yes | Yes (FS) | No | Yes | No | No |
| | Analytics Using DocumentStream | Yes | Yes (FS) | No | Yes | No | No |
| Monet | N/A | N/A | Yes | N/A | No | No | Yes |
| Zookeeper | ZK client to ZK server | N/A | Yes (ACL) | Yes (Log) | Yes | No | No |
| | ZK server to ZK server | N/A | N/A | Yes (Log) | No | No | No |
| ECOSYSTEM COMPONENTS | | | | | | | |
| Drill | Web client-Drillbit | Yes | Yes (FS) | No | No | No [11] | Yes |
| | Java/C++ client - Drillbit | Yes | Yes (FS) | No | Yes | Yes | Yes |
| | Drill - Hive storage plugin | Yes | Yes (DB) | No | Yes | No | No |
| Flume | Thrift Client-Flume Agent | Yes | No | No | Yes | No | Yes |
| | Avro Client-Flume Agent (Netty) | No | Yes (IP filter) | No | No | No | Yes |
| | Flume Agent-MapR Streams | N/A | Yes (stream) | No | Yes | No | No |
| | Flume Agent-MapR DB | N/A | Yes (DB) | N/A | Yes | No | No |
| | Flume Agent-Hive Metastore | N/A | Yes (DB) | N/A | Yes | Yes | N/A |
| Hive | HiveServer2-Metastore | Yes | Yes (FS) | No | Yes | Yes | Yes |
| | WebHCat-Metastore | Yes | N/A | No | No | Yes | No |
| | Hive Shell-MetaStore | Yes | Yes (FS) | No | Yes | Yes | No |
| | Beeline-HiveServer2 | Yes | Yes (FS), Sentry | Yes | No | No | Yes |
| | REST API-WebHCat | Yes | Yes (FS) | No | No | Yes | No |
| HttpFS | REST API | Yes | Yes (FS) | Yes | N/A | No | Yes |
| | HttpFS-Hue | Yes | Yes (FS) | Yes | No | No | Yes |
| | HttpFS-MapR-FS | Yes | Yes (FS) | Yes | Yes | No | No |
| Hue | Hue-Oozie | Yes | Yes (FS) | No [12] | No | No | Yes |
| | Hue-YARN | Yes | Yes (FS) | No | No | No | Yes |
| | Hue-HbaseThrift | Yes | Yes (FS) | No | Yes | N/A | N/A |
| | Hue-Sqoop2 | Yes | Yes (FS) | No | N/A | N/A | Yes |
| | Hue-Livy | Yes | Yes (FS) | No | N/A | N/A | N/A |
| | Hue-HttpFS | Yes | Yes (FS) | No | No | No | Yes |
| | Hue-HiveServer2 | Yes | Yes (FS) | No | Yes | Yes | Yes |
| Oozie | Oozie Server-Oozie client, REST API Hue | Yes | Yes (FS) | Yes | Yes | Yes | Yes |
| | Pig - Oozie Server | Yes | N/A | N/A | N/A | N/A | N/A |
| | Spark/Sqoop - Oozie Server | Yes | N/A | N/A | N/A | N/A | N/A |
| | Oozie Server-Beeline-HS2 | Yes | N/A | Yes | Yes | N/A | Yes |
| | Oozie Server-Hive | Yes | N/A | Yes | Yes (Default) | Yes | No |
| Spark | Web clients to Spark component UI | N/A | Yes (ACL) | No | No | No | Yes |
| | Driver to Executor | N/A | N/A | No | When running Spark-on-YARN, Driver-To-Executor communication is through YARN (Hadoop protocol), so it is fully secured. | | |
| | Driver to HBase | Yes | Yes | N/A | No | N/A | N/A |
| | Driver to MapR-DB | Yes | Yes | N/A | Yes | N/A | N/A |
| | Driver to MapR-Streams | N/A | Yes (ACL) | N/A | Yes | No | Yes |
| Sqoop 2 | REST API, Hue, Sqoop 2 Client - Sqoop 2 Server | Yes | Yes (FS) | N/A | Yes | Yes | Yes |
| YARN | REST/Browser - RM/JHS/ATS | Yes | Yes | Yes | No | No | Yes |
| | Internal communication (RM/NM/JHS) | N/A | N/A | Yes | Yes | Yes | No |
| | Containers - YARN services (RM/NM) | N/A | N/A | Yes | Yes | Yes | No |
| | Timeline Server | N/A | Yes | Yes (Log) | Yes | Yes | No |
| Kafka REST | REST API | Yes | Yes (Streams) | No | No | No | Yes |

[11] SPNEGO can be used in conjunction with HTTPS.

[12] Auditing user administration operations with Hue.