MapR Security Support Matrix

This matrix lists supported MapR security features.

The following table lists the MapR Ecosystem Packs (MEPs) supported by each MapR version.

MapR Version                       MEP Version
6.0                                4.0
5.2.0, 5.2.1, and 5.2.2            3.0.2, 3.0.1, 3.0, 2.0.3, 2.0.2, 2.0.1, 2.0, 1.1.4, 1.1.3, 1.1.2, 1.1.1, 1.1.0
5.1, 5.0, 4.1, 4.0.x, and 3.1.1    N/A

To simplify the information presented in the matrix below, only those items that you must consider are listed for each ecosystem project. The following items must always be considered for each project:
  • Inbound Authentication
  • Inbound Encryption
The following items are typically determined by the receiver and are included where there are exceptions:
  • Outbound Authentication
  • Outbound Encryption
The following items are only listed for multi-component services for which they are relevant, such as HBase and Drill.
  • Authentication between Services
  • Encryption between Components
Impersonation is only listed for proxy services for which it is relevant, such as services that communicate with another service. Authorization is only listed for the service which authorizes itself; other services are handled by impersonation. Note that auditing cuts across projects and is independent of security settings for individual projects. See Audit Architecture: Operations for a description of the features and instructions for implementation. In summary, MapR auditing supports the auditing functionality implemented in Hadoop open source components. It includes four audit types specific to MapR:
  • Administrative (or CLDB) auditing
  • Authentication auditing
  • MapR command line interface (maprcli) auditing
  • Data access auditing
In addition, all audit records are written in JSON format to support analytics in Drill.
The matrix below lists, for each ecosystem project, the supported security options.

Cascading

Supported Security Options: None

Drill

Authentication:
  • User/password (PAM)
    • Between Drill client and Drillbits
  • Kerberos
    • Between Drill client and Drillbits
    • Between Drillbits
  • MapR-SASL
    • Between Drill client and Drillbits
    • Between Drillbits
    • Drillbit and ZK
    • Drillbit and Hive
    • Drillbit and MapR core (MapR-FS and MapR-DB)

Impersonation: Yes. Supports both user and inbound impersonation. See Configuring User Impersonation and Configuring Inbound Impersonation.

Authorization:
  • Relies on data store
  • Views provide a way to securely share subsets of data, providing a form of access control
Encryption over the wire:
  • SSL
    • Between Drill client and Drillbits
  • SASL
    • Plain (only using SSL)
      • Between Drill client and Drillbits
    • Kerberos
      • Between Drill client and Drillbits
      • Between Drillbits
    • MapR-SASL
      • Between Drill client and Drillbits
      • Between Drillbits
      • Drillbit and Hive
      • Drillbit and MapR core (MapR-FS and MapR-DB)

See Securing Drill for more information.

Flume

Inbound Authentication: N/A (not a service)

Outbound Authentication: MapR ticket, Kerberos

Authentication between Flume agents: MapR ticket, Kerberos

Impersonation: Yes (runs jobs as submitting user)

Authorization: N/A

Encryption over Wire: SSL from Thrift RPC 1.6.0 on

File Channel Encryption: Supported from Thrift RPC 1.6.0 on

HBase (for releases before 6.0)

Inbound Authentication: Kerberos

Impersonation: Inbound

Authentication between Services: Kerberos

Authorization: ACLs on table, column family, and column; boolean logic on cells

Encryption over Wire: Kerberos (inbound and service-to-service; when communicating with another component, it honors that component’s encryption)

HBase/MapR-DB REST Proxy

Inbound Authentication: Kerberos, custom

Impersonation: Yes, the user authenticates to Gateway, which then impersonates user to HBase/MapR-DB

Authorization: None (delegates to HBase/MapR-DB)

Built-in Data Authorization: No

Encryption over Wire: SSL

Encryption between Components: Kerberos

HBase/MapR-DB Thrift Proxy

Inbound Authentication: Kerberos

Impersonation: Yes. Impersonation honors data authorization from HBase 0.98.7 onward.

Authorization: None (delegates to HBase/MapR-DB)

Built-in Data Authorization: No

Encryption over Wire: SSL

Hive

Hive Metastore:

Inbound Authentication: Kerberos, MapR SASL

Authorization: storage-based

HiveServer2:

Inbound Authentication: user/password (PAM), Kerberos, MapR SASL (enabled with cluster security), LDAP

Outbound Authentication: MapR ticket, Kerberos

Impersonation: Yes (turned off by default, in which case HiveServer2 submits jobs as the mapr user, since mapr is the default user that runs all Hive services: the metastore and HiveServer2)

Authorization: Built-in, standards-based, or delegate to HBase/MapR-DB

Encryption over Wire: Inbound

Hive transforms (custom MapReduce code) run as the submitting user via impersonation, so data-level authorization applies and Sentry-level authorization does not.

WebHCat:

Inbound Authentication: user/password (PAM), Kerberos

HttpFS

Inbound Authentication: user/password (PAM), MapR ticket (except cURL), Kerberos

Impersonation: Yes

Encryption: SSL

Encryption over Wire: Yes

Hue

Inbound Authentication: user/password (LDAP, internal database, PAM), SPNEGO

Outbound Authentication:

Hue 3.6 and greater:

  • MapR SASL
  • Kerberos (MapReduce version 1, MapReduce version 2/YARN)

Impersonation: Yes

Encryption over Wire: SSL

Enabling Hue security with MapR-SASL or Kerberos for connectivity to HiveServer2 requires that HiveServer2 enable MapR-SASL and disable user/password authentication. As a result, user/password authentication will not work with HiveServer2 for ODBC/JDBC clients.

Enabling Hue to connect to HBase securely requires that HBase support Kerberos.

For Hue 3.12 and greater, enabling Hue security with MapR-SASL for connectivity to Drill requires that MapR-SASL be enabled on Drill.

Hue works with Spark through the Livy service. Hue does not support encryption and authentication with Livy. Impersonation is supported.

Impala

Inbound Authentication: Kerberos, LDAP

Outbound Authentication: MapR-SASL, Kerberos

Impersonation: No. All file system/database access is as the Impala daemon.

Authorization: Sentry required

Encryption over Wire: Yes

MapReduce version 1 and version 2 (YARN)

Inbound Authentication:
  • User/password (PAM) or Kerberos/MapR-SASL (SPNEGO) for Web interfaces
  • MapR ticket (Kerberos, MapR-SASL)

Outbound Authentication: MapR ticket

Authorization: ACLs on queues, jobs

Impersonation: Yes (runs jobs as submitting user)

Encryption over Wire: AES 256

Oozie

Inbound Authentication: MapR ticket, Kerberos

Outbound Authentication: MapR ticket, Kerberos

Impersonation: Yes

Authorization: Yes

Encryption over Wire: Yes

Pig

Library¹ (N/A: not a service)

Sentry

With Impala 1.4.1: Sentry 1.4.0 can provide authorization on a non-secure cluster or on a secure cluster where Hive does not use Kerberos authentication.

With Impala 2.2: Sentry 1.6.0 can provide authorization on a non-secure cluster or on a secure cluster that uses Kerberos authentication.

As of Sentry 1.6.0: Sentry can provide authorization with Sqoop2 on a secure Kerberos cluster.

Hive and Sentry integration is also supported on MapR-SASL and kerberized clusters.

Spark

Spark supports authentication only for Spark on YARN. YARN starts application workers on nodes, and Spark applications that use YARN connect to those workers. The workers access the cluster as the submitting user. You can optionally configure network-level authentication.

Inbound Authentication: (YARN cluster mode only)
  • None for user
  • Daemons for an application can authenticate with each other
  • Spark SQL Thrift server supports:
    • User/password (PAM)
    • LDAP
    • Kerberos
    • MapR native security with MapR tickets (MapR-SASL)

Outbound Authentication: (YARN cluster mode only) Kerberos and MapR ticket

Impersonation: (YARN cluster mode only) Spark workers run as submitting user

Authorization: N/A

Encryption over Wire:

  • SSL
  • MapR-SASL (As of MEP 3.0, SASL is enabled by default on secure clusters.)
Sqoop 1.4.x

Library¹ (N/A: not a service)

Sqoop 2.0.0

Inbound Authentication: Kerberos, MapR-SASL

Outbound Authentication: Kerberos, MapR-SASL

Authorization: Role-based access control with Sentry, from Sqoop 1.99.6 on

Impersonation: Yes (Kerberos only)

Encryption over Wire: Supported starting with Sqoop 1.99.7

Tez

Library¹ (N/A: not a service)

ZooKeeper

Authentication: MapR ticket

Encryption over Wire: None

¹ For libraries, security depends on the user of the library.

See the following sections for related information on MapR security:

  • For technical information on the protocols supported by MapR, see Security Protocols.
  • For a list of supported ecosystem projects and versions for a given version of the MapR distribution, go to Interoperability Matrix and see the Ecosystem Support matrices.
  • For an overview of security in MapR, with instructions for implementing various features for the core components, see the Security Overview.
  • For instructions on implementing security features for specific ecosystem components, see the section for each component under Ecosystem Components.