MapR Security Support Matrix

The tables in this section describe MapR security features.

Table 1 describes security for MapR main components and subcomponents that authenticate using MapR-SASL, Kerberos, PAM, and LDAP.

Table 2 describes support for impersonation, authorization, auditing, and wire-level encryption for MapR main components and subcomponents.

Table Symbols

The tables in this section use directional arrows to convey inbound and outbound communication:
  • A right arrow (A → B) means OUTBOUND from A and INBOUND to B.
  • A double arrow (A ↔ B) means OUTBOUND from A and INBOUND to B, and vice versa.
  • No arrow indicates OUTBOUND communication from the subcomponent to all components with which it communicates.

Authentication

Table 1. Authentication
| Main Component | Subcomponent | MapR-SASL | Kerberos | PAM | LDAP |
| --- | --- | --- | --- | --- | --- |
| CORE COMPONENTS | | | | | |
| MapR Installer | N/A | No | No | Yes | Yes (via PAM) |
| JobClient to Resource Manager | N/A | Yes | Yes | N/A | N/A |
| MapR-FS | FileClient → MapR-FS [1] | Yes | No | Yes | Yes (via PAM) |
| | MapR-FS ↔ MapR-FS [2] | Yes | No | Yes | Yes (via PAM) |
| | CLDB ↔ MapR-FS [3] | Yes | No | Yes | Yes (via PAM) |
| | FileClient → CLDB [3] | Yes | No | Yes | Yes (via PAM) |
| | NFSv3 → MapR-FS [2] | Yes | No | Yes | Yes (via PAM) |
| | NFSv3 → CLDB [4] | Yes | No | Yes | Yes (via PAM) |
| MapR-DB | MapRDB Java Client → MapR-FS [5] | Yes | No | No | No |
| | MapRDB C Client → MapR-FS [5] | Yes | No | No | No |
| | AsyncHBase Client → MapR-FS [5] | Yes | No | No | No |
| | Hive connector for MapR-DB [5] | Yes | No | No | No |
| | Spark driver → MapR-DB (JSON) [5] | Yes | No | No | No |
| | Spark driver → MapR-DB (Binary) [5] | Yes | No | No | No |
| | HBase Thrift Gateway for MapR-DB [6] | Yes | No | No | No |
| | HBase REST Gateway for MapR-DB | No | Yes | Yes | No |
| MapR-Streams | Kafka Java Client | Yes | No | No | No |
| | librdkafka C Client | Yes | No | No | No |
| | Kafka REST Gateway | No | No | Yes | No |
| | Kafka Connect | | | | |
| | Kafka Python Client | Yes | No | No | No |
| | Admin Java APIs | Yes | No | No | No |
| | Analytics Using DocumentStream | Yes | No | No | No |
| Monet [7] | N/A | No | No | Yes | Yes (via PAM) |
| Zookeeper [8] | ZK client → ZK server | Yes | Yes | N/A | N/A |
| | ZK server ↔ ZK server | No | No | N/A | N/A |
| ECOSYSTEM COMPONENTS | | | | | |
| Drill [9] | Web client → Drillbit | No | Partial (using SPNEGO WIP) | Yes | Yes (via PAM) |
| | Drillbit ↔ Drillbit | Yes | Yes | N/A | N/A |
| | Java/C++ client → Drillbit | Yes | Yes | Yes | Yes (via PAM) |
| | Drill → Hive storage plugin | Yes | No | No | No |
| Flume [10] | Thrift Client → Flume Agent | Yes | Yes | N/A | N/A |
| | Avro Client → Flume Agent (Netty) | No | No | N/A | N/A |
| | Flume Agent → MapR Streams | Yes | No | N/A | N/A |
| | Flume Agent → MapR DB | Yes | No | N/A | N/A |
| | Flume Agent → Hive Metastore | Yes | Yes | N/A | N/A |
| Hive | HiveServer2 → Metastore | Yes | Yes | N/A | N/A |
| | WebHCat → Metastore | No | Yes | N/A | N/A |
| | Hive Shell → MetaStore | Yes | Yes | N/A | N/A |
| | Beeline → HiveServer2 | Yes | Yes | Yes | Yes |
| | REST API → WebHCat | No | Yes | No | No |
| HttpFS | REST API | N/A | Yes | Yes | Yes (via PAM) |
| | HttpFS → Hue | Yes | Yes | N/A | N/A |
| | HttpFS → MapR-FS | Yes | No | No | No |
| Hue | Hue → Oozie | Yes | Yes | N/A | N/A |
| | Hue → YARN | Yes | Yes | N/A | N/A |
| | Hue → HbaseThrift | Yes | Yes | N/A | N/A |
| | Hue → Sqoop2 | Yes | Yes | N/A | N/A |
| | Hue → Livy | N/A | N/A | N/A | N/A |
| | Hue → HttpFS | Yes | Yes | N/A | N/A |
| | Hue → HiveServer2 | Yes | Yes | No | Yes |
| Oozie | Oozie client, REST API, Hue → Oozie Server | Yes (Default) | Yes | N/A | Custom [11] |
| | Pig → Oozie Server [12] | N/A | N/A | N/A | N/A |
| | Spark/Sqoop → Oozie Server [13] | N/A | N/A | N/A | N/A |
| | Oozie Server → Beeline-HS2 | Yes | Yes | Yes | Yes (via PAM) |
| | Oozie Server → Hive | Yes | Yes | N/A | N/A |
| Spark | Web clients → Spark component UI | No, but uses Spark's shared secret with DIGEST-MD5 | | | |
| | Driver → Executor | No, but uses Spark's shared secret with DIGEST-MD5 | | | |
| | Driver → MapR-DB (JSON) | Yes (FS) | No | No | No |
| | Driver → MapR-DB (Binary) | Yes (FS) | No | No | No |
| | Driver → MapR-Streams | Yes (FS) | Yes | No | No |
| Sqoop 2 [14] | REST API, Hue, Sqoop 2 Client → Sqoop 2 Server | Yes | Yes | No | No |
| YARN | REST/Browser → RM/JHS/ATS | N/A | Yes | Yes (default) | Yes (via PAM) |
| | Internal communication (RM/NM/JHS) | Yes | Yes | N/A | N/A |
| | Containers → YARN services (RM/NM) | No, but uses YARN's shared secret with DIGEST-MD5 | | | |
| | Timeline Server | Yes | Yes | N/A | N/A |
| Kafka REST | REST API | No | No | Yes | No |

[1] Encryption of payload not enabled by default.

[2] Payload not encrypted by default.

[3] All data exchanged with CLDB is in protobufs only and hence encrypted in secure clusters.

[4] Only admin ops to CLDB are audited. NFSv3 communication with CLDB is usually not admin-related.

[5] Accessed through the MapR client, which reads security settings from /opt/mapr/conf/mapr-clusters.conf; hence, this interface follows the secure-by-default model.

[6] MapR-SASL supported but not enabled during installation.

[7] Monet is secure between client and webserver (API Server). The server may invoke other commands through the maprcli that themselves do not use secure communication.

[8] SSL supported from Zookeeper 3.5. Auditing supported from Zookeeper 3.5.3.

[9] Support for Kerberos has not been verified.

[10] Flume agents can't be started automatically after installation. Manual configuration is required.

[11] Custom authentication filter can be configured.

[12] Apache Pig is a library.

[13] Oozie orchestrates Spark/Sqoop jobs using Spark/Sqoop native client, so security is the same as Spark/Sqoop.

[14] SSL added to Sqoop 1.99.7. Basic access authentication enabled by default.

Impersonation, Authorization, Auditing, and Wire-Level Encryption

Table 2. Impersonation, Authorization, Auditing, and Wire-Level Encryption
| Main Component | Subcomponent | Impersonation | Authorization | Auditing | Wire-Level Encryption (MapR-SASL) | Wire-Level Encryption (Kerberos) | Wire-Level Encryption (SSL/TLS) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CORE COMPONENTS | | | | | | | |
| MapR Installer | N/A | N/A | Yes | N/A | No | No | Yes |
| JobClient to Resource Manager | N/A | Yes | Yes (Hadoop) | Yes | Yes | Yes | No |
| MapR-FS | FileClient → MapR-FS | Yes | Yes (FS) | Yes | Partial | No | No |
| | MapR-FS ↔ MapR-FS | N/A | Yes | No | Partial | No | No |
| | CLDB ↔ MapR-FS | N/A | Yes | No | Yes | No | No |
| | FileClient → CLDB | Yes | Yes | Yes | Yes | No | No |
| | NFSv3 → MapR-FS | Yes | Yes | Yes | Partial | No | No |
| | NFSv3 → CLDB | Yes | Yes | No | Yes | No | No |
| MapR-DB | MapRDB Java Client → MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | MapRDB C Client → MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | AsyncHBase Client → MapR-FS | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | Hive connector for MapR-DB | No | Yes (FS) | Yes (FS) | Yes | No | No |
| | Spark driver → MapR-DB (JSON) | No | Yes (FS) | Yes (FS) | Yes | No | No |
| | Spark driver → MapR-DB (Binary) | No | Yes (FS) | Yes (FS) | Yes | No | No |
| | HBase Thrift Gateway for MapR-DB | Yes | Yes (FS) | Yes (FS) | Yes | No | No |
| | HBase REST Gateway for MapR-DB | Yes | Yes (FS) | Yes (FS) | No | No | Yes |
| MapR-Streams | Kafka Java Client | Yes | Yes (FS) | No | Yes | No | No |
| | librdkafka C Client | Yes | Yes (FS) | No | Yes | No | No |
| | Kafka REST Gateway | Yes | Yes (FS) | No | No | No | Yes |
| | Kafka Connect | | | | | | |
| | Kafka Python Client | Yes | Yes (FS) | No | Yes | No | No |
| | Admin Java APIs | Yes | Yes (FS) | No | Yes | No | No |
| | Analytics Using DocumentStream | Yes | Yes (FS) | No | Yes | No | No |
| Monet | N/A | N/A | Yes | N/A | No | No | Yes |
| Zookeeper | ZK client → ZK server | N/A | Yes (ACL) | Yes (Log) | Yes | No | No |
| | ZK server ↔ ZK server | N/A | N/A | Yes (Log) | No | No | No |
| ECOSYSTEM COMPONENTS | | | | | | | |
| Drill | Web client → Drillbit | Yes | Yes (FS) | No | No | No [15] | Yes |
| | Drillbit ↔ Drillbit | Yes | Yes (FS) | No | Yes | Yes | N/A |
| | Java/C++ client → Drillbit | Yes | Yes (FS) | No | Yes | Yes | Yes |
| | Drill → Hive storage plugin | Yes | Yes (DB) | No | Yes | No | No |
| Flume | Thrift Client → Flume Agent | Yes | No | No | Yes | No | Yes |
| | Avro Client → Flume Agent (Netty) | No | Yes (IP filter) | No | No | No | Yes |
| | Flume Agent → MapR Streams | N/A | Yes (stream) | No | Yes | No | No |
| | Flume Agent → MapR DB | N/A | Yes (DB) | N/A | Yes | No | No |
| | Flume Agent → Hive Metastore | N/A | Yes (DB) | N/A | Yes | Yes | N/A |
| Hive | HiveServer2 → Metastore | Yes | Yes (FS) | No | Yes | Yes | Yes |
| | WebHCat → Metastore | Yes | N/A | No | No | Yes | No |
| | Hive Shell → MetaStore | Yes | Yes (FS) | No | Yes | Yes | No |
| | Beeline → HiveServer2 | Yes | Yes (FS), Sentry | Yes | Yes | No | Yes |
| | REST API → WebHCat | Yes | Yes (FS) | No | No | Yes | No |
| HttpFS | REST API | Yes | Yes (FS) | Yes | N/A | No | Yes |
| | HttpFS → Hue | Yes | Yes (FS) | Yes | No | No | Yes |
| | HttpFS → MapR-FS | Yes | Yes (FS) | Yes | Yes | No | No |
| Hue | Hue → Oozie | Yes | Yes (FS) | No [16] | No | No | Yes |
| | Hue → YARN | Yes | Yes (FS) | No | No | No | Yes |
| | Hue → HbaseThrift | Yes | Yes (FS) | No | Yes | N/A | N/A |
| | Hue → Sqoop2 | Yes | Yes (FS) | No | N/A | N/A | Yes |
| | Hue → Livy | Yes | Yes (FS) | No | N/A | N/A | N/A |
| | Hue → HttpFS | Yes | Yes (FS) | No | No | No | Yes |
| | Hue → HiveServer2 | Yes | Yes (FS) | No | Yes | Yes | Yes |
| Oozie | Oozie client, REST API, Hue → Oozie Server | Yes | Yes (FS) | Yes | Yes | Yes | Yes |
| | Pig → Oozie Server | Yes | N/A | N/A | N/A | N/A | N/A |
| | Spark/Sqoop → Oozie Server | Yes | N/A | N/A | N/A | N/A | N/A |
| | Oozie Server → Beeline-HS2 | Yes | N/A | Yes | Yes | N/A | Yes |
| | Oozie Server → Hive | Yes | N/A | Yes | Yes (Default) | Yes | No |
| Spark | Web clients → Spark component UI | N/A | Yes (ACL) | No | No | No | Yes |
| | Driver → Executor | N/A | N/A | No | When running Spark-on-YARN, Driver-To-Executor communication is through YARN (Hadoop protocol), so it is fully secured. | | |
| | Driver → MapR-DB (JSON) | No | Yes (FS) | Yes (FS) | Yes | No | No |
| | Driver → MapR-DB (Binary) | No | Yes (FS) | Yes (FS) | Yes | No | No |
| | Driver → MapR-Streams | N/A | Yes (ACL) | N/A | Yes | No | Yes |
| Sqoop 2 | REST API, Hue, Sqoop 2 Client → Sqoop 2 Server | Yes | Yes (FS) | N/A | Yes | Yes | Yes |
| YARN | REST/Browser → RM/JHS/ATS | Yes | Yes | Yes | No | No | Yes |
| | Internal communication (RM/NM/JHS) | N/A | N/A | Yes | Yes | Yes | No |
| | Containers → YARN services (RM/NM) | N/A | N/A | Yes | Yes | Yes | No |
| | Timeline Server | N/A | Yes | Yes (Log) | Yes | Yes | No |
| Kafka REST | REST API | Yes | Yes (Streams) | No | No | No | Yes |

[15] SPNEGO can be used in conjunction with HTTPS.

[16] Auditing user administration operations with Hue.