Comprehensive security for Enterprise Hadoop
Apache Ranger delivers a comprehensive approach to security for a Hadoop cluster. It provides central security policy administration across the core enterprise security requirements of authorization, authentication, audit and data protection.
Apache Ranger offers a centralized security framework to manage fine-grained access control over Hadoop data access components like Apache Hive and Apache HBase. Using the Apache Ranger console, security administrators can easily manage policies for access to files, folders, databases, tables, or column. These policies can be set for individual users or groups and then enforced within Hadoop.
Security administrators can also use Apache Ranger to manage audit tracking and policy analytics for deeper control of the environment. The solution also provides an option to delegate administration of certain data to other group owners, with the aim of securely decentralizing data ownership.
Apache Ranger currently supports authorization, authentication, auditing, data encryption and security administration for the following HDP components:
Apache Ranger has a decentralized architecture with the following internal components:
|Ranger portal||The portal is the central interface for security administration. Users can create and update policies, which are then stored in a policy database. Plugins within each component poll these policies at regular intervals.The portal also consists of an audit server that sends audit data collected from the plugins for storage in HDFS or in a relational database.|
|Ranger plugins||Plugins are lightweight Java programs which embed within processes of each cluster component. For example, the Apache Ranger plugin for Apache Hive is embedded within Hiveserver2.These plugins pull in policies from a central server and store them locally in a file. When a user request comes through the component, these plugins intercept the request and evaluate it against the security policy. Plugins also collect data from the user request and follow a separate thread to send this data back to the audit server.|
|User group sync||Apache Ranger provides a user synchronization utility to pull users and groups from Unix or from LDAP or Active Directory. The user or group information is stored within Ranger portal and used for policy definition.|
Author: Balaji Ganesan
Hortonworks has recently announced the integration of Apache Atlas and Apache Ranger, and introduced the concept of tag or classification based policies. Enterprises can classify data in Apache Atlas and use the classification to build security policies in Apache Ranger.
Atlas – Ranger TP VM. You can download it from here.
This VM can be used with the following tutorials.
Tag Based Policies tutorial walks through an example of tagging data in Atlas and building a security policy in Ranger. This tutorial can be accessed at Tag Based Policies With Apache Ranger and Apache Atlas.
Cross Component Lineage tutorial walks through the steps for creating data in Apache Hive through Apache Sqoop and Apache Storm. This tutorial can be accessed at Cross Component Lineage With Apache Atlas, Across Apache Sqoop, Storm and Hive.
|Extension of support||Additional investments extend administration of authorization and auditing to more Hadoop components:|
|Encryption||Production-ready KMS to support HDFS Transparent Data Encryption|
The Atlas/ Ranger integration represents a paradigm shift for big data governance and security. By integrating Atlas with Ranger enterprises can now implement dynamic classification-based security policies, in addition to role-based security. Ranger’s centralized platform empowers data administrators to define security policy based on Atlas metadata tags or attributes and apply this policy in real-time to the entire hierarchy of data assets including databases, tables and columns.
|Apache Ranger 0.6.0||
|Apache Ranger 0.5.0||
|Apache Ranger 0.4.0||
|HDP Advanced Security 3.5||
Ambari 2.0 helps provision, manage and monitor Hadoop security in two ways. First, Ambari now simplifies the setup, configuration and maintenance of Kerberos for strong authentication in the cluster. Secondly, Ambari now includes support for installing and configuring Apache Ranger for centralized security administration, authorization and audit. For additional details view the Apache Ambari page.