MapR Security Support Matrix

The tables in this section show component support for authentication, impersonation, and wire-level encryption.

Table 1 shows component support for authentication using MapR-SASL, Kerberos, and PAM.

Table 2 shows component support for impersonation and wire-level encryption.

Table Symbols

The tables in this section use dashes to indicate non-support and directional arrows to convey inbound and outbound communication:
  • A dash (—) indicates that the feature is currently not supported, not needed, or not applicable.
  • A right arrow (A → B) means OUTBOUND from A and INBOUND to B.
  • A double arrow (A ↔ B) means OUTBOUND from A and INBOUND to B, and vice versa.
  • No arrow indicates OUTBOUND communication from the subcomponent to all components with which it communicates.

Authentication in MapR 6.1

Table 1. Component Support for Authentication
Main Component Subcomponent Authentication
MapR-SASL Kerberos PAM1
CORE COMPONENTS
Data Fabric for Kubernetes N/A
FUSE POSIX Client N/A
JobClient to Resource Manager N/A Yes Yes
MapR Installer N/A Yes
MapR Filesystem FileClient C → MapR Filesystem Yes
FileClient Java → MapR Filesystem Yes Yes2
MapR FilesystemMapR Filesystem3 Yes
CLDB ↔ MapR Filesystem4 Yes
FileClient → CLDB4 Yes Yes2
NFSv3 → MapR Filesystem Yes
NFSv3 → CLDB5 Yes
MapR Database MapR Database Java Client → MapR Database6 Yes Yes2
MapR Database C Client → MapR Database6 Yes
AsyncHBase Client → MapR Database6 Yes Yes2
Hive Job Using Connector to MapR Database6 Yes
Spark Job Using Connector to MapR Database6 Yes
Client → HBase Thrift Gateway6 Yes
HBase Thrift Gateway for MapR Database (Binary)7 Yes
Client → Data Access Gateway Yes
Data Access Gateway → MapR Database (JSON) Yes
Client → HBase REST Gateway Yes Yes
HBase REST Gateway for MapR Database (Binary) Yes
MapR-Streams Java Client → MapR Event Store For Apache Kafka Yes
librdkafka C/C#/Python Client → MapR Event Store For Apache Kafka Yes
Client Kafka REST Gateway Yes
Kafka REST Gateway → MapR Event Store For Apache Kafka Yes
REST Client → Kafka Connect Gateway
Kafka Connect Gateway → MapR Event Store For Apache Kafka Yes
MapR Control System8 MCS CLI Command Yes Yes
MCS Web Command (REST Interface) Yes Yes
NFSv3 N/A
NFSv4 N/A Yes
ZooKeeper9 ZK client → ZK server Yes
ZK server ↔ ZK server Yes
BUNDLED CLIENTS10
Data Science Refinery (DSR) N/A
Persistent Application Client Container (PACC) N/A
ECOSYSTEM COMPONENTS
Drill11 Web client → Drillbit Partial (using SPNEGO WIP) Yes
Drillbit ↔ Drillbit Yes Yes
Java/C++ Client/JDBC/ODBC → Drillbit Yes Yes Yes
Drill → Hive Storage Plugin Yes
Flume12 Thrift Client → Flume Agent Yes Yes
Avro Client → Flume Agent (Netty)
Flume Agent → MapR Streams Yes
Flume Agent → MapR Database Yes
Flume Agent → Hive Metastore Yes Yes
Hive HiveServer2 → Metastore Yes Yes
JDBC Client → HiveServer2 Yes Yes Yes
ODBC Client → HiveServer2 Yes Yes
WebHCat → Metastore Yes Yes
Hive Shell → MetaStore Yes Yes
Beeline → HiveServer2 Yes Yes Yes
REST API → WebHCat Yes
HttpFS Client (REST) → HttpFS Yes Yes
HttpFS → MapR Filesystem Yes
Hue Hue → Oozie13 Yes Yes
Hue → YARN Yes Yes
Hue → HbaseThrift Yes Yes
Hue → Sqoop2 Yes Yes
Hue → HttpFS Yes Yes
Hue → HiveServer2 Yes Yes
KSQL KSQL → MapR Event Store For Apache Kafka (Java client)
KSQL → Kafka Streams
Kafka Streams Kafka Streams → MapR Event Store For Apache Kafka (Java client)
MapR Object Store MapR Object StoreMapR Filesystem (via POSIX client) Yes
MapR Object StoreMapR Event Store For Apache Kafka (via librdkafka) Yes
MapR Object Store Client → MapR Object Store (self-managed via credentials file)
Oozie Oozie Client, REST API, Hue → Oozie Server14 Yes Yes
Oozie Server → Spark/Sqoop15 Yes Yes
Oozie Server → Beeline-HS2 Yes Yes Yes
Oozie Server → Hive Yes Yes
Spark Web Clients → Spark Component UI No, but uses Spark's shared secret with DIGEST-MD5
Spark Driver → Executor No, but uses Spark's shared secret with DIGEST-MD5
Spark Job Using Connector → MapR Database Yes
Spark Job Using Connector → MapR-Streams Yes Yes
JDBC Client → Spark Thrift Server Yes Yes
ODBC Client → Spark Thrift Server Yes Yes
Sqoop 216 REST API, Hue, Sqoop 2 Client → Sqoop 2 Server Yes Yes
YARN REST/Browser → RM/JHS/ATS Yes Yes
Internal communication (RM/NM/JHS) Yes Yes
Containers → YARN Services (RM/NM) No, but uses YARN's shared secret with DIGEST-MD5
Timeline Server Yes Yes

1If LDAP is required, LDAP can be supported through PAM.

2 Kerberos support is provided by implicit conversion of Kerberos tickets to MapR tickets.

3Payload not encrypted by default.

4All data exchanged with CLDB is in protobufs only and hence encrypted in secure clusters.

5Only admin ops to CLDB are audited. NFSv3 communication with CLDB is usually not admin-related.

6Accessed through the MapR client, which reads security settings from /opt/mapr/conf/mapr-clusters.conf; hence, this interface follows the secure-by-default model.

7MapR-SASL is supported but not enabled during installation.

8The MapR Control System is secure between client and webserver (API Server). The server may invoke other commands through the maprcli interface that themselves do not use secure communication.

9MapR uses MapR-SASL for communication with ZooKeeper.

10Includes a FUSE POSIX client, YARN client, and other client components.

11Support for Kerberos has not been verified, but SPNEGO can be used in conjunction with HTTPS.

12Flume agents can't be started automatically after installation. Manual configuration is required.

13Auditing user administration operations with Hue.

14A custom authentication filter can be configured.

15Oozie orchestrates Spark/Sqoop jobs using the Spark/Sqoop native client, so security is the same as Spark/Sqoop.

16SSL added to Sqoop 1.99.7. Basic access authentication is enabled by default.

Impersonation and Wire-Level Encryption in MapR 6.1

Table 2. Component Support for Impersonation and Wire-Level Encryption
Main Component Subcomponent Impersonation Wire-Level Encryption
MapR-SASL Kerberos SSL/TLS
CORE COMPONENTS
Data Fabric for Kubernetes N/A
FUSE POSIX Client N/A
JobClient to Resource Manager N/A Yes Yes Yes
MapR Installer N/A Yes
MapR Filesystem FileClient C → MapR Filesystem Yes Yes
FileClient Java → MapR Filesystem Yes Yes
MapR FilesystemMapR Filesystem Yes
CLDB ↔ MapR Filesystem Yes
FileClient → CLDB Yes Yes
NFSv3 → MapR Filesystem Yes Yes
NFSv3 → CLDB Yes Yes
MapR Database MapR Database Java Client → MapR Database Yes Yes
MapR Database C Client → MapR Database Yes Yes
AsyncHBase Client → MapR Database Yes Yes
Hive Job Using Connector to MapR Database Yes Yes
Spark Job Using Connector to MapR Database Yes Yes
Client → HBase Thrift Gateway Yes
HBase Thrift Gateway for MapR Database (Binary) Yes Yes
Client → Data Access Gateway Yes
Data Access Gateway → MapR Database (JSON) Yes Yes
Client → HBase REST Gateway Yes
HBase REST Gateway for MapR Database (Binary) Yes Yes
MapR-Streams Java Client → MapR Event Store For Apache Kafka Yes Yes
librdkafka C/C#/Python Client → MapR Event Store For Apache Kafka Yes
Client → Kafka REST Gateway Yes
Kafka REST Gateway → MapR Event Store For Apache Kafka Yes Yes
REST Client → Kafka Connect Gateway
Kafka Connect Gateway → MapR Event Store For Apache Kafka Yes
MapR Control System MCS CLI Command Yes
MCS Web Command (REST Interface) Yes
NFSv3 N/A
NFSv4 N/A Yes
ZooKeeper ZK client → ZK server Yes
ZK server ↔ ZK server
BUNDLED CLIENTS1
Data Science Refinery (DSR) N/A
Persistent Application Client Container (PACC) N/A
ECOSYSTEM COMPONENTS
Drill Web client → Drillbit Yes Yes
Drillbit ↔ Drillbit Yes Yes Yes
Java/C++ client → Drillbit Yes Yes Yes Yes
Drill → Hive storage plugin Yes Yes
Flume Thrift Client → Flume Agent Yes Yes Yes
Avro Client → Flume Agent (Netty) Yes
Flume Agent → MapR Streams Yes
Flume Agent → MapR Database Yes
Flume Agent → Hive Metastore Yes Yes
Hive HiveServer2 → Metastore Yes Yes Yes Yes
JDBC Client → HiveServer2 Yes Yes Yes Yes
ODBC Client → HiveServer2 Yes Yes Yes
WebHCat → Metastore Yes Yes
Hive Shell → MetaStore Yes Yes Yes
Beeline → HiveServer2 Yes Yes Yes
REST API → WebHCat Yes Yes
HttpFS Client (REST) → HttpFS Yes Yes
HttpFS → MapR Filesystem Yes Yes
Hue Hue → Oozie Yes Yes
Hue → YARN Yes Yes
Hue → HBaseThrift Yes Yes
Hue → Sqoop2 Yes Yes
Hue → HttpFS Yes Yes
Hue → HiveServer2 Yes Yes Yes Yes
KSQL KSQL → MapR Event Store For Apache Kafka (Java client)
KSQL → Kafka Streams
Kafka Streams Kafka Streams → MapR Event Store For Apache Kafka (Java client)
MapR Object Store MapR Object StoreMapR Filesystem (via POSIX client) Yes Yes
MapR Object StoreMapR Event Store For Apache Kafka (via librdkafka) Yes
MapR Object StoreMapR Object Store (self-managed via credentials file) Yes
Oozie Oozie client, REST API, Hue → Oozie Server Yes Yes Yes Yes
Oozie Server → Spark/Sqoop Yes Yes Yes
Oozie Server → Beeline-HS2 Yes Yes Yes Yes
Oozie Server → Hive Yes Yes Yes
Spark Web clients → Spark Component UI Yes
Spark Driver → Executor When running Spark-on-YARN, Driver-To-Executor communication is through YARN (Hadoop protocol), so it is fully secured.
Spark Job Using Connector → MapR Database Yes
Spark Job Using Connector → MapR Event Store For Apache Kafka Yes Yes
Sqoop 2 REST API, Hue, Sqoop 2 Client → Sqoop 2 Server Yes Yes Yes Yes
YARN REST/Browser → RM/JHS/ATS Yes Yes
Internal communication (RM/NM/JHS) Yes Yes
Containers → YARN Services (RM/NM) Yes Yes
Timeline Server Yes Yes

1Includes a FUSE POSIX client, YARN client, and other client components.