Security

Securing enterprise data is critical. To make securing data in clusters easy, the MapR Data Platform has a data protection scheme built directly into the platform which is enabled by default, simplifying the process of protecting critical data. You can take advantage of the default security settings, or you can implement data security manually. Either way, it is important to identify which data to secure.

Since data must be shared between nodes on the cluster, data transmissions between nodes and from the cluster to the client are vulnerable to interception. Networked computers are also vulnerable to attacks where an intruder successfully pretends to be another authorized user and then acts improperly as that user. Additionally, networked machines share the security vulnerabilities of a single node. The MapR Data Platform supports the ability to apply protection directly as data enters and exits the platform. You do not need to apply an external management server or particular security plug-in.

Secure by Default

MapR, which includes the MapR Data Platform and MEP components, is secure out-of-the-box on all new installations, ensuring all network connections require authentication and all data in motion is protected with wire-level encryption. MapR provides the ability to apply security protection directly for data as it comes into and out of the platform without requiring an external security manager server or a particular security plug-in for each ecosystem component. The security semantics are applied automatically on data being retrieved or stored by any ecosystem component, application, or users.

Platform-Based Security

The MapR Data Platform applies security semantics automatically as data is being stored and retrieved from the platform. It supports all four pillars of security (authentication, authorization, auditing, and encryption), using platform-level capabilities that do not require external security tools or plugins.

Encryption
On the MapR Data Platform, data is protected by encrypting all data being transmitted over the wire and encrypting all data that is stored in the platform.

The following sections describe MapR's security capabilities and security architecture.

Security Capabilities

A secure MapR environment is predicated on authentication, authorization, auditing, and encryption capabilities. You can use policy-based security to classify and manage these capabilities.

Authentication

Restricting access to a specified set of users.

Robust authentication prevents third parties from representing themselves as legitimate users. MapR supports a wide range of authentication mechanisms depending on the network transport which includes MapR tickets, kerberos, Pluggable Access Module (PAM), Basic Authentication, MapRSASL, and SPNEGO.

See Configuring Authentication for more information.

Authorization

Restricting an authenticated user's capabilities on the system.

MapR provides sophisticated authorization controls to ensure that users can perform only the activities for which they have permissions, such as data access, job submission, cluster administration, etc. These permissions can be granted by an administrator through the browser-based MapR Control System (MCS) management and monitoring interface or command-line utilities.

See Managing Access Controls for more information.

Auditing

Logging audit records of operations.

MapR allows you to log audit records of cluster-administration operations and operations on directories, files, and tables.

See Managing Auditing for more information.

Encryption

Restricting an external party's ability to read data.

Encryption is used to avoid exposure to breaches, such as packet sniffing and theft of storage devices. In a secure MapR cluster, data transmission between nodes and between a MapR cluster and ecosystem application is encrypted, preventing an attacker with access to that communication from gaining information about the contents of the transmission. Optionally, you can enable encryption for data at rest to prevent unauthorized users from accessing sensitive data, and it also protects against data theft through sector-level disk access.

Data is protected by encrypting all data being transmitted over the wire and optionally encrypting all that is stored on the MapR platform. MapR’s data encryption scheme is built directly into the platform and is enabled by default.

See Managing Encryption for MapR Core for more information.

Security Architecture

MapR provides the following authentication and authorization functionality:

Filesystem permissions
For files and directories on the MapR cluster, you can leverage standard Unix-style permissions to grant access to authorized users. Since MapR Filesystem is a POSIX-like file system, you can set user permissions as you would on any other Linux system. See Setting MapR Filesystem Permissions for more information.
Cluster, volume, and job queue Access Control Lists (ACLs)
You can specify the actions that a given user can perform on each of these cluster elements. You can use access control lists (ACLs) to grant permissions for performing administrative tasks at both the cluster and the volume level. See Managing Access Control Lists for more information.
Access Control Expressions for filesystem and natively stored MapR Database tables
ACEs control which files, directories, volumes, streams, and tables users or groups can access. ACEs are a powerful and flexible mechanism to grant permissions on structured and unstructured data. See Managing Access Control Expressions for more information.
Impersonation for centralized control of access to resources

Impersonation, also known as identity assertion, is one user accessing data and submitting jobs on behalf of another user. See Managing Impersonation for more information.

What to do Next

MapR’s secure-by-default data platform provides security through a single option in the MapR Installer or by running the configure.sh script with the -secure option after a manual installation. You can enable security on your cluster using the procedure described in the following:

After enabling security, optionally, you can do the following: