MapR 5.0 Documentation : Security Overview

Authentication in MapR

The core component of user authentication in MapR is the ticketA ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. Tickets are used to establish sessions between a user and the cluster.

MapR supports two methods of authenticating a user and generating a ticket: a username/password pair and Kerberos. Both of these methods are mediated by the maprlogin utility. When you authenticate with a username/password pair, the system verifies credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.

MapR tickets contain the following information:

  • UID (generated from the UNIX user ID)
  • GIDs (group IDs for each group the user belongs to)
  • ticket creation time
  • ticket expiration time (by default, 14 days)
  • renewal expiration time (by default, 30 days from date of ticket creation)

A MapR ticket determines the user's identity and the system uses the ticket as the basis for authorization decisions. A MapR cluster with security features enabled does not rely on the client-side operating system identity.

The Security Architecture section discusses the implementation details of these authentication methods.

Authorization in MapR

MapR supports Hadoop Access Control Lists (ACLs) for regulating user privileges to the job queue and cluster. MapR extends the ACL concept to cover volumes, a logical storage construct unique to the MapR filesystem. The Enterprise Database Edition license level of MapR provides MapR tables, which are stored natively on the file system. Authorization for MapR tables is managed by Access Control Expressions (ACEs), a list of logical statements that intersect to define a set of users and the privileges those users are authorized to perform. The MapR filesystem also supports standard POSIX filesystem permission levels.

The Configuring MapR Security section contains procedures for setting up and modifying ACLs and ACEs for the cluster, the volumes on the cluster, the job queue, and the natively stored MapR tables.

Encryption Used by MapR

MapR uses several technologies to protect network traffic:

  • The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol secures several channels of HTTP traffic.

  • In compliance with the NIST standard, the Advanced Encryption Standard in Galois/Counter Mode (AES/GCM) secures several communication channels between cluster components.

  • Kerberos encryption secures several communication paths elsewhere in the cluster.

The Security Architecture section includes details on the specific technologies used by particular elements of a cluster.

Nodes with CPUs that support AES encryption at the hardware level will provide superior performance on encryption tasks. You can determine if a node's CPU supports the AES instruction set by running the following command:

$ cat /proc/cpuinfo | grep flags | grep aes

Impersonation in MapR

Impersonation, also known as identity assertion, is one user (the mapr super user) accessing data and submitting jobs on behalf of another user. Impersonation in MapR allows centralized control of access to resources in the MapR-FS, MapR-DB, and HBase systems.

Implementing impersonation provides authoritative, end-to-end security for your MapR installation, independent of remote authentication and security mechanisms that control user access to application features.

To implement impersonation in MapR, there are both MapR core and ecosystem component requirements that must be met. as well as requirements at the application development level. These requirements are described in Access Control and Impersonation in MapR.

When all other requirements are met, enabling impersonation for the mapr superuser is a simple task.

Auditing in MapR

The auditing features in MapR let you log audit records of cluster-administration operations and operations on directories, files, and tables.

Auditing creates audit records of maprcli commands, REST API calls, and other actions performed on a cluster through the MapR Control System (MCS).

Auditing records many different types of operations on directories, files, and MapR-DB tables in log files in various locations in your MapR cluster. You can then process the information in these log files with Apache Drill or other tools. For an overview of how auditing works and the wide variety of ways you can use auditing, see Auditing of Cluster Administration and Operations on Directories, Files, and Tables.

Special guidance is provided for using auditing in cluster administration or file system and table operations, and a reference for the status codes that can appear in audit log files helps interpret auditing messages.