Security Features in Apache HBase –
An Operator’s Guide
Anoop Sam John, Andrew Purtell, Ramkrishna S. Vasudevan
Committers and PMC Members, Apache HBase, Apache Software Foundation
Big Data US Research And Development, Intel
v5
Outline
• New Security Features in Apache HBase 0.98
• Controlling Access To Data
– Role-Based Access Control Using Groups and ACLs
– Role-Based Access Control Using Labels
– Attribute-Based Access Control Using Labels
• Preventing Data Leaks
– Transparent Encryption
• Performance Considerations
New Security Features in Apache HBase 0.98
Cell Tags
• All values written to HBase are stored in cells
• Cells can now also carry an arbitrary number of tags
– Metadata, considered distinct from the key and the value
– Compressed when persisted to HFiles
– Server side only
• Clients cannot get or send cells with tags directly
• Tags will be correctly replicated if cross-cluster replication is enabled
Cell ACLs (HBASE-7662)
• Extends the existing HBase ACL model with support for persisting
and checking per-cell ACL data in tags
– (R)ead, (W)rite, E(X)ecute, (A)dmin, (C)reate
– Namespace → Table →
Column Family → Cell
• Backwards compatible with
existing installs and code
• Uses existing facilities (operation
attributes) to carry cell ACLs to
supporting servers
Cell ACLs (HBASE-7662)
• Cell ACLs are scoped to the same point in time as the cell itself
– Simple and straightforward evolution of security policy over time without
expensive updates
• We require that mutations have covering permission
– The union of the user’s table perms, CF perms, and perms in the most
recent visible[1] version, if the value already exists, must allow the
pending mutation in order for it to be applied
– For Deletes, in addition, all visible prior versions covered by the Delete
must allow the Delete
– Delete semantics are being refined
• Complex Deletes may be rejected; just resubmit as simpler ops
• Improved in 0.98.2, likely fully resolved in 0.98.3
1. Visible is defined here as not covered already by a committed delete marker
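The covering-permission rule above is easier to reason about on concrete state. The following is an added example, not HBase's AccessController code: it models a table with table-level, column-family-level and per-cell grants (permission letters as on the slide), applies the union rule to Puts, and applies the stricter "every covered visible version must allow it" rule to Deletes. The policy in `demo()` is a simplified version of the one the deck uses later (the service account owns the table, `dev` has a CF grant on `pii` instead of a cell grant, `testuser` gets only what cell ACLs give it); those names and grants are constructed for the example.

```python
"""Covering-permission check for cell ACLs (added example; it models the rule
the slides state and is not HBase's AccessController code).

Permission letters follow the slides: (R)ead, (W)rite, e(X)ecute, (A)dmin,
(C)reate.  A mutation is applied only if the union of the user's table perms,
column-family perms and the perms in the most recent *visible* version of the
cell (when one exists) allows it; a Delete must in addition be allowed by every
visible version it covers.  "Visible" means not already covered by a committed
delete marker.
"""
from collections import namedtuple

# One stored version of a cell. acl maps user -> permission letters granted by
# the cell ACL tag; deleted marks versions covered by a committed delete marker.
Version = namedtuple("Version", "ts value acl deleted")


class AclTable:
    def __init__(self, table_acl, cf_acl):
        self.table_acl = table_acl   # user -> perms granted at table scope
        self.cf_acl = cf_acl         # column family -> {user -> perms}
        self.cells = {}              # (row, cf, qualifier) -> [Version], newest first

    def _scope_perms(self, user, cf):
        """Table-level and CF-level grants (the cheap, cacheable part)."""
        return set(self.table_acl.get(user, "")) | set(self.cf_acl.get(cf, {}).get(user, ""))

    def _visible(self, row, cf, qual):
        return [v for v in self.cells.get((row, cf, qual), []) if not v.deleted]

    @staticmethod
    def _covers(base_perms, version, user, action="W"):
        """Union of scope perms and this version's cell ACL must allow the action."""
        return action in base_perms | set(version.acl.get(user, ""))

    def put(self, user, row, cf, qual, value, ts, cell_acl=None):
        """Returns True if the Put was applied, False if rejected."""
        base = self._scope_perms(user, cf)
        visible = self._visible(row, cf, qual)
        allowed = self._covers(base, visible[0], user) if visible else "W" in base
        if not allowed:
            return False
        versions = self.cells.setdefault((row, cf, qual), [])
        versions.append(Version(ts, value, dict(cell_acl or {}), False))
        versions.sort(key=lambda v: v.ts, reverse=True)
        return True

    def delete(self, user, row, cf, qual, ts):
        """Delete every visible version with timestamp <= ts; all must allow it."""
        base = self._scope_perms(user, cf)
        visible = self._visible(row, cf, qual)
        if visible:
            if not self._covers(base, visible[0], user):
                return False
            if not all(self._covers(base, v, user) for v in visible if v.ts <= ts):
                return False
        elif "W" not in base:
            return False
        key = (row, cf, qual)
        self.cells[key] = [v._replace(deleted=True) if v.ts <= ts else v
                           for v in self.cells.get(key, [])]
        return True


def demo():
    """Constructed walk-through: the service account owns the table, dev has a
    CF grant on pii, testuser has no table/CF grant on pii at all."""
    t = AclTable(table_acl={"service": "RWXCA"},
                 cf_acl={"i": {"dev": "RW", "testuser": "RW"}, "pii": {"dev": "RW"}})
    r = {}
    # service writes the card number and grants testuser read-only on that cell
    r["service_put"] = t.put("service", "test1", "pii", "cc", "4111", 1, {"testuser": "R"})
    r["testuser_put_readonly_cell"] = t.put("testuser", "test1", "pii", "cc", "0000", 2)
    r["dev_put_via_cf_grant"] = t.put("dev", "test1", "pii", "cc", "5555", 2, {"testuser": "RW"})
    # newest visible version now grants testuser W, so its Put is covered
    r["testuser_put_after_rw_cell"] = t.put("testuser", "test1", "pii", "cc", "0000", 3, {"testuser": "RW"})
    # the Delete would also cover ts=1, which grants testuser only R -> rejected
    r["testuser_delete_all_versions"] = t.delete("testuser", "test1", "pii", "cc", 3)
    r["dev_delete_all_versions"] = t.delete("dev", "test1", "pii", "cc", 3)
    # nothing visible remains, so only table/CF grants count again
    r["testuser_put_after_delete"] = t.put("testuser", "test1", "pii", "cc", "0000", 4)
    return r
```

The rejected Delete is the case the slide warns about: a Delete spanning several versions is only as permitted as its least-permissive covered version, so resubmitting it as narrower operations (or having a CF-level grantee do it) is the way out.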
Cell Labels (HBASE-7663)
• Visibility expression support via a new security coprocessor
– Labels: arbitrary strings
– Expressions: Labels joined in boolean expressions
– Operators: &, |, !, ( )
secret
secret | topsecret
( secret | topsecret ) & !probationary
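To make the label semantics concrete, here is an added example (not HBase's VisibilityController code) that parses expressions in the syntax above and filters a constructed set of cells against a request's authorization set, the way the server filters Scan results. Operator precedence is this example's assumption (`!` binds tightest, then `&`, then `|`); the slides parenthesize every mixed expression, which is the safe habit regardless.

```python
"""Evaluator for HBase-style visibility expressions (added example, not HBase code).

Labels are arbitrary strings joined by &, |, ! and parentheses.  A cell is
returned to a request iff its expression is true for the set of auths the
server built for that request.  Precedence assumed here: ! > & > |.
"""
import re

_TOKEN = re.compile(r"\s*(?:(\()|(\))|(&)|(\|)|(!)|([^\s()&|!]+))")
_OPERATORS = {"(", ")", "&", "|", "!"}


def tokenize(expr):
    """Split an expression into operator and label tokens."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            if expr[pos:].strip() == "":
                break                      # only trailing whitespace left
            raise ValueError(f"bad character at {pos}: {expr[pos]!r}")
        pos = m.end()
        tokens.append(m.group(m.lastindex))
    return tokens


class _Parser:
    """Recursive-descent evaluator; evaluates while parsing."""

    def __init__(self, tokens, auths):
        self.toks, self.i, self.auths = tokens, 0, auths

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "|":
            self.take()
            rhs = self.and_expr()          # always parse the right side
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "&":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in _OPERATORS:
            raise ValueError(f"unexpected token {tok!r}")
        return tok in self.auths           # a label is true iff the request holds it


def is_visible(expr, auths):
    """True iff a cell labelled with `expr` is returned to a request carrying `auths`."""
    p = _Parser(tokenize(expr), set(auths))
    result = p.or_expr()
    if p.peek() is not None:
        raise ValueError(f"trailing input at token {p.i}")
    return result


def filter_scan(cells, auths):
    """Server-side filtering: keep cells whose expression holds for the effective
    auths.  cells are (row, column, value, expression); an empty expression means
    the cell carries no visibility tag and is always returned."""
    return [c for c in cells if not c[3] or is_visible(c[3], auths)]


# Constructed sample cells for the deck's 'user' table.
SAMPLE_CELLS = [
    ("u1", "i:nick", "alice", "admin|service|developer"),
    ("u1", "pii:cc", "4111-xxxx", "admin|service"),
    ("test1", "i:nick", "tester", "admin|service|developer|test"),
    ("u2", "i:nick", "bob", "(secret|topsecret)&!probationary"),
]
```

Usage: `filter_scan(SAMPLE_CELLS, {"test"})` returns only the `test1` cell, and `filter_scan(SAMPLE_CELLS, {"service"})` returns the three role-labelled cells; malformed expressions such as `secret &` raise `ValueError` rather than silently evaluating, which is the behaviour you want from anything that gates data.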
Cell Labels (HBASE-7663)
• New admin APIs and new shell commands for label management
• The universe of labels and the maximal set of labels for a user are
defined up front
• Users label cells using visibility expressions
• Other users ask for authorizations on Gets and Scans
• We build a user’s effective set of authorizations per request in a
pluggable way on the server
• Scan results are filtered according to the user’s effective
authorizations
• VisibilityController and AccessController can be used together
Transparent Encryption (HBASE-7544)
• Transparent encryption of HBase on disk data
– HFile blocks are encrypted as written and decrypted as read
– Write ahead log (WAL) serialization is pluggable; we provide new
secure writers and readers that encrypt and decrypt edits
• Built on a new extensible cryptographic codec and key management
framework in HBase
• Simple key management
– Default provider integrates with the Java Keystore
• Per column family configuration
– Supports schema design that places sensitive information in only a
subset of column families
Transparent Encryption (HBASE-7544)
Endpoint EXEC Grants (HBASE-6104)
• HBase ACLs grant a familiar set of privileges to users and groups:
– (R)ead, (W)rite, E(X)ecute, (C)reate, (A)dmin
• Versions prior to 0.98.0 ignored X
• Now access to coprocessor Endpoint invocations can be controlled
on a global, per-table, or per-column family basis
Controlling Access To Data
Our Example Schema
• A simple user information table
Row Key | Column Family: i | Column Family: pii
uid     | i:fullname       | pii:address
        | i:nick           | pii:phone
        |                  | pii:cc
        |                  | pii:cvv2
        |                  | pii:expdate
> create 'user',
  { NAME => 'i', COMPRESSION => 'snappy', VERSIONS => 10 },
  { NAME => 'pii', COMPRESSION => 'snappy', VERSIONS => 10 }
Our Example Security Policy
• Column family: i
Our Example Security Policy
• Column family: pii
Getting Started
• Enable HFile V3
– hfile.format.version=3
• Enable SASL+Kerberos authentication
– RPC: Follow the steps in section 8.1 of the online manual:
https://hbase.apache.org/book/security.html
– ZooKeeper: Follow the steps in section 17.2 of the online manual:
https://hbase.apache.org/book/zk.sasl.auth.html
• Install security coprocessors
– hbase.coprocessor.region.classes=
org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController,
org.apache.hadoop.hbase.security.token.TokenProvider
Getting Started
– hbase.coprocessor.master.classes=
org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController
– hbase.coprocessor.regionserver.classes=
org.apache.hadoop.hbase.security.access.AccessController
• Enable Endpoint exec permission checks
– hbase.security.exec.permission.checks=true
• [Optional] Enable transport security
– hbase.rpc.protection=auth-conf
Role-Based Access Control
Using the Hadoop Group Mapping Service and ACLs
• Map each role in the organization to a LDAP entity
– Employee ->
• cn=user, member: ou=users,dc=groups, dc=example,dc=org
– Developer ->
• cn=developer, member: ou=developers,dc=groups,dc=example,dc=org
– Test User Account ->
• cn=testuser, member: ou=users,dc=example,dc=org
– Service Account ->
• cn=service, member: ou=services,dc=example,dc=org
– Admin ->
• cn=manager,dc=example,dc=org
Role-Based Access Control
Using the Hadoop Group Mapping Service and ACLs
• Set up the Hadoop group mapper (core-site.xml)
– hadoop.security.group.mapping=
org.apache.hadoop.security.LdapGroupsMapping
– hadoop.security.group.mapping.ldap.url=…
– hadoop.security.group.mapping.ldap.bind.user=…
– hadoop.security.group.mapping.ldap.search.filter.user=
(& (|(objectclass=person)(objectclass=applicationProcess))(cn={0}))
– hadoop.security.group.mapping.ldap.search.filter.group=
(objectclass=groupofnames)
– hadoop.security.group.mapping.ldap.search.attr.member=member
– hadoop.security.group.mapping.ldap.search.attr.group.name=cn
Role-Based Access Control
Using the Hadoop Group Mapping Service and ACLs
• Confirm the configuration is working correctly
hbase> whoami
service (auth:KERBEROS)
groups: services
Role-Based Access Control
Using the Hadoop Group Mapping Service and ACLs
• Grant permissions to groups and service and test accounts
hbase> grant '@admins', 'RWXCA'
hbase> grant 'service', 'RWXCA', 'user'
hbase> grant '@developers', 'RW', 'user', 'i'
hbase> grant 'testuser', 'RW', 'user', 'i'
hbase> grant 'user', 
{ '@developers' => 'RW', 'testuser' => 'R' }, 
{ COLUMNS => 'pii', FILTER => "(PrefixFilter ('test'))" }
Note: Cell grants done by the shell apply to existing cells only. This is useful for testing. In practice applications must add the
desired cell ACL to the operation when submitting writes.
Role-Based Access Control
Using Labels
• Define labels corresponding to roles in the security policy
admin
service
test
developer
Role-Based Access Control
Using Labels
• Express access rules as visibility expressions
admin | service
admin | service | test
admin | service | developer
admin | service | developer | test
• Define labels
hbase> add_labels [ 'admin', 'service', 'developer', 'test' ]
Role-Based Access Control
Using Labels
• Assign one or more roles to each user by associating their principal
with a label set
hbase> set_auths 'service', [ 'service' ]
hbase> set_auths 'testuser', [ 'test' ]
hbase> set_auths 'manager', [ 'admin' ]
hbase> set_auths 'dev', [ 'developer' ]
hbase> set_auths 'qa', [ 'test', 'developer' ]
hbase> …
Role-Based Access Control
Using Labels
• Apply appropriate visibility expressions to cells
hbase> set_visibility 'user', 'admin|service|developer', 
{ COLUMNS => 'i' }
hbase> set_visibility 'user', 'admin|service',
{ COLUMNS => 'pii' }
hbase> set_visibility 'user', 'admin|service|developer|test',
{ COLUMNS => [ 'i', 'pii' ], 
FILTER => "(PrefixFilter ('test'))" }
Note: Visibility expressions added to cells by the shell apply to existing cells only. This is useful for testing. In practice
applications must add the desired visibility expression to the operation when submitting writes.
Attribute-Based Access Control
• We can construct the effective authorization set for a user in a
pluggable and stackable way
[Diagram: the authorization chain, each stage pluggable]
– Retrieves principal for user
– Maps principal to group names
– Imports auths from request
– Enforces minimum auths
– Auths table
– Directory ← maps identity attributes to auths
Attribute-Based Access Control
• LDAP plugin can mix in auths corresponding to attributes of the
subject’s identity
– Expected soon in 0.98 (maybe 0.98.4)
Query (against the Directory):
(&(objectClass=person)(userPrincipalName={0}))
Attribute Mapping, one rule per line as <attribute>: <regex> → <auth>:
memberOf: .+ -> $1
division: .+ -> $1
department: .+ -> $1
employeeID: P[0-9]+ -> probationary
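The mapping table above is a small rule language; the following added example (not the planned HBase plugin, which the slide says is still to come) parses rules in that notation, applies them to constructed directory entries, and stacks the result with the auths a request asked for. The rule format is the slide's; the `memberOf` rule is adjusted to capture only the group `cn` so that group names rather than whole DNs become labels, and the stacking policy in `effective_auths` (request auths limited to the user's pre-assigned set, plus directory-derived auths) is this example's assumption.

```python
"""Attribute-based authorizations (added example, not HBase code).

Rules of the form "<attribute>: <regex> -> <auth>" map a directory entry's
attributes to visibility auths.  "$1" means the first capture group (or the
whole value when the pattern has no group); any other right-hand side is a
literal auth name.
"""
import re

# Rules in the slide's notation; memberOf adjusted to capture the group cn.
RULES_TEXT = """
memberOf: cn=([^,]+),.* -> $1
division: .+ -> $1
department: .+ -> $1
employeeID: P[0-9]+ -> probationary
"""


def parse_rules(text):
    """Parse rule lines into (attribute, compiled regex, auth template) tuples."""
    rules = []
    for line in text.strip().splitlines():
        attr, rest = line.split(":", 1)
        pattern, auth = rest.rsplit("->", 1)
        rules.append((attr.strip(), re.compile(pattern.strip()), auth.strip()))
    return rules


def directory_auths(entry, rules):
    """Auths derived from one directory entry ({attribute: [values]}, as an
    LDAP search result returns multi-valued attributes)."""
    auths = set()
    for attr, pattern, auth in rules:
        for value in entry.get(attr, []):
            m = pattern.fullmatch(value)
            if m is None:
                continue
            if auth == "$1":
                auths.add(m.group(1) if m.groups() else m.group(0))
            else:
                auths.add(auth)
    return auths


def effective_auths(requested, assigned, entry, rules):
    """Assumed stacking policy: a request may only use auths assigned to the
    user up front (set_auths), plus whatever its directory attributes add."""
    return (set(requested) & set(assigned)) | directory_auths(entry, rules)


# Constructed sample entries: an established developer and a probationary hire.
SAMPLE_DIRECTORY = {
    "dev": {"memberOf": ["cn=developers,ou=groups,dc=example,dc=org"],
            "division": ["engineering"], "employeeID": ["E1001"]},
    "newhire": {"memberOf": ["cn=developers,ou=groups,dc=example,dc=org"],
                "division": ["engineering"], "employeeID": ["P2002"]},
}
ASSIGNED = {"dev": {"developer"}, "newhire": {"developer"}}   # as set_auths would record


def demo():
    """Both users ask for 'developer' and 'admin'; only the former is assigned."""
    rules = parse_rules(RULES_TEXT)
    return {user: effective_auths(["developer", "admin"], ASSIGNED[user], entry, rules)
            for user, entry in SAMPLE_DIRECTORY.items()}
```

With these rules the new hire ends up carrying `probationary`, so an expression such as `developer&(!probationary)` on a cell hides it from that user while the established developer still sees it, without any per-user label administration.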
Attribute-Based Access Control
Using Labels
• Apply appropriate visibility expressions to cells
hbase> set_visibility 'user', 
'admin|service|(developer&(!probationary))', 
{ COLUMNS => 'i' }
hbase> set_visibility 'user', 'admin|service',
{ COLUMNS => 'pii' }
hbase> set_visibility 'user', 
'admin|service|((developer|test)&(!probationary))', 
{ COLUMNS => [ 'i', 'pii' ], 
FILTER => "(PrefixFilter ('test'))" }
Attribute-Based Access Control
Using ACLs
• An area of future work
– We could consider a HBase provided replacement for the Hadoop
Group Mapper that also supports mapping object attributes to strings
– For the VisibilityController, the mapped strings would be interpreted as
auths (see slide #27)
– For the AccessController, the mapped strings could be interpreted as
group names
– See HBASE-10919[1] or raise a discussion on user@hbase.apache.org
1. https://issues.apache.org/jira/browse/HBASE-10919
Preventing Data Leaks
Protecting Data At Rest
• HBase is deployed into a layered system
• Incorrect handling of permissions or storage volumes at the HDFS
layer or below could expose sensitive information
[Diagram: deployment layers, top to bottom: Apache HBase (Master, Master (Standby), RegionServers) over Apache ZooKeeper (ZooKeeper ensemble) over the Apache Hadoop Distributed File System (HDFS) (DataNodes)]
Getting Started
• Create the cluster master key in a KeyStore file
$ keytool -keystore hbase.jks -storetype jceks -genseckey \
-keyalg AES -keysize 128 -storepass secret \
-alias hbase-master-default
• Deploy the KeyStore file to all site configuration directories and
restrict local access to it
$ chown hbase:hbase hbase.jks
$ chmod 0600 hbase.jks (-rw-------)
• Enable HFile V3
– hfile.format.version=3
Getting Started
• Set up key provider configuration for KeyStore files
– hbase.crypto.keyprovider=
org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider
– hbase.crypto.keyprovider.parameters=
jceks:///path/to/hbase/conf/hbase.jks?password=secret
– hbase.crypto.master.key.name=hbase-master-default
• Restrict local access to the site file
$ chown hbase:hbase hbase-site.xml
$ chmod 0600 hbase-site.xml (-rw-------)
• The KeyStore password need not be embedded in the site file
– Use ?passwordFile=/path/to/password/file and protect that instead
Getting Started
• Enable WAL encryption
– hbase.crypto.wal.key.name=hbase-master-default
– hbase.regionserver.hlog.reader.impl=
org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader
– hbase.regionserver.hlog.writer.impl=
org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter
– hbase.regionserver.wal.encryption=true
WAL encryption is configured separately from HFile encryption to enable
storage management with tiered sensitivity
• (JRE 8+) Enable AES-NI acceleration features
– Add to hbase-env.sh: -XX:+UseAES -XX:+UseAESIntrinsics
Transparent Encryption
• Segregate sensitive information into one or a few column families
with HFile encryption enabled
– We are storing sensitive personally identifiable customer information in
the “pii” family
– Enable encryption on “pii” only to mitigate performance impact
– After changing the schema, run a major compaction to ensure all files are
(eventually) transformed
hbase> disable 'user'
hbase> alter 'user', { NAME => 'pii',
COMPRESSION => 'snappy', 
ENCRYPTION => 'aes' }
hbase> enable 'user'
hbase> major_compact 'user'
Row Key | Column Family: i | Column Family: pii (ENCRYPTION => 'aes')
uid     | i:fullname       | pii:address
        | i:nick           | pii:phone
        |                  | pii:cc
        |                  | pii:cvv2
        |                  | pii:expdate
Transparent Encryption
• Data key management
– RegionServers retrieve and unwrap CF keys from descriptors as
needed to encrypt HFiles
– The data key for a CF can be modified at any time by the admin
• Or, encryption can be enabled and disabled entirely
• CF encryption is completely reversible!
– HFiles contain the data key used for encryption, wrapped (encrypted) by
the master key
• Supports incremental rekeying without expensive IO or downtime
– Simply trigger major compaction to normalize encryption and data
keying state over the entire CF
• Can be done on a region by region basis with a HBase shell script
Transparent Encryption
• Master key rotation
– Should be an infrequent operation; an attacker able to observe even all
schema and HFiles gains very little information about the master key over time
– Store a copy of the current master key with an alternate alias e.g.
“hbase-master-alt”
– Replace the master key with a new one
– Update site file
• hbase.crypto.master.alternate.key.name=hbase-master-alt
– Do a rolling restart of all HBase server processes
– Trigger a major compaction and wait for completion
– Remove the old master key from the KMS and remove alt alias from site
– Do another rolling restart of all HBase server processes
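The rotation procedure above works because each HFile carries its data key wrapped by the master key, and a RegionServer can fall back to the alternate alias while compaction re-wraps everything. The following is an added example that models that state machine, not HBase's own `Encryption`/`KeyProvider` code. HBase wraps keys with AES; to stay on the Python standard library this example substitutes a toy keystream cipher (HMAC-SHA256 keystream XOR, with an HMAC tag so a wrong master key is detected rather than yielding garbage). The key aliases and configuration names are the slide's; the HFile records and keystore contents are constructed.

```python
"""Data-key wrapping and master key rotation, modelled after the slides
(added example, not HBase code).  Each HFile stores its column family's data
key wrapped by the master key; while a rotation is in progress the server
falls back to the alternate alias named by
hbase.crypto.master.alternate.key.name.  The cipher here is a toy stand-in
for the AES wrapping HBase actually uses.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(master_key, data_key):
    """Returns nonce || (data_key XOR keystream) || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(master_key, nonce, len(data_key))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(master_key, wrapped):
    """Returns the data key, or None when this master key did not produce the wrap."""
    nonce, ct, tag = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:-TAG_LEN], wrapped[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(master_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def resolve_data_key(keystore, conf, wrapped):
    """What a RegionServer does when opening an HFile: try the configured
    master key first, then the alternate alias if one is configured."""
    for conf_key in ("hbase.crypto.master.key.name", "hbase.crypto.master.alternate.key.name"):
        alias = conf.get(conf_key)
        if alias in keystore:
            dk = unwrap_key(keystore[alias], wrapped)
            if dk is not None:
                return dk, alias
    raise KeyError("no configured master key unwraps this HFile's data key")


def begin_rotation(keystore, conf):
    """Slide steps 2-4: copy the current key to an alt alias, point the site
    setting at it, then replace the key under the master alias."""
    current = conf["hbase.crypto.master.key.name"]
    keystore["hbase-master-alt"] = keystore[current]
    conf["hbase.crypto.master.alternate.key.name"] = "hbase-master-alt"
    keystore[current] = os.urandom(16)


def major_compact(keystore, conf, hfiles):
    """Compaction rewrites every HFile, re-wrapping its data key under the
    key now stored under the master alias."""
    new_master = keystore[conf["hbase.crypto.master.key.name"]]
    for hf in hfiles:
        dk, _ = resolve_data_key(keystore, conf, hf["wrapped_key"])
        hf["wrapped_key"] = wrap_key(new_master, dk)


def finish_rotation(keystore, conf):
    """Only after compaction completes: drop the old key and the alt setting."""
    del keystore["hbase-master-alt"]
    del conf["hbase.crypto.master.alternate.key.name"]


def demo():
    keystore = {"hbase-master-default": os.urandom(16)}   # stands in for hbase.jks
    conf = {"hbase.crypto.master.key.name": "hbase-master-default"}
    pii_key = os.urandom(16)                               # the 'pii' family's data key
    hfiles = [{"name": f"pii/hfile{i}",
               "wrapped_key": wrap_key(keystore["hbase-master-default"], pii_key)}
              for i in range(3)]
    old_master = keystore["hbase-master-default"]
    begin_rotation(keystore, conf)
    # (rolling restart here) old HFiles stay readable through the alt alias
    mid = resolve_data_key(keystore, conf, hfiles[0]["wrapped_key"])
    major_compact(keystore, conf, hfiles)
    finish_rotation(keystore, conf)
    after = [resolve_data_key(keystore, conf, hf["wrapped_key"]) for hf in hfiles]
    return {
        "mid_rotation_used_alt": mid == (pii_key, "hbase-master-alt"),
        "all_rewrapped_under_new_master": all(a == (pii_key, "hbase-master-default") for a in after),
        "old_master_rejected": unwrap_key(old_master, hfiles[0]["wrapped_key"]) is None,
        "alt_removed": "hbase-master-alt" not in keystore
                       and "hbase.crypto.master.alternate.key.name" not in conf,
    }
```

The ordering matters: calling `finish_rotation` before `major_compact` completes would leave HFiles whose wrapped key no configured alias can open, which is why the slide has you wait for compaction before removing the old key and alt alias.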
Key Providers
• Any Key Management System with a Java KeyStore provider can be
supported by the KeyStoreKeyProvider
• Or natively, via custom HBase KeyProviders
• Update site configuration
hbase.crypto.keyprovider
hbase.crypto.keyprovider.parameters
[Diagram: HBase → KeyStoreKeyProvider → JDK KeyStore provider framework → Thales, Luna, CloudHSM, ...; or HBase → YourKeyProvider (native)]
Cipher Providers
• We support alternate or accelerated ciphers with either:
1. Java Cryptography (JCE) algorithm provider
• Install a signed JCE provider (supporting “AES/CTR/NoPadding”
mode with 128 bit keys)
• Add it with highest preference to the JCE site configuration file
$JAVA_HOME/lib/security/java.security
• Update site configuration
hbase.crypto.algorithm.aes.provider
hbase.crypto.algorithm.rng.provider
2. Custom HBase Cipher implementation
• Start at org.apache.hadoop.hbase.io.crypto.CipherProvider
• Make it available on the server classpath
• Update site configuration
hbase.crypto.cipherprovider
Performance Considerations
WAL Encryption
• Performance implications of WAL encryption
– As measured by HLogPerformanceEvaluation microbenchmark
– Relative differences are what is interesting
– WAL throughput ceiling ~10% lower with 7u45
– ~8% lower with 8u20
• Future mitigation: When HDFS storage tiering capability is in
production, configure separate storage tiers for WAL and HFile data
Test                                            | Throughput (ops/sec) | Total cycles   | Insns per cycle
Oracle Java 1.7.0_45-b18 - None                 | 52658.302            | 8878179986750  | 0.47
Oracle Java 1.7.0_45-b18 - AES WAL encryption   | 48045.834            | 9911748458387  | 0.57
OpenJDK 1.8.0_20-b09 - None                     | 54874.125            | 8662634367005  | 0.46
OpenJDK 1.8.0_20-b09 - AES WAL encryption       | 50659.507            | 9668111259270  | 0.61
Promoting Common ACLs
• When designing security policy for a table, consider that table and
column family level grants are inexpensive compared to cell level
grants
– Table and CF level grants are cached in memory
– Cell level grants require region scanning
• We consider permissions as the union of grants at all levels; a table
or CF grant allows us to early out
• If a user will always be granted permissions at the cell level,
promote their access to a column family or table level grant
End
Questions?
 
Influx db talk-20150415
Influx db talk-20150415Influx db talk-20150415
Influx db talk-20150415Richard Elling
 
8b. Column Oriented Databases Lab
8b. Column Oriented Databases Lab8b. Column Oriented Databases Lab
8b. Column Oriented Databases LabFabio Fumarola
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Fortify aws aurora_proxy_2019_pleu
Fortify aws aurora_proxy_2019_pleuFortify aws aurora_proxy_2019_pleu
Fortify aws aurora_proxy_2019_pleuMarco Tusa
 
Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Cask Data
 
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...Krzysztof Adamski
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise   jun os and ios xr - tacacs+ integrationCisco ise   jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationArunKumar Subbiah
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Azure Resource Manager - Technical Primer
Azure Resource Manager - Technical PrimerAzure Resource Manager - Technical Primer
Azure Resource Manager - Technical PrimerBen Coleman
 
The Design, Implementation and Open Source Way of Apache Pegasus
The Design, Implementation and Open Source Way of Apache PegasusThe Design, Implementation and Open Source Way of Apache Pegasus
The Design, Implementation and Open Source Way of Apache Pegasusacelyc1112009
 

Similaire à Security Features in Apache HBase Guide (20)

Apache Kafka® Security Overview
Apache Kafka® Security OverviewApache Kafka® Security Overview
Apache Kafka® Security Overview
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
 
Hive contributors meetup apache sentry
Hive contributors meetup   apache sentryHive contributors meetup   apache sentry
Hive contributors meetup apache sentry
 
MySQL Quick Dive
MySQL Quick DiveMySQL Quick Dive
MySQL Quick Dive
 
Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop Security
 
Influx db talk-20150415
Influx db talk-20150415Influx db talk-20150415
Influx db talk-20150415
 
8b. Column Oriented Databases Lab
8b. Column Oriented Databases Lab8b. Column Oriented Databases Lab
8b. Column Oriented Databases Lab
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Fortify aws aurora_proxy_2019_pleu
Fortify aws aurora_proxy_2019_pleuFortify aws aurora_proxy_2019_pleu
Fortify aws aurora_proxy_2019_pleu
 
CodeIgniter & MVC
CodeIgniter & MVCCodeIgniter & MVC
CodeIgniter & MVC
 
Cache Security- The Basics
Cache Security- The BasicsCache Security- The Basics
Cache Security- The Basics
 
Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?Webinar: What's new in CDAP 3.5?
Webinar: What's new in CDAP 3.5?
 
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...
BigDataTech 2016 How to manage authorization rules on Hadoop cluster with Apa...
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise   jun os and ios xr - tacacs+ integrationCisco ise   jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integration
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Azure Resource Manager - Technical Primer
Azure Resource Manager - Technical PrimerAzure Resource Manager - Technical Primer
Azure Resource Manager - Technical Primer
 
The Design, Implementation and Open Source Way of Apache Pegasus
The Design, Implementation and Open Source Way of Apache PegasusThe Design, Implementation and Open Source Way of Apache Pegasus
The Design, Implementation and Open Source Way of Apache Pegasus
 

Plus de HBaseCon

hbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
hbaseconasia2017: Building online HBase cluster of Zhihu based on Kuberneteshbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
hbaseconasia2017: Building online HBase cluster of Zhihu based on KubernetesHBaseCon
 
hbaseconasia2017: HBase on Beam
hbaseconasia2017: HBase on Beamhbaseconasia2017: HBase on Beam
hbaseconasia2017: HBase on BeamHBaseCon
 
hbaseconasia2017: HBase Disaster Recovery Solution at Huawei
hbaseconasia2017: HBase Disaster Recovery Solution at Huaweihbaseconasia2017: HBase Disaster Recovery Solution at Huawei
hbaseconasia2017: HBase Disaster Recovery Solution at HuaweiHBaseCon
 
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinteresthbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
hbaseconasia2017: Removable singularity: a story of HBase upgrade in PinterestHBaseCon
 
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程HBaseCon
 
hbaseconasia2017: Apache HBase at Netease
hbaseconasia2017: Apache HBase at Neteasehbaseconasia2017: Apache HBase at Netease
hbaseconasia2017: Apache HBase at NeteaseHBaseCon
 
hbaseconasia2017: HBase在Hulu的使用和实践
hbaseconasia2017: HBase在Hulu的使用和实践hbaseconasia2017: HBase在Hulu的使用和实践
hbaseconasia2017: HBase在Hulu的使用和实践HBaseCon
 
hbaseconasia2017: 基于HBase的企业级大数据平台
hbaseconasia2017: 基于HBase的企业级大数据平台hbaseconasia2017: 基于HBase的企业级大数据平台
hbaseconasia2017: 基于HBase的企业级大数据平台HBaseCon
 
hbaseconasia2017: HBase at JD.com
hbaseconasia2017: HBase at JD.comhbaseconasia2017: HBase at JD.com
hbaseconasia2017: HBase at JD.comHBaseCon
 
hbaseconasia2017: Large scale data near-line loading method and architecture
hbaseconasia2017: Large scale data near-line loading method and architecturehbaseconasia2017: Large scale data near-line loading method and architecture
hbaseconasia2017: Large scale data near-line loading method and architectureHBaseCon
 
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huaweihbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
hbaseconasia2017: Ecosystems with HBase and CloudTable service at HuaweiHBaseCon
 
hbaseconasia2017: HBase Practice At XiaoMi
hbaseconasia2017: HBase Practice At XiaoMihbaseconasia2017: HBase Practice At XiaoMi
hbaseconasia2017: HBase Practice At XiaoMiHBaseCon
 
hbaseconasia2017: hbase-2.0.0
hbaseconasia2017: hbase-2.0.0hbaseconasia2017: hbase-2.0.0
hbaseconasia2017: hbase-2.0.0HBaseCon
 
HBaseCon2017 Democratizing HBase
HBaseCon2017 Democratizing HBaseHBaseCon2017 Democratizing HBase
HBaseCon2017 Democratizing HBaseHBaseCon
 
HBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
HBaseCon2017 Removable singularity: a story of HBase upgrade in PinterestHBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
HBaseCon2017 Removable singularity: a story of HBase upgrade in PinterestHBaseCon
 
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBaseHBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBaseHBaseCon
 
HBaseCon2017 Transactions in HBase
HBaseCon2017 Transactions in HBaseHBaseCon2017 Transactions in HBase
HBaseCon2017 Transactions in HBaseHBaseCon
 
HBaseCon2017 Highly-Available HBase
HBaseCon2017 Highly-Available HBaseHBaseCon2017 Highly-Available HBase
HBaseCon2017 Highly-Available HBaseHBaseCon
 
HBaseCon2017 Apache HBase at Didi
HBaseCon2017 Apache HBase at DidiHBaseCon2017 Apache HBase at Didi
HBaseCon2017 Apache HBase at DidiHBaseCon
 
HBaseCon2017 gohbase: Pure Go HBase Client
HBaseCon2017 gohbase: Pure Go HBase ClientHBaseCon2017 gohbase: Pure Go HBase Client
HBaseCon2017 gohbase: Pure Go HBase ClientHBaseCon
 

Plus de HBaseCon (20)

hbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
hbaseconasia2017: Building online HBase cluster of Zhihu based on Kuberneteshbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
hbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
 
hbaseconasia2017: HBase on Beam
hbaseconasia2017: HBase on Beamhbaseconasia2017: HBase on Beam
hbaseconasia2017: HBase on Beam
 
hbaseconasia2017: HBase Disaster Recovery Solution at Huawei
hbaseconasia2017: HBase Disaster Recovery Solution at Huaweihbaseconasia2017: HBase Disaster Recovery Solution at Huawei
hbaseconasia2017: HBase Disaster Recovery Solution at Huawei
 
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinteresthbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
 
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
 
hbaseconasia2017: Apache HBase at Netease
hbaseconasia2017: Apache HBase at Neteasehbaseconasia2017: Apache HBase at Netease
hbaseconasia2017: Apache HBase at Netease
 
hbaseconasia2017: HBase在Hulu的使用和实践
hbaseconasia2017: HBase在Hulu的使用和实践hbaseconasia2017: HBase在Hulu的使用和实践
hbaseconasia2017: HBase在Hulu的使用和实践
 
hbaseconasia2017: 基于HBase的企业级大数据平台
hbaseconasia2017: 基于HBase的企业级大数据平台hbaseconasia2017: 基于HBase的企业级大数据平台
hbaseconasia2017: 基于HBase的企业级大数据平台
 
hbaseconasia2017: HBase at JD.com
hbaseconasia2017: HBase at JD.comhbaseconasia2017: HBase at JD.com
hbaseconasia2017: HBase at JD.com
 
hbaseconasia2017: Large scale data near-line loading method and architecture
hbaseconasia2017: Large scale data near-line loading method and architecturehbaseconasia2017: Large scale data near-line loading method and architecture
hbaseconasia2017: Large scale data near-line loading method and architecture
 
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huaweihbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
 
hbaseconasia2017: HBase Practice At XiaoMi
hbaseconasia2017: HBase Practice At XiaoMihbaseconasia2017: HBase Practice At XiaoMi
hbaseconasia2017: HBase Practice At XiaoMi
 
hbaseconasia2017: hbase-2.0.0
hbaseconasia2017: hbase-2.0.0hbaseconasia2017: hbase-2.0.0
hbaseconasia2017: hbase-2.0.0
 
HBaseCon2017 Democratizing HBase
HBaseCon2017 Democratizing HBaseHBaseCon2017 Democratizing HBase
HBaseCon2017 Democratizing HBase
 
HBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
HBaseCon2017 Removable singularity: a story of HBase upgrade in PinterestHBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
HBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
 
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBaseHBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
 
HBaseCon2017 Transactions in HBase
HBaseCon2017 Transactions in HBaseHBaseCon2017 Transactions in HBase
HBaseCon2017 Transactions in HBase
 
HBaseCon2017 Highly-Available HBase
HBaseCon2017 Highly-Available HBaseHBaseCon2017 Highly-Available HBase
HBaseCon2017 Highly-Available HBase
 
HBaseCon2017 Apache HBase at Didi
HBaseCon2017 Apache HBase at DidiHBaseCon2017 Apache HBase at Didi
HBaseCon2017 Apache HBase at Didi
 
HBaseCon2017 gohbase: Pure Go HBase Client
HBaseCon2017 gohbase: Pure Go HBase ClientHBaseCon2017 gohbase: Pure Go HBase Client
HBaseCon2017 gohbase: Pure Go HBase Client
 

Dernier

Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 

Dernier (20)

Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 

Security Features in Apache HBase Guide

Cell ACLs (HBASE-7662)
• Cell ACLs are scoped to the same point in time as the cell itself
– Simple and straightforward evolution of security policy over time without
expensive updates
• We require that mutations have covering permission
– The union of the user’s table perms, CF perms, and perms in the most
recent visible[1] version, if the value already exists, must allow the
pending mutation in order for it to be applied
– For Deletes, in addition, all visible prior versions covered by the Delete
must allow the Delete
– Delete semantics are being refined
• Complex Deletes may be rejected; just resubmit as simpler ops
• Improved in 0.98.2, likely fully resolved in 0.98.3
1. Visible is defined here as not covered already by a committed delete marker
Cell Labels (HBASE-7663)
• Visibility expression support via a new security coprocessor
– Labels: arbitrary strings
– Expressions: Labels joined in boolean expressions
– Operators: &, |, !, ( )
  secret
  secret | topsecret
  ( secret | topsecret ) & !probationary
Cell Labels (HBASE-7663)
• New admin APIs and new shell commands for label management
• The universe of labels and the maximal set of labels for a user are defined
up front
• Users label cells using visibility expressions
• Other users ask for authorizations on Gets and Scans
• We build a user’s effective set of authorizations per request in a pluggable
way on the server
• Scan results are filtered according to the user’s effective authorizations
• VisibilityController and AccessController can be used together
Transparent Encryption (HBASE-7544)
• Transparent encryption of HBase on disk data
– HFile blocks are encrypted as written and decrypted as read
– Write ahead log (WAL) serialization is pluggable; we provide new secure
writers and readers that encrypt and decrypt edits
• Built on a new extensible cryptographic codec and key management framework
in HBase
• Simple key management
– Default provider integrates with the Java Keystore
• Per column family configuration
– Supports schema design that places sensitive information in only a subset
of column families
Endpoint EXEC Grants (HBASE-6104)
• HBase ACLs grant a familiar set of privileges to users and groups:
– (R)ead, (W)rite, E(X)ecute, (C)reate, (A)dmin
• Versions prior to 0.98.0 ignored X
• Now access to coprocessor Endpoint invocations can be controlled on a
global, per-table, or per-column family basis
Our Example Schema
• A simple user information table

Row Key   Column Family: i   Column Family: pii
uid       i:fullname         pii:address
          i:nick             pii:phone
                             pii:cc
                             pii:cvv2
                             pii:expdate

hbase> create 'user', { NAME => 'i', COMPRESSION => 'snappy', VERSIONS => 10 },
         { NAME => 'pii', COMPRESSION => 'snappy', VERSIONS => 10 }
Our Example Security Policy
• Column family: i

Our Example Security Policy
• Column family: pii
Getting Started
• Enable HFile V3
– hfile.format.version=3
– Cell tags, and with them cell ACLs and visibility labels, are only persisted
in HFile v3
• Enable SASL+Kerberos authentication
– RPC: Follow the steps in section 8.1 of the online manual:
https://hbase.apache.org/book/security.html
– ZooKeeper: Follow the steps in section 17.2 of the online manual:
https://hbase.apache.org/book/zk.sasl.auth.html
• Install security coprocessors
– hbase.coprocessor.region.classes=
org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController,
org.apache.hadoop.hbase.security.token.TokenProvider

Getting Started
– hbase.coprocessor.master.classes=
org.apache.hadoop.hbase.security.access.AccessController,
org.apache.hadoop.hbase.security.visibility.VisibilityController
– hbase.coprocessor.regionserver.classes=
org.apache.hadoop.hbase.security.access.AccessController
• Enable Endpoint exec permission checks
– hbase.security.exec.permission.checks=true
• [Optional] Enable transport security (SASL quality of protection: authentication,
integrity and confidentiality)
– hbase.rpc.protection=auth-conf
Role-Based Access Control Using the Hadoop Group Mapping Service and ACLs
• Map each role in the organization to an LDAP entity
– Employee -> cn=user, member: ou=users,dc=groups,dc=example,dc=org
– Developer -> cn=developer, member: ou=developers,dc=groups,dc=example,dc=org
– Test User Account -> cn=testuser, member: ou=users,dc=example,dc=org
– Service Account -> cn=service, member: ou=services,dc=example,dc=org
– Admin -> cn=manager,dc=example,dc=org
Role-Based Access Control Using the Hadoop Group Mapping Service and ACLs
• Set up the Hadoop group mapper (core-site.xml)
– hadoop.security.group.mapping=org.apache.hadoop.security.LdapGroupsMapping
– hadoop.security.group.mapping.ldap.url=…
– hadoop.security.group.mapping.ldap.bind.user=…
– hadoop.security.group.mapping.ldap.search.filter.user=
(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))
– hadoop.security.group.mapping.ldap.search.filter.group=(objectclass=groupofnames)
– hadoop.security.group.mapping.ldap.search.attr.member=member
– hadoop.security.group.mapping.ldap.search.attr.group.name=cn
• 20. Role-Based Access Control Using the Hadoop Group Mapping Service and ACLs
  • Confirm the configuration is working correctly
    hbase> whoami
    service (auth:KERBEROS)
        groups: services
• 21. Role-Based Access Control Using the Hadoop Group Mapping Service and ACLs
  • Grant permissions to groups, service accounts and test accounts
    hbase> grant '@admins', 'RWXCA'
    hbase> grant 'service', 'RWXCA', 'user'
    hbase> grant '@developers', 'RW', 'user', 'i'
    hbase> grant 'testuser', 'RW', 'user', 'i'
    hbase> grant 'user', { '@developers' => 'RW', 'testuser' => 'R' }, { COLUMNS => 'pii', FILTER => "(PrefixFilter ('test'))" }
  Note: Cell grants done by the shell apply to existing cells only. This is useful for testing. In practice applications must add the desired cell ACL to the operation when submitting writes.
• 22. Role-Based Access Control Using Labels
  • Define labels corresponding to roles in the security policy
    admin
    service
    test
    developer
• 23. Role-Based Access Control Using Labels
  • Express access rules as visibility expressions
    admin | service
    admin | service | test
    admin | service | developer
    admin | service | developer | test
  • Define labels
    hbase> add_labels [ 'admin', 'service', 'developer', 'test' ]
• 24. Role-Based Access Control Using Labels
  • Assign one or more roles to each user by associating their principal with a label set
    hbase> set_auths 'service', [ 'service' ]
    hbase> set_auths 'testuser', [ 'test' ]
    hbase> set_auths 'manager', [ 'admin' ]
    hbase> set_auths 'dev', [ 'developer' ]
    hbase> set_auths 'qa', [ 'test', 'developer' ]
    hbase> …
• 25. Role-Based Access Control Using Labels
  • Apply appropriate visibility expressions to cells
    hbase> set_visibility 'user', 'admin|service|developer', { COLUMNS => 'i' }
    hbase> set_visibility 'user', 'admin|service', { COLUMNS => 'pii' }
    hbase> set_visibility 'user', 'admin|service|developer|test', { COLUMNS => [ 'i', 'pii' ], FILTER => "(PrefixFilter ('test'))" }
  Note: Visibility expressions added to cells by the shell apply to existing cells only. This is useful for testing. In practice applications must add the desired visibility expression to the operation when submitting writes.
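Added example, not code from the deck or the HBase project: a Java client (0.98 client API) that attaches the slide 21 cell ACL and the slide 25 and slide 28 visibility expressions to the Put itself, as both shell notes say applications must, and then reads the row back presenting a label set. The table 'user', the families 'i' and 'pii', the grantees and the label names come from the slides; the class name, row key and cell values are constructed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.*;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.visibility.Authorizations;
import org.apache.hadoop.hbase.security.visibility.CellVisibility;
import org.apache.hadoop.hbase.util.Bytes;

/** Writes one 'user' row with cell ACLs and visibility labels attached, then reads it back as a developer. */
public class SecureUserWriter {
  // Constructed row key; the 'test' prefix matches the PrefixFilter used by the shell grants on slide 21
  static final byte[] ROW = Bytes.toBytes("test-1001");

  /** Builds a Put for one family; the expression and ACL travel with the write and land on every cell in it. */
  static Put protectedPut(String family, String qualifier, String value, String visibility,
      Map<String, Permission> acl) {
    Put put = new Put(ROW);
    put.add(Bytes.toBytes(family), Bytes.toBytes(qualifier), Bytes.toBytes(value));
    put.setCellVisibility(new CellVisibility(visibility));
    if (acl != null) put.setACL(acl); // map form: one entry per grantee; setACL(user, perm) keeps only one
    return put;
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = HBaseConfiguration.create(); // reads hbase-site.xml from the classpath
    HConnection conn = HConnectionManager.createConnection(conf);
    HTableInterface table = conn.getTable(TableName.valueOf("user"));
    try {
      // Same policy as the slide 21 cell grant and the slide 28 expressions, now set on the write itself
      Map<String, Permission> piiAcl = new HashMap<String, Permission>();
      piiAcl.put("@developers", new Permission(Permission.Action.READ, Permission.Action.WRITE));
      piiAcl.put("testuser", new Permission(Permission.Action.READ));
      table.put(protectedPut("i", "nick", "alice", "admin|service|(developer&(!probationary))", null));
      table.put(protectedPut("pii", "phone", "+1-555-0100", "admin|service", piiAcl)); // constructed value
      // The reader presents its label set; cells whose expression it does not satisfy are simply absent
      Get get = new Get(ROW);
      get.setAuthorizations(new Authorizations("developer"));
      for (Cell c : table.get(get).rawCells())
        System.out.println(Bytes.toString(CellUtil.cloneFamily(c)) + ":" + Bytes.toString(CellUtil.cloneQualifier(c)));
    } finally {
      table.close(); conn.close();
    }
  }
}
```

With only the 'developer' label the Get returns i:nick but not pii:phone, because 'admin|service' is not satisfied by that label set; the AccessController checks still apply on top, so the caller also needs the table, CF or cell read grant from slide 21.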
• 26. Attribute-Based Access Control
  • We can construct the effective authorization set for a user in a pluggable and stackable way
  [Diagram: a stack of pluggable stages that build the authorization set]
    ← Retrieves principal for user
    ← Maps principal to group names
    ← Imports auths from request
    ← Enforces minimum auths
    ← Maps identity attributes to auths
    (data sources shown: Auths table, Directory)
• 27. Attribute-Based Access Control
  • LDAP plugin can mix in auths corresponding to attributes of the subject’s identity
    – Expected soon in 0.98 (maybe 0.98.4)
  Query
    (&(objectClass=person)(userPrincipalName={0}))
  Attribute Mapping (<attribute>: <regex> -> <auth>)
    memberOf: .+ -> $1
    division: .+ -> $1
    department: .+ -> $1
    employeeID: P[0-9]+ -> probationary
  (data source shown: Directory)
• 28. Attribute-Based Access Control Using Labels
  • Apply appropriate visibility expressions to cells
    hbase> set_visibility 'user', 'admin|service|(developer&(!probationary))', { COLUMNS => 'i' }
    hbase> set_visibility 'user', 'admin|service', { COLUMNS => 'pii' }
    hbase> set_visibility 'user', 'admin|service|((developer|test)&(!probationary))', { COLUMNS => [ 'i', 'pii' ], FILTER => "(PrefixFilter ('test'))" }
• 29. Attribute-Based Access Control Using ACLs
  • An area of future work
    – We could consider an HBase provided replacement for the Hadoop Group Mapper that also supports mapping object attributes to strings
    – For the VisibilityController, the mapped strings would be interpreted as auths (see slide #27)
    – For the AccessController, the mapped strings could be interpreted as group names
    – See HBASE-10919[1] or raise a discussion on user@hbase.apache.org
  1. https://issues.apache.org/jira/browse/HBASE-10919
• 31. Protecting Data At Rest
  • HBase is deployed into a layered system
  • Incorrect handling of permissions or storage volumes at the HDFS layer or below could expose sensitive information
  [Diagram: Apache HBase (Master, Master (Standby), RegionServers) on top of Apache ZooKeeper (ZooKeeper ensemble) and the Apache Hadoop Distributed File System (HDFS) (DataNodes)]
• 32. Getting Started
  • Create the cluster master key in a KeyStore file
    $ keytool -keystore hbase.jks -storetype jceks -genseckey -keyalg AES -keysize 128 -storepass secret -alias hbase-master-default
  • Deploy the KeyStore file to all site configuration directories and restrict local access to it
    $ chown hbase:hbase hbase.jks
    $ chmod 0600 hbase.jks   (-rw-------)
  • Enable HFile V3
    – hfile.format.version=3
• 33. Getting Started
  • Set up key provider configuration for KeyStore files
    – hbase.crypto.keyprovider=org.apache.hadoop.hbase.io.crypto.KeyStoreKeyProvider
    – hbase.crypto.keyprovider.parameters=jceks:///path/to/hbase/conf/hbase.jks?password=secret
    – hbase.crypto.master.key.name=hbase-master-default
  • Restrict local access to the site file
    $ chown hbase:hbase hbase-site.xml
    $ chmod 0600 hbase-site.xml   (-rw-------)
  • The KeyStore password need not be embedded in the site file
    – Use ?passwordFile=/path/to/password/file and protect that instead
• 34. Getting Started
  • Enable WAL encryption
    – hbase.crypto.wal.key.name=hbase-master-default
    – hbase.regionserver.hlog.reader.impl=org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogReader
    – hbase.regionserver.hlog.writer.impl=org.apache.hadoop.hbase.regionserver.wal.SecureProtobufLogWriter
    – hbase.regionserver.wal.encryption=true
    WAL encryption is configured separately from HFile encryption to enable storage management with tiered sensitivity
  • (JRE 8+) Enable AES-NI acceleration features
    – Add to hbase-env.sh: -XX:+UseAES -XX:+UseAESIntrinsics
• 35. Transparent Encryption
  • Segregate sensitive information into one or a few column families with HFile encryption enabled
    – We are storing sensitive personally identifiable customer information in the “pii” family
    – Enable encryption on “pii” only to mitigate performance impact
    – After changing schema, run a major compaction to ensure all files are (eventually) transformed
    hbase> disable 'user'
    hbase> alter 'user', { NAME => 'pii', COMPRESSION => 'snappy', ENCRYPTION => 'aes' }
    hbase> enable 'user'
    hbase> major_compact 'user'
  Table 'user' layout:
    Row Key:            uid
    Column Family i:    i:fullname, i:nick
    Column Family pii:  pii:address, pii:phone, pii:cc, pii:cvv2, pii:expdate
• 36. Transparent Encryption
  • Data key management
    – RegionServers retrieve and unwrap CF keys from descriptors as needed to encrypt HFiles
    – The data key for a CF can be modified at any time by the admin
      • Or, encryption can be enabled and disabled entirely
      • CF encryption is completely reversible!
    – HFiles contain the data key used for encryption, wrapped (encrypted) by the master key
      • Supports incremental rekeying without expensive IO or downtime
    – Simply trigger major compaction to normalize encryption and data keying state over the entire CF
      • Can be done on a region by region basis with an HBase shell script
• 37. Transparent Encryption
  • Master key rotation
    – Should be an infrequent operation; an attacker able to observe even all schema and HFiles gains very little information about the master key over time
    – Store a copy of the current master key with an alternate alias e.g. “hbase-master-alt”
    – Replace the master key with a new one
    – Update site file
      • hbase.crypto.master.alternate.key.name=hbase-master-alt
    – Do a rolling restart of all HBase server processes
    – Trigger a major compaction and wait for completion
    – Remove the old master key from the KMS and remove the alt alias from the site file
    – Do another rolling restart of all HBase server processes
• 38. Key Providers
  • Any Key Management System with a Java KeyStore provider can be supported by the KeyStoreKeyProvider
  • Or natively, via custom HBase KeyProviders
  • Update site configuration
    hbase.crypto.keyprovider
    hbase.crypto.keyprovider.parameters
  [Diagram: HBase KeyStoreKeyProvider and HBase YourKeyProvider; JDK KeyStore provider framework; backends such as Thales, Luna, CloudHSM, ...]
• 39. Cipher Providers
  • We support alternate or accelerated ciphers with either:
    1. Java Cryptography (JCE) algorithm provider
      • Install a signed JCE provider (supporting “AES/CTR/NoPadding” mode with 128 bit keys)
      • Add it with highest preference to the JCE site configuration file $JAVA_HOME/lib/security/java.security
      • Update site configuration
        hbase.crypto.algorithm.aes.provider
        hbase.crypto.algorithm.rng.provider
    2. Custom HBase Cipher implementation
      • Start at org.apache.hadoop.hbase.io.crypto.CipherProvider
      • Make it available on the server classpath
      • Update site configuration
        hbase.crypto.cipherprovider
• 41. WAL Encryption
  • Performance implications of WAL encryption
    – As measured by HLogPerformanceEvaluation microbenchmark
    – Relative differences are what is interesting
    – WAL throughput ceiling ~10% lower with 7u45
    – ~8% lower with 8u20
  • Future mitigation: When HDFS storage tiering capability is in production, configure separate storage tiers for WAL and HFile data

  Test                                            Throughput (ops/sec)   Total cycles     Insns per cycle
  Oracle Java 1.7.0_45-b18 - None                 52658.302              8878179986750    0.47
  Oracle Java 1.7.0_45-b18 - AES WAL encryption   48045.834              9911748458387    0.57
  OpenJDK 1.8.0_20-b09 - None                     54874.125              8662634367005    0.46
  OpenJDK 1.8.0_20-b09 - AES WAL encryption       50659.507              9668111259270    0.61
• 42. Promoting Common ACLs
  • When designing security policy for a table, consider that table and column family level grants are inexpensive compared to cell level grants
    – Table and CF level grants are cached in memory
    – Cell level grants require region scanning
  • We consider permissions as the union of grants at all levels; a table or CF grant allows us to early out
  • If a user will always be granted permissions at the cell level, promote their access to a column family or table level grant