Apache Ambari 2.6.1.5 Security Guide
Hortonworks Data Platform December 15, 2017
Hortonworks Data Platform: Security
Copyright © 2012-2017 Hortonworks, Inc. Some rights reserved.
The Hortonworks Data Platform, powered by Apache Hadoop, is a massively scalable and 100% open
source platform for storing, processing and analyzing large volumes of data. It is designed to deal with
data from many sources and formats in a very quick, easy and cost-effective manner. The Hortonworks
Data Platform consists of the essential set of Apache Hadoop projects including MapReduce, Hadoop
Distributed File System (HDFS), HCatalog, Pig, Hive, HBase, ZooKeeper and Ambari. Hortonworks is the
major contributor of code and patches to many of these projects. These projects have been integrated and
tested as part of the Hortonworks Data Platform release process and installation and configuration tools
have also been included.
Unlike other providers of platforms built using Apache Hadoop, Hortonworks contributes 100% of our
code back to the Apache Software Foundation. The Hortonworks Data Platform is Apache-licensed and
completely open source. We sell only expert technical support, training and partner-enablement services.
All of our technology is, and will remain, free and open source.
Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For
more information on Hortonworks services, please visit either the Support or Training page. Feel free to
Contact Us directly to discuss your specific needs.
Except where otherwise noted, this document is licensed under
Creative Commons Attribution ShareAlike 4.0 License.
http://creativecommons.org/licenses/by-sa/4.0/legalcode
Table of Contents
1. HDP Security Overview
1.1. What's New in This Release
1.2. Understanding Data Lake Security
1.3. HDP Security Features
1.3.1. Administration
1.3.2. Authentication and Perimeter Security
1.3.3. Authorization
1.3.4. Audit
1.3.5. Data Protection
2. Authentication
2.1. Enabling Kerberos Authentication Using Ambari
2.1.1. Kerberos Overview
2.1.2. Kerberos Principals
2.1.3. Installing and Configuring the KDC
2.1.4. Enabling Kerberos Security
2.1.5. Kerberos Client Packages
2.1.6. Disabling Kerberos Security
2.1.7. Customizing the Attribute Template
2.1.8. Managing Admin Credentials
2.2. Configuring HDP Components for Kerberos Using Ambari
2.2.1. Configuring Kafka for Kerberos Using Ambari
2.2.2. Configuring Storm for Kerberos Using Ambari
2.3. Configuring Ambari Authentication with LDAP or AD
2.3.1. Configuring Ambari for LDAP or Active Directory Authentication
2.3.2. Configuring Ranger Authentication with UNIX, LDAP, or AD
2.3.3. Encrypting Database and LDAP Passwords in Ambari
2.4. Configuring LDAP Authentication in Hue
2.4.1. Enabling the LDAP Backend
2.4.2. Enabling User Authentication with Search Bind
2.4.3. Setting the Search Base to Find Users and Groups
2.4.4. Specifying the URL of the LDAP Server
2.4.5. Specifying LDAPS and StartTLS Support
2.4.6. Specifying Bind Credentials for LDAP Searches
2.4.7. Synchronizing Users and Groups
2.4.8. Setting Search Bind Authentication and Importing Users and Groups
2.4.9. Setting LDAP Users' Filter
2.4.10. Setting an LDAP Groups Filter
2.4.11. Setting Multiple LDAP Servers
2.5. Advanced Security Options for Ambari
2.5.1. Configuring Ambari for Non-Root
2.5.2. Optional: Ambari Web Inactivity Timeout
2.5.3. Optional: Set Up Kerberos for Ambari Server
2.5.4. Optional: Set Up Two-Way SSL Between Ambari Server and Ambari Agents
2.5.5. Optional: Configure Ciphers and Protocols for Ambari Server
2.5.6. Optional: HTTP Cookie Persistence
2.6. Enabling SPNEGO Authentication for Hadoop
2.6.1. Configure Ambari Server for Authenticated HTTP
2.6.2. Configuring HTTP Authentication for HDFS, YARN, MapReduce2, HBase, Oozie, Falcon and Storm
2.6.3. Enabling Browser Access to a SPNEGO-enabled Web UI
2.7. Setting Up Kerberos Authentication for Non-Ambari Clusters
2.7.1. Preparing Kerberos
2.7.2. Configuring HDP for Kerberos
2.7.3. Setting up One-Way Trust with Active Directory
2.7.4. Configuring Proxy Users
2.8. Perimeter Security with Apache Knox
2.8.1. Apache Knox Gateway Overview
2.8.2. Configuring the Knox Gateway
2.8.3. Defining Cluster Topologies
2.8.4. Configuring a Hadoop Server for Knox
2.8.5. Mapping the Internal Nodes to External URLs
2.8.6. Configuring Authentication
2.8.7. Configuring Identity Assertion
2.8.8. Configuring Service Level Authorization
2.8.9. Audit Gateway Activity
2.8.10. Gateway Security
2.8.11. Setting Up Knox Services for HA
2.8.12. Knox CLI Testing Tools
2.9. Knox SSO
2.9.1. Identity Providers (IdP)
2.9.2. Setting up Knox SSO for Ambari
2.9.3. Setting up Knox SSO for Ranger Web UI
2.9.4. Setting up the Knox Token Service for Ranger APIs
2.9.5. Setting up Knox SSO for Apache Atlas
3. Configuring Authorization in Hadoop
3.1. Installing Ranger Using Ambari
3.1.1. Overview
3.1.2. Installation Prerequisites
3.1.3. Ranger Installation
3.1.4. Enabling Ranger Plugins
3.1.5. Ranger Plugins - Kerberos Overview
3.2. Using Ranger to Provide Authorization in Hadoop
3.2.1. About Ranger Policies
3.2.2. Using the Ranger Console
3.2.3. Configuring Resource-Based Services
3.2.4. Resource-Based Policy Management
3.2.5. Row-level Filtering and Column Masking in Hive
3.2.6. Adding Tag-based Service
3.2.7. Tag-Based Policy Management
3.2.8. Users/Groups and Permissions Administration
3.2.9. Reports Administration
3.2.10. Special Requirements for High Availability Environments
3.2.11. Adding a New Component to Apache Ranger
3.2.12. Developing a Custom Authorization Module
3.2.13. Apache Ranger Public REST API
4. Data Protection: Wire Encryption
4.1. Enabling RPC Encryption
4.2. Enabling Data Transfer Protocol
4.3. Enabling SSL: Understanding the Hadoop SSL Keystore Factory
4.4. Creating and Managing SSL Certificates
4.4.1. Obtain a Certificate from a Trusted Third-Party Certification Authority (CA)
4.4.2. Create and Set Up an Internal CA (OpenSSL)
4.4.3. Installing Certificates in the Hadoop SSL Keystore Factory (HDFS, MapReduce, and YARN)
4.4.4. Using a CA-Signed Certificate
4.5. Enabling SSL for HDP Components
4.6. Enable SSL for WebHDFS, MapReduce Shuffle, Tez, and YARN
4.7. Enable SSL for HttpFS
4.8. Enable SSL on Oozie
4.8.1. Configure the Oozie Client to Connect Using SSL
4.8.2. Connect to the Oozie Web UI Using SSL
4.8.3. Configure Oozie HCatalogJob Properties
4.9. Enable SSL on the HBase REST Server
4.10. Enable SSL on the HBase Web UI
4.11. Enable SSL on HiveServer2
4.11.1. Setting up SSL with self-signed certificates
4.11.2. Selectively disabling SSL protocol versions
4.12. Enable SSL for Kafka Clients
4.12.1. Configuring the Kafka Broker
4.12.2. Configuring Kafka Producer and Kafka Consumer
4.13. Enable SSL for Accumulo
4.13.1. Generate a Certificate Authority
4.13.2. Generate a Certificate/Keystore Per Host
4.13.3. Configure Accumulo Servers
4.13.4. Configure Accumulo Clients
4.14. Enable SSL for Apache Atlas
4.14.1. Configuring Apache Atlas SSL
4.14.2. Credential Provider Utility Script
4.15. SPNEGO setup for WebHCat
4.16. Configure SSL for Hue
4.16.1. Enabling SSL on Hue by Using a Private Key
4.16.2. Enabling SSL on Hue Without Using a Private Key
4.17. Configure SSL for Knox
4.17.1. Self-Signed Certificate with Specific Hostname for Evaluations
4.17.2. CA-Signed Certificates for Production
4.17.3. Setting Up Trust for the Knox Gateway Clients
4.18. Securing Phoenix
4.19. Set Up SSL for Ambari
4.19.1. Set Up Truststore for Ambari Server
4.20. Configure Ambari Ranger SSL
4.20.1. Configuring Ambari Ranger SSL Using Public CA Certificates
4.20.2. Configuring Ambari Ranger SSL Using a Self-Signed Certificate
4.20.3. Configure Ranger Admin Database for SSL-Enabled MySQL
4.21. Configure Non-Ambari Ranger SSL
4.21.1. Configuring Non-Ambari Ranger SSL Using Public CA Certificates
4.21.2. Configuring Non-Ambari Ranger SSL Using a Self Signed Certificate