MapR Boosts Hadoop’s ‘Out-of-the-Box’ Security with Native Authentication, Authorization

MapR Technologies’ latest effort to enrich Hadoop with out-of-the-box enterprise features focuses on security. To make securing big data easier and more reliable, MapR has natively integrated authentication and authorization into the beta of its MapR Distribution for Apache Hadoop. IDN speaks with MapR’s Jack Norris.

Jack Norris
chief marketing officer


"We’re looking to take away both the risk and the complexity of securing Hadoop."

Delivering out-of-the-box authentication for Hadoop will let users more easily comply with security needs and avoid complicated coding or integration tasks, MapR’s chief marketing officer, Jack Norris, told IDN.

“Security is such an important issue for some users that some Hadoop deployments are not even connected to the internal network,” Norris told IDN. “So, we’re looking to take away both the risk and the complexity of securing Hadoop and this [MapR] release provides comprehensive access control with flexibility and ease of use.”

In detail, MapR’s latest secure-ready distro protects against user impersonation, rogue daemons and malicious remote procedure calls, Norris said. Moreover, MapR natively secures all operations on Hadoop (file reads and writes, HBase operations, MapReduce job submissions, etc.). Even intra-cluster node-to-node interactions, including RPCs, are protected.

Architecturally, MapR provides the security at the wire (or protocol) level. In that way, it provides admins and users easy access to fine-grained data protection for tables, columns, jobs, queues and volumes, he added.

Thanks to MapR’s approach to native security, Hadoop will initiate and maintain the secure communications across the cluster – without the use of any supplemental third-party infrastructure. This architecture provides a number of key admin and user benefits, Norris noted, including:

  • Users can authenticate themselves easily through a simple and secure login-password mechanism that integrates into standard enterprise directory services (e.g., LDAP, Active Directory and NIS).
  • To secure complex Hadoop clusters, all cluster nodes are authenticated and can interact with each other through secure keys.
  • Intra-cluster node-to-node interactions are secured, including RPCs.
  • Inter-cluster operations are secured, including mirroring.

“We’re looking at how do we make Hadoop production ready and how do we really expand the use cases that are possible,” Norris said. “We feel the fastest ways to do that, and the way to really make Hadoop more ready for prime time, is to do these architectural innovations.”

Improving Hadoop’s Authentication for Log-in and Operations
Even though Hadoop’s authentication and security don’t often grab headlines, Norris said they are growing in importance among possible adopters, especially at larger firms and government agencies.

In fact, the time has come to improve Hadoop’s security readiness, Norris added. More than 95% of consumers access online banks using strong wire-level authentication, while less than 5% of companies using Hadoop have it, he said.

While Norris concedes there are Hadoop capabilities in open source or commercial offerings to help admins deliver some security features (set file permission, access control, etc.), they aren’t easy or foolproof. “Many of these [options] can be easy to get around and difficult to implement. So, what MapR is addressing is securing at the lowest level to authenticate a user and encrypt and protect communication to and across the cluster,” Norris said.

Kerberos is a primary way companies using Hadoop handle user authentication, but that can raise issues, Norris said. “Working with or integrating Kerberos is difficult for many companies. So, our goal is to make security as simple as using any online app – and give users a choice,” he said.

With MapR, users will be able to choose to work with their existing Kerberos authentication schemes or use MapR’s native approach, he said. “For those organizations that don’t have Kerberos, or think it’s too complicated, MapR can natively provide authentication using traditional username/password, as well as smart card, certificate or even biometrics,” Norris said.   

Once the authentication takes place, MapR also secures information across the cluster during the session, letting admins use keys or certificates.
 
On that point, MapR’s architecture paid equal attention to delivering simplicity for Hadoop security during operations.  

Thanks to MapR’s use of HTTPS, users simply run the “maprlogin” command and enter their usernames/passwords (or other approved access methods). Then, maprlogin obtains a user key from the cluster over HTTPS. The Hadoop client automatically uses the user key to secure all RPCs. Further, all cluster operations and access are secured with the same user key. “There is a time-to-live parameter. We don’t go through a central authentication server for each interaction, that would be a performance killer,” Norris said.

 

MapR should also be able to deliver all this native security without hits on performance, Norris added. “Because MapR is leveraging our dynamic read/write data platform, we can efficiently write keys and do updates so we don’t expect any performance hits,” he said. Also helping performance is MapR’s use of cryptography standards and automatic compression, he added.   

MapR’s latest update will also deliver security to all Hadoop ecosystem components through what Norris called “a simple, fast and self-contained security model.” Consequently, MapR’s native authentication will also protect Apache Hive and Drill, he added.

One analyst firm said MapR’s security support will make a big difference to many big data projects. “Very few Hadoop clusters today meet enterprise-grade security requirements. With MapR’s innovations, businesses can meet stringent security requirements and regulations easily with security functionality that comes out-of-the-box with Hadoop,” said Ben Woo, a principal analyst with Neuralytix.

 



