Apache Sentry (incubating)
On Hive Integration
brock@cloudera.com
November 18th, 2013
Current State of Authorization in Hive
•  Advisory Authorization
-  Facilitates self-regulation to safeguard against accidental changes
-  Users can grant themselves privileges as necessary
-  Problem: Insufficient to guard against malicious users

•  Impersonation
-  Data is protected at the file level by HDFS permissions
-  Problem: File-level access is not granular enough
-  Problem: Not role-based

Authorization Requirements
•  Secure Authorization
Ability to control access to data and/or privileges on data for authenticated users

•  Fine-Grained Authorization
Ability to give users access to a subset of data in files

•  Role-Based Authorization
Ability to create/apply templatized privileges based on functional roles

•  Multi-Tenant Administration
Ability for central admin group to empower lower-level admins to manage security for each
database/schema

Introducing Sentry
Authorization module for Hadoop ecosystem
•  Unlocks Key RBAC Requirements
ᵒ  Secure, fine-grained, role-based authorization
ᵒ  Multi-tenant administration
ᵒ  Open Source via Apache Incubator
ᵒ  Modular RBAC Framework
ᵒ  Multiple users in production for months
Sentry: Fine-Grained Authorization
[Diagram: Sentry architecture. Column labels: Concepts, Implementations. Boxes: Binding, Policy, Policy Provider; Hive Binding, Solr Binding; Database Policy, Search Policy; File-based Provider (twice).]

Sentry: Fine-Grained Authorization
•  Ability to specify privileges on
ᵒ  SERVER, DATABASE, TABLE, VIEW, URI

•  Privilege Granularity
ᵒ  SELECT
ᵒ  INSERT
ᵒ  ALL

•  Multi-Tenant Administration
ᵒ  Administration per database

Granting Privileges
•  Example: Grant SELECT on table CUSTOMERS from database SALES:
server=server1->db=sales->table=customer->action=SELECT
•  Objects are represented by a containment hierarchy
•  A privilege is granted on the leaf object and its contents

Specifying Roles
•  Roles are collections of privileges
•  Example: A role Seller that allows SELECT on table CUSTOMER and INSERT on
table ITEMS
seller_role = server=server1->db=sales->table=customer->action=Select, server=server1->db=sales->table=items->action=Insert

Users and Groups
•  Works with existing Authentication Mechanisms
•  Group connects the authentication system with authorization system.
ᵒ  A Set of Roles can be assigned to a Group

analyst = sales_reporting, data_export, audit_report
•  User to Group Mapping:
ᵒ  Using Hadoop groups
ᵒ  Or Specify Locally in sentry-site.xml file
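
A simplified model of how the pieces on the Granting Privileges, Specifying Roles and Users and Groups slides fit together, added here as an illustration and not Sentry's own code. The `[groups]`/`[roles]` section layout, the `USER_GROUPS` table (standing in for Hadoop group lookup), the function names, and treating a privilege without an action part as ALL are assumptions of this example.

```python
import configparser

# Constructed sample policy modelled on the slide examples. Section names and
# the user-to-group table are assumptions made for this illustration.
POLICY = """
[groups]
analyst = sales_reporting, data_export, audit_report
seller = seller_role
sales_admin = sales_admin_role

[roles]
sales_reporting = server=server1->db=sales->table=customer->action=Select
seller_role = server=server1->db=sales->table=customer->action=Select, server=server1->db=sales->table=items->action=Insert
sales_admin_role = server=server1->db=sales
"""
USER_GROUPS = {"alice": ["analyst"], "bob": ["seller"], "carol": ["sales_admin"]}

HIERARCHY = ("server", "db", "table")  # containment order used on the slides


def parse_privilege(text):
    """Split 'server=..->db=..->action=..' into ordered (key, value) pairs."""
    parts = []
    for piece in text.strip().split("->"):
        key, sep, value = piece.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed privilege part: {piece!r}")
        # Object and action names are compared case-insensitively here.
        parts.append((key.strip().lower(), value.strip().lower()))
    return parts


def load_policy(text):
    """Return (group -> role names, role -> parsed privileges)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    groups = {g: [r.strip() for r in v.split(",") if r.strip()]
              for g, v in cp["groups"].items()}
    roles = {r: [parse_privilege(p) for p in v.split(",") if p.strip()]
             for r, v in cp["roles"].items()}
    return groups, roles


def implies(privilege, request):
    """True if a granted privilege covers the requested object and action."""
    resource = [(k, v) for k, v in privilege if k != "action"]
    actions = [v for k, v in privilege if k == "action"]
    # Fail closed unless the object path is a prefix of server -> db -> table.
    if not resource or len(actions) > 1:
        return False
    if [k for k, _ in resource] != list(HIERARCHY[:len(resource)]):
        return False
    if any(request[k] != v for k, v in resource):
        return False
    # A grant on a container covers what it contains; no action part means ALL
    # in this model (assumption).
    action = actions[0] if actions else "all"
    return action in ("all", request["action"])


def is_authorized(user, request, groups, roles, user_groups):
    """Resolve user -> groups -> roles -> privileges; deny by default."""
    request = {k: v.lower() for k, v in request.items()}
    for group in user_groups.get(user, []):
        for role in groups.get(group, []):
            for privilege in roles.get(role, []):  # undefined role grants nothing
                if implies(privilege, request):
                    return True
    return False


def undefined_roles(groups, roles):
    """Roles assigned to a group but never defined: worth flagging in review."""
    referenced = {r for names in groups.values() for r in names}
    return sorted(referenced - set(roles))


GROUPS, ROLES = load_policy(POLICY)


def check(user, db, table, action, server="server1"):
    request = {"server": server, "db": db, "table": table, "action": action}
    return is_authorized(user, request, GROUPS, ROLES, USER_GROUPS)


if __name__ == "__main__":
    for args in [("alice", "sales", "customer", "SELECT"),
                 ("alice", "sales", "customer", "INSERT"),
                 ("bob", "sales", "items", "INSERT"),
                 ("carol", "sales", "items", "SELECT"),
                 ("carol", "hr", "salaries", "SELECT")]:
        print(args, "->", "ALLOW" if check(*args) else "DENY")
    print("roles referenced but not defined:", undefined_roles(GROUPS, ROLES))
```
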

User Feedback
I have implemented Hiveserver2 Authentication (openLDAP) and Authorization (using
Cloudera Sentry). I am super-excited because we now can open our Hive Data
Platform in "read only" mode to remote clients in the company and SAS clients.

Source:
•  Apache user@hive.apache.org
•  Tue, 17 Sep 2013 19:10:43 GMT
•  http://s.apache.org/hive-sentry-user

Future Direction
•  Integration with other systems
•  More Granular Privileges
•  Usability Improvements

Hive Requirements
•  Sentry plugs into existing hooks such as the Semantic Analyzer hook interface
•  Changes required are minor, estimating ~600 LOC including unit tests

Hive Requirements
Follow Hive integration via SENTRY-67
•  HIVE-4670 - Authentication module should pass the instance part of the
Kerberos principal
•  HIVE-4390 - Enable capturing input URI entities for DML statements
•  HIVE-4741 - Add Hive config API to modify the restrict list
•  HIVE-4641 - Support post execution/fetch hook for HiveServer2

