[
https://issues.apache.org/jira/browse/HBASE-11791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14104871#comment-14104871
]
Misty Stanley-Jones commented on HBASE-11791:
---------------------------------------------
First level of notes based on slides. Any corrections of misunderstandings or
things that have changed since the slide deck appreciated. Organization is very
rough and I haven't actually looked at the existing docs on this yet (I am sure
they are completely out of date).
Notes on ACLs / Tags
Security Model
Definitions
Tags - metadata on a cell, distinct from the key and value.
Compressed when persisted to HFiles. Server-side only -- clients cannot get or
send. Replicated correctly if cross-cluster replication enabled.
Role-Based Access Control - uses groups and ACLs to control
access
Attribute-Based Access Control - uses labels to control access
Cell ACLs (HBASE-7662) - ability to set ACLs (RWXAC) at cell
level (NS -> Table -> CF -> Cell). Works the same as other ACLs. Scoped to same
point in time as the cell. Union of user's table perms, CF perms, and cell
perms grants permission for the mutation (CRUD). Can be used with labels
(VisibilityController).
Groups
Cell Labels (HBASE-7663) - arbitrary strings (such as secret,
topsecret) and boolean expressions. Admin API and shell commands for
management. Schema / set of labels defined up front. Users label cells during
Puts, authorization is checked on gets and scans. Effective set of auths for a
user are built per request. Scan results are filtered according to user's
authorizations. Can be used with ACLs (Access Controller).
Transparent Encryption (HBASE-7544) - HFile blocks are
encrypted during write and decrypted for read. WAL serialization pluggable --
secure readers and writers provided. Simple key management, default provider
integrates with Java keystore. Per-CF configuration, to allow placement of
sensitive info in a subset of CFs.
Endpoint EXEC Grants (HBASE-6104) - RWXCA granted to users /
groups - X is new in 0.98. Coprocessor endpoints can be controlled
global/table/CF.
Components of a Security Policy
  Groups
    - Employee
    - Developer
    - Test Account
    - Service Account
    - Admin
  Permission Hierarchy
    - Global
    - Table
    - Column Family
    - Cell
  Grants Table (slide 14/15)
  Cell Labels
Server Configuration
1. Enable hfile v3 (hfile.format.version=3)
2. Enable SASL + Kerberos authentication
RPC: https://hbase.apache.org/book/security.html
ZooKeeper: https://hbase.apache.org/book/zk.sasl.auth.html
3. Install security coprocessors:
hbase.coprocessor.region.classes=org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController,org.apache.hadoop.hbase.security.token.TokenProvider
hbase.coprocessor.master.classes=org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.visibility.VisibilityController
hbase.coprocessor.regionserver.classes=org.apache.hadoop.hbase.security.access.AccessController
4. Enable endpoint exec checks:
hbase.security.exec.permission.checks=true
5. Enable transport security (optional): hbase.rpc.protection=auth-conf
RBAC: Hadoop Group Mapping Service and ACLs
1. Map each role to an LDAP entity
2. Set up a Hadoop group mapper (core-site.xml)
3. Use hbase shell "whoami" command to confirm
4. Grant permission to groups
Labels:
1. Define labels to correspond to groups
2. Express access rules as visibility expressions (admin|service,
admin|service|developer, etc)
3. Define labels in HBase Shell
4. Assign labels to users using set_auths (set_auths 'qa', [ 'test',
'developer' ]) (slide 24)
5. Apply visibility expressions to cells using set_visibility (slide 25)
Administration
Preventing data leaks:
1. Protect data at rest
   a. HFiles
      1. Create keystore, deploy it to all nodes with appropriate permissions
      2. Enable hfile v3
      3. Set key provider config (slide 33)
      4. Restrict access to hbase-site.xml
      5. You can store the password in an external file
   b. WAL (slide 34)
   c. Transparent encryption for columns which contain sensitive data, major
      compact to do the transform
      - real-time modifiable and reversible
      - Stored in each HFile, wrapped by master key. Re-keying can be done per
        region via major compact operation
      - Master key rotation is possible (slide 37)
Using a different key provider
Using a different cipher provider
Performance Considerations
WAL encryption 8-10% lower depending on JVM
ACLs - table and CF are inexpensive compared to cell-level
- Caching
- Table or CF grant allows us to stop checking early
- If a user will always be granted cell-level perms, give them
CF or table level grant
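
Added example, not part of the original comment and not HBase's own tooling: a Python check that audits an hbase-site.xml against server configuration steps 1, 3, 4 and 5 in the notes above. The sample XML is constructed, `load_properties` and `audit` are hypothetical names, and step 2 (SASL + Kerberos) is not checked.

```python
import xml.etree.ElementTree as ET

SEC = "org.apache.hadoop.hbase.security."
AC, VC = SEC + "access.AccessController", SEC + "visibility.VisibilityController"
TP = SEC + "token.TokenProvider"
# Step 3 of the notes: coprocessor classes expected per property
REQUIRED_CLASSES = {
    "hbase.coprocessor.region.classes": {AC, VC, TP},
    "hbase.coprocessor.master.classes": {AC, VC},
    "hbase.coprocessor.regionserver.classes": {AC},
}
# Steps 1, 4 and 5: exact values (step 5 is optional in the notes; this
# audit treats it as required)
REQUIRED_VALUES = {
    "hfile.format.version": "3",
    "hbase.security.exec.permission.checks": "true",
    "hbase.rpc.protection": "auth-conf",
}

def load_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(xml_text):
    """Return sorted findings; an empty list means every check passed."""
    props, findings = load_properties(xml_text), []
    for name, want in REQUIRED_VALUES.items():
        if props.get(name) != want:
            findings.append(f"{name}: expected {want!r}, found {props.get(name)!r}")
    for name, needed in REQUIRED_CLASSES.items():
        # Split on commas, ignoring whitespace and empty items left by wrapping
        have = {c.strip() for c in props.get(name, "").split(",") if c.strip()}
        findings += [f"{name}: missing {cls}" for cls in needed - have]
    return sorted(findings)

# Constructed sample: exec checks unset, '/' typo in the regionserver class
SAMPLE = f"""<configuration>
 <property><name>hfile.format.version</name><value>3</value></property>
 <property><name>hbase.rpc.protection</name><value>auth-conf</value></property>
 <property><name>hbase.coprocessor.region.classes</name>
  <value>{AC},
         {VC},{TP}</value></property>
 <property><name>hbase.coprocessor.master.classes</name><value>{AC},{VC}</value></property>
 <property><name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop/hbase.security.access.AccessController</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

A misspelled class name fails the audit as a missing coprocessor, the same as leaving the class out of the list.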
> Update docs on visibility tags and ACLs
> ---------------------------------------
>
> Key: HBASE-11791
> URL: https://issues.apache.org/jira/browse/HBASE-11791
> Project: HBase
> Issue Type: Task
> Components: documentation
> Reporter: Misty Stanley-Jones
> Assignee: Misty Stanley-Jones
> Attachments: HBase Security Features Operators Guide - HBaseCon 2014
> - v5.pptx
>
>
> Do a pass on the ACL and tag docs and make sure they are up to date and
> accurate, expand to cover HBASE-10885, HBASE-11001, HBASE-11002, HBASE-11434
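
Added example, not part of the original comment and not HBase code: a simplified Python model of how scan results are filtered by a user's authorizations, using the visibility expressions and the `set_auths 'qa'` labels from the notes. It goes beyond the `|`-only expressions in the notes to cover `&`, `!` and parentheses; labels limited to word characters, `&` binding tighter than `|`, and the names `is_visible`, `scan` and `CELLS` are assumptions of this model.

```python
import re

def is_visible(expr, auths):
    """True if a user holding `auths` satisfies visibility expression `expr`."""
    tokens, auths = re.findall(r"\w+|\S", expr), set(auths)

    def take(expected=None):
        tok = tokens.pop(0) if tokens else None
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok
    def parse_or():
        result = parse_and()
        while tokens and tokens[0] == "|":
            take("|")
            rhs = parse_and()          # parse first so tokens are always consumed
            result = result or rhs
        return result
    def parse_and():
        result = parse_unary()
        while tokens and tokens[0] == "&":
            take("&")
            rhs = parse_unary()
            result = result and rhs
        return result
    def parse_unary():
        tok = take()
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            result = parse_or()
            take(")")
            return result
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"unexpected token {tok!r}")
        return tok in auths            # a bare label: does the user hold it?

    result = parse_or()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return result

# Constructed cells (value, expression); the first two expressions are from the notes
CELLS = [("ops-runbook", "admin|service"),
         ("build-log", "admin|service|developer"),
         ("audit-trail", "admin & !test")]

def scan(cells, auths):
    """Model of a scan: return only the values the caller is authorized to see."""
    return [value for value, expr in cells if is_visible(expr, auths)]
```

With the `qa` authorizations from the notes, `scan(CELLS, ["test", "developer"])` returns only `build-log`; a malformed expression raises `ValueError` instead of silently granting access.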