Security Support Matrix

The tables in this section show component support for authentication, impersonation, and wire-level encryption.

See these sections:

Table 1 - Authentication in Release 7.0.0 and Later
Table 2 - Impersonation and Wire-Level Encryption in Release 7.0.0 and Later

Table 1 shows component support for authentication using MapR-SASL, Kerberos, and PAM.

Table 2 shows component support for impersonation and wire-level encryption.

Table Symbols

The tables in this section use dashes to indicate non-support and directional arrows to convey inbound and outbound communication:

A dash (—) indicates that the feature is currently not supported, not needed, or not applicable.
A right arrow (A → B) means OUTBOUND from A and INBOUND to B.
A double arrow (A ↔ B) means OUTBOUND from A and INBOUND to B, and vice versa.
No arrow indicates OUTBOUND communication from the subcomponent to all components with which it communicates.

Authentication in Release 7.0.0 and Later

Table 1. Component Support for Authentication
Main Component	Subcomponent	Authentication
Main Component	Subcomponent	MapR-SASL	Kerberos	PAM¹
CORE COMPONENTS
Data Fabric for Kubernetes	N/A	—	—	—
FUSE POSIX Client	N/A	—	—	—
JobClient to Resource Manager	N/A	Yes	Yes	—
Installer	N/A	—	—	Yes
file system	FileClient C → file system	Yes	—	—
	FileClient Java → file system	Yes	Yes²	—
	file system ↔ file system³	Yes	—	—
	CLDB ↔ file system⁴	Yes	—	—
	FileClient → CLDB⁴	Yes	Yes²	—
	NFSv3 → file system	Yes	—	—
	NFSv3 → CLDB⁵	Yes	—	—
HPE Ezmeral Data Fabric Database	HPE Ezmeral Data Fabric Database Java Client → HPE Ezmeral Data Fabric Database⁶	Yes	Yes²	—
	HPE Ezmeral Data Fabric Database C Client → HPE Ezmeral Data Fabric Database⁶	Yes	—	—
	AsyncHBase Client → HPE Ezmeral Data Fabric Database⁶	Yes	Yes²	—
	Hive Job Using Connector to HPE Ezmeral Data Fabric Database⁶	Yes	—	—
	Spark Job Using Connector to HPE Ezmeral Data Fabric Database⁶	Yes	—	—
	Client → HBase Thrift Gateway⁶	—	—	Yes
	HBase Thrift Gateway for HPE Ezmeral Data Fabric Database (Binary)⁷	Yes	—	—
	Client → Data Access Gateway	—	—	Yes
	Data Access Gateway → HPE Ezmeral Data Fabric Database (JSON)	Yes	—	—
	Client → HBase REST Gateway	—	Yes	Yes
	HBase REST Gateway for HPE Ezmeral Data Fabric Database (Binary)	Yes	—	—
HPE Ezmeral Data Fabric Streams	Java Client → HPE Ezmeral Data Fabric Streams	Yes	—	—
	librdkafka C/C#/Python Client → HPE Ezmeral Data Fabric Streams	Yes	—	—
	Client Kafka REST Gateway	—	—	Yes
	Kafka REST Gateway → HPE Ezmeral Data Fabric Streams	Yes	—	—
	REST Client → Kafka Connect Gateway	—	—	Yes
	Kafka Connect Gateway → HPE Ezmeral Data Fabric Streams	Yes	—	—
Control System⁸	Control System CLI Command	Yes	Yes	—
Control System⁸	Control System Web Command (REST Interface)	—	Yes	Yes
NFSv3	N/A	—	—	—
NFSv4	N/A	—	Yes	—
ZooKeeper⁹	ZK client → ZK server	Yes	—	—
ZooKeeper⁹	ZK server ↔ ZK server	Yes	—	—
BUNDLED CLIENTS¹⁰
Data Science Refinery (DSR)	N/A	—	—	—
Persistent Application Client Container (PACC)	N/A	—	—	—
ECOSYSTEM COMPONENTS
Airflow	Airflow → HiveCLI	Yes	Yes	Yes
	Airflow → Hive Server2/Hive Metastore/HttpFS	Yes	Yes	—
	Airflow → Spark/HPE Ezmeral Data Fabric Database Binary/HPE Ezmeral Data Fabric Database JSON/Livy	Yes	—	—
	Airflow → S3 (`mapr-s3server`)¹³	—	—	—
Drill¹¹	Web client → Drillbit	—	Partial (using SPNEGO WIP)	Yes
	Drillbit ↔ Drillbit	Yes	Yes	—
	Java/C++ Client/JDBC/ODBC → Drillbit	Yes	Yes	Yes
	Drill → Hive Storage Plugin	Yes	—	—
HBase	Client → HBase Thrift Gateway	Yes	Yes	Yes
	Client → HBase REST Gateway	Yes	Yes	Yes
	Hue → HBase Thrift	Yes	Yes	Yes
Hive	HiveServer2 → Metastore	Yes	Yes	—
	JDBC Client → HiveServer2	Yes	Yes	Yes
	ODBC Client → HiveServer2	—	Yes	Yes
	WebHCat → Metastore	—	Yes	—
	Hive Shell → MetaStore	Yes	Yes	—
	Beeline → HiveServer2	Yes	Yes	Yes
	Client (Browser) → HiveServer2 Web UI Server	—	—	Yes
	REST Client → WebHCat	—	Yes	—
HttpFS	Client (REST) → HttpFS	—	Yes	Yes
HttpFS	HttpFS → file system	Yes	—	—
Hue	Hue → YARN	Yes	Yes	—
	Hue → Oozie¹²	Yes	Yes	—
	Hue → HbaseThrift	Yes	Yes	—
	Hue → HttpFS	Yes	Yes	—
	Hue → HiveServer2	Yes	Yes	Yes
	Hue → Livy Server	Yes	Yes	No
KSQL	KSQL → HPE Ezmeral Data Fabric Streams (Java client)	—	—	—
	KSQL Server ↔ ZooKeeper	Yes	—	—
	KSQL client (KSQL CLI/REST API) ↔ KSQL server	Yes	—	Yes
	KSQL Server ↔ Schema Registry	Yes	—	Yes
	KSQL → Kafka Streams	Yes	—	—
Kafka Schema Registry	Kafka Client ↔ HPE Ezmeral Data Fabric Streams	—	—	—
	Schema Registry Server ↔ ZooKeeper	Yes	—	—
	Schema Registry Client ↔ Schema Registry Server	Yes	—	Yes
	Schema Registry Server ↔ Schema Registry Server	Yes	—	Yes
Kafka Streams	Kafka Streams → HPE Ezmeral Data Fabric Streams (Java client)	—	—	—
Livy	REST Client → Livy Server	Yes	Yes	Yes
NiFi	N/A	—	Yes¹⁴	—
OTel	MaprCli ↔ CLDB	Yes	—	—
Spark	Web Clients → Spark Component UI	No, but uses Spark's shared secret with DIGEST-MD5
	Spark Driver → Executor	No, but uses Spark's shared secret with DIGEST-MD5
	Spark Job Using Connector → HPE Ezmeral Data Fabric Database	Yes	—	—
	Spark Job Using Connector → HPE Ezmeral Data Fabric Streams	Yes	Yes	—
	JDBC Client → Spark Thrift Server	Yes	Yes	Yes
	ODBC Client → Spark Thrift Server	–	Yes	Yes
YARN	REST/Browser → RM/JHS/ATS	–	Yes	Yes
	Internal communication (RM/NM/JHS)	Yes	Yes	—
	Containers → YARN Services (RM/NM)	No, but uses YARN's shared secret with DIGEST-MD5
	Timeline Server	Yes	Yes	—

¹If LDAP is required, LDAP can be supported through PAM.

² Kerberos support is provided by implicit conversion of Kerberos tickets to data-fabric tickets.

³Payload not encrypted by default.

⁴All data exchanged with CLDB is in protobufs only and hence encrypted in secure clusters.

⁵Only admin ops to CLDB are audited. NFSv3 communication with CLDB is usually not admin-related.

⁶Accessed through the data-fabric client, which reads security settings from /opt/mapr/conf/mapr-clusters.conf; hence, this interface follows the secure-by-default model.

⁷MapR-SASL is supported but not enabled during installation.

⁸The Control System is secure between client and webserver (API Server). The server may invoke other commands through the maprcli interface that themselves do not use secure communication.

⁹HPE Ezmeral Data Fabric uses MapR-SASL for communication with ZooKeeper.

¹⁰Includes a FUSE POSIX client, YARN client, and other client components.

¹¹Support for Kerberos has not been verified, but SPNEGO can be used in conjunction with HTTPS.

¹²Auditing user administration operations with Hue. Note that Oozie is deprecated. See Discontinued Ecosystem Components.

¹³The Airflow-to-S3 connection is authenticated using access and secret keys generated by the maprcli s3keys generate command.

¹⁴For more information, see NiFi Security.

Impersonation and Wire-Level Encryption in Release 7.0.0 and Later

Table 2. Component Support for Impersonation and Wire-Level Encryption
Main Component	Subcomponent	Impersonation	Wire-Level Encryption
Main Component	Subcomponent	Impersonation	MapR-SASL	Kerberos	SSL/TLS
CORE COMPONENTS
Data Fabric for Kubernetes	N/A	—	—	—	—
FUSE POSIX Client	N/A	—	—	—	—
JobClient to Resource Manager	N/A	Yes	Yes	Yes	—
Installer	N/A	—	—	—	Yes
file system	FileClient C → file system	Yes	Yes	—	—
	FileClient Java → file system	Yes	Yes	—	—
	file system ↔ file system	—	Yes	—	—
	CLDB ↔ file system	—	Yes	—	—
	FileClient → CLDB	Yes	Yes	—	—
	NFSv3 → file system	Yes	Yes	—	—
	NFSv3 → CLDB	Yes	Yes	—	—
HPE Ezmeral Data Fabric Database	HPE Ezmeral Data Fabric Database Java Client → HPE Ezmeral Data Fabric Database	Yes	Yes	—	—
	HPE Ezmeral Data Fabric Database C Client → HPE Ezmeral Data Fabric Database	Yes	Yes	—	—
	AsyncHBase Client → HPE Ezmeral Data Fabric Database	Yes	Yes	—	—
	Hive Job Using Connector to HPE Ezmeral Data Fabric Database	Yes	Yes	—	—
	Spark Job Using Connector to HPE Ezmeral Data Fabric Database	Yes	Yes	—	—
	Client → HBase Thrift Gateway	—	—	—	Yes
	HBase Thrift Gateway for HPE Ezmeral Data Fabric Database (Binary)	Yes	Yes	—	—
	Client → Data Access Gateway	—	—	—	Yes
	Data Access Gateway → HPE Ezmeral Data Fabric Database (JSON)	Yes	Yes	—	—
	Client → HBase REST Gateway	—	—	—	Yes
	HBase REST Gateway for HPE Ezmeral Data Fabric Database (Binary)	Yes	Yes	—	—
HPE Ezmeral Data Fabric Streams	Java Client → HPE Ezmeral Data Fabric Streams	Yes	Yes	—	—
	librdkafka C/C#/Python Client → HPE Ezmeral Data Fabric Streams	—	Yes	—	—
	Client → Kafka REST Gateway	—	—	—	Yes
	Kafka REST Gateway → HPE Ezmeral Data Fabric Streams	Yes	Yes	—	—
	REST Client → Kafka Connect Gateway	Yes	—	—	Yes
	Kafka Connect Gateway → HPE Ezmeral Data Fabric Streams	—	Yes	—	—
Control System	Control System CLI Command	—	Yes	—	—
Control System	Control System Web Command (REST Interface)	—	—	—	Yes
NFSv3	N/A	—	—	—	—
NFSv4	N/A	—	—	Yes	—
ZooKeeper	ZK client → ZK server	—	Yes	—	—
ZooKeeper	ZK server ↔ ZK server	—	—	—	—
BUNDLED CLIENTS¹
Data Science Refinery (DSR)	N/A	—	—	—	—
Persistent Application Client Container (PACC)	N/A	—	—	—	—
ECOSYSTEM COMPONENTS
Airflow	Airflow → HiveCLI	Yes²	Yes	Yes	Yes
	Airflow → Hive Server2/Hive Metastore/HttpFS	Yes²	Yes	Yes	Yes
	Airflow → Spark/HPE Ezmeral Data Fabric Database Binary/HPE Ezmeral Data Fabric Database JSON/Livy	Yes²	Yes	—	Yes
	Airflow → S3 (`mapr-s3server`)	—	—	—	Yes
Drill	Web client → Drillbit	Yes	—	—	Yes
	Drillbit ↔ Drillbit	Yes	Yes	Yes	—
	Java/C++ client → Drillbit	Yes	Yes	Yes	Yes
	Drill → Hive storage plugin	Yes	Yes	—	—
HBase	Client → HBase Thrift Gateway	Yes	Yes	Yes	Yes
	Client → HBase REST Gateway	Yes	—	—	Yes
	Hue → HBase Thrift	Yes	Yes	Yes	Yes
Hive	HiveServer2 → Metastore	Yes	Yes	Yes	Yes
	JDBC Client → HiveServer2	Yes	Yes	Yes	Yes
	ODBC Client → HiveServer2	Yes	—	Yes	Yes
	WebHCat → Metastore	Yes	—	Yes	—
	Hive Shell → MetaStore	Yes	Yes	Yes	—
	Beeline → HiveServer2	Yes	Yes	Yes	Yes
	Client (Browser) → HiveServer2 Web UI Server	—	—	—	Yes
	REST Client → WebHCat	Yes	—	Yes	—
HttpFS	Client (REST) → HttpFS	Yes	—	—	Yes
HttpFS	HttpFS → file system	Yes	Yes	—	—
Hue	Hue → YARN	Yes	—	—	Yes
	Hue → Oozie³	Yes	—	—	Yes
	Hue → HBaseThrift	Yes	Yes	Yes	Yes
	Hue → HttpFS	Yes	—	—	Yes
	Hue → HiveServer2	Yes	Yes	Yes	Yes
	Hue → Livy Server	Yes	—	—	Yes
KSQL	KSQL → HPE Ezmeral Data Fabric Streams (Java client)	Yes	—	—	—
	KSQL Server ↔ ZooKeeper	—	Yes	—	—
	KSQL client (KSQL CLI/REST API) ↔ KSQL server	Yes	Yes	—	Yes
	KSQL Server ↔ Schema Registry	Yes	Yes	—	Yes
	KSQL → Kafka Streams	Yes	Yes	—	—
Kafka Schema Registry	Schema Registry Server ↔ ZooKeeper	—	Yes	—	—
	Schema Registry Client ↔ Schema Registry Server	Yes	Yes	—	Yes
	Schema Registry Server ↔ Schema Registry Server	Yes	Yes	—	Yes
	Schema Registry Server ↔ Streams for Apache Kafka	Yes	—	—	—
Kafka Streams	Kafka Streams → HPE Ezmeral Data Fabric Streams (Java client)	Yes	—	—	—
Livy	REST Client → Livy Server	Yes	—	—	Yes
NiFi	REST/Browser → NiFi	Yes	—	Yes⁴	Yes
	NiFi → ZooKeeper	—	Yes	—	Yes
	NiFi → Hadoop	—	Yes	—	—
	NiFi → Kafka	—	Yes	—	—
	NiFi → Hive	—	Yes	—	Yes
	NiFi → HBase	—	Yes	—	—
	NiFi → Object Store	Yes	—	—	Yes
OTel	TBD	TBD	TBD	TBD	TBD
Spark	Web clients → Spark Component UI	—	—	—	Yes
	Spark Driver → Executor	—	When running Spark-on-YARN, Driver-To-Executor communication is through YARN (Hadoop protocol), so it is fully secured.
	Spark Job Using Connector → HPE Ezmeral Data Fabric Database	—	Yes	—	—
	Spark Job Using Connector → HPE Ezmeral Data Fabric Streams	—	Yes	—	Yes
Tez	Browser → Tez UI	—	—	—	Yes
	Tez UI → YARN RM	—	—	—	Yes
	Tez UI → Timeline Server	—	—	—	Yes
	Tez Containers → YARN ShuffleHandler Service	—	—	—	Yes
YARN	REST/Browser → RM/JHS/ATS	Yes	—	—	Yes
	Internal communication (RM/NM/JHS)	—	Yes	Yes	—
	Containers → YARN Services (RM/NM)	—	Yes	Yes	—
	Timeline Server	—	Yes	Yes	—

¹Includes a FUSE POSIX client, YARN client, and other client components.

²Airflow supports impersonation but requires a specific cluster configuration to do so. See this page.

³Oozie is deprecated. See Discontinued Ecosystem Components.

⁴For more information, see NiFi Security.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0