Configuring Data Fabric Security
Provides usage information for frequently used security functionality, including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet allowlisting.
Wire-level encryption and authentication (including impersonation) for the Data Fabric platform and for all supported ecosystem products are enabled on all new installations through the Installer. Alternatively, enable security manually by running the configure.sh command with the -secure option.
You can enable security features at any time, but the individual components require additional configuration to work with security enabled. This section discusses the initial configuration of a secure cluster as well as other forms of security.
The following access control elements are available irrespective of whether security features are enabled for your cluster. After security features are enabled, these elements benefit from encrypted traffic within the cluster and strong authentication to the cluster.
- ACLs for the cluster, the volumes in the cluster, and the MapReduce application queue
- Access Control Expressions (ACEs) control user permissions for directories, files, and HPE Ezmeral Data Fabric Database tables that are stored natively
- File permissions for objects in the file system layer
- Subnet allowlisting restricts access to the cluster's FileServer service
On clusters with security features enabled, ecosystem components may require additional configuration. For example, Hive functionality has different security requirements depending on the interaction between the HiveServer2 component, the Hive command-line interface, and the Hive metastore.
See the Security Support Matrix for more information about supported security options for Ecosystem components. See the specific Ecosystem component in Ecosystem Components for information on security configuration.
See Security Vulnerabilities for a list of known vulnerabilities.
Verifying that the Files Needed for Security Are Present
When you run configure.sh with the -secure option, the following files are created automatically in the /opt/mapr/conf directory. To ensure that security is properly configured, navigate to the /opt/mapr/conf directory and verify that the files are present.
- Master value controlling whether the cluster is secure or non-secure
  - File or command: /opt/mapr/conf/mapr-clusters.conf, or maprcli dashboard info -cluster <clusterName> -json | grep secure
- Data Fabric service account
  - File or command: sudo passwd -S mapr
- CLDB key file
  - File or command: /opt/mapr/conf/cldb.key
- Server ticket
  - File or command: /opt/mapr/conf/maprserverticket
- User ticket
  - File or command: /opt/mapr/conf/mapruserticket
- SSL keys
  - File or command: /opt/mapr/conf/ssl_truststore and /opt/mapr/conf/ssl_keystore
- Java (JAAS) authentication service settings
  - File or command: /opt/mapr/conf/mapr.login.conf
- Roles for use with ACEs
  - File or command: /opt/mapr/conf/m7_permissions_roles_refimpl.conf
- Default security settings for some Data Fabric services
  - File or command: /opt/mapr/conf/env.sh
- ZooKeeper security setting
  - File or command: /opt/mapr/zookeeper/zookeeper-$zkver/conf/zoo.cfg
- JMX remote access (debug and metrics monitoring)
  - File or command: /opt/mapr/conf/jmxremote.{access,password}
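As an added example (not part of the Data Fabric documentation), the following POSIX shell helper walks the list above: it reports any listed file missing from a conf directory, flags the CLDB key and server ticket if their mode grants group or other access, and checks mapr-clusters.conf for a secure=true entry. The conf directory defaults to /opt/mapr/conf; the secure=true token format and the expectation that key and ticket files are owner-only are assumptions rather than statements from this page.

```shell
#!/bin/sh
# Added example, not part of the Data Fabric docs: verify the artifacts that
# configure.sh -secure should have created under a conf directory.

# Files the page lists as created by configure.sh -secure (relative to conf dir).
MAPR_SECURITY_FILES="mapr-clusters.conf cldb.key maprserverticket mapruserticket \
ssl_truststore ssl_keystore mapr.login.conf m7_permissions_roles_refimpl.conf env.sh"

# Key and ticket material (assumption: these must be readable by the owner only).
MAPR_SECRET_FILES="cldb.key maprserverticket"

# Print one MISSING line per absent file; return 1 if anything is absent.
check_security_files() {
  dir="${1:-/opt/mapr/conf}"; files_rc=0
  for f in $MAPR_SECURITY_FILES; do
    [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; files_rc=1; }
  done
  return $files_rc
}

# Print one EXPOSED line per secret file whose mode grants group/other access.
check_secret_perms() {
  dir="${1:-/opt/mapr/conf}"; perms_rc=0
  for f in $MAPR_SECRET_FILES; do
    [ -f "$dir/$f" ] || continue          # absence is reported by check_security_files
    mode=$(stat -c '%a' "$dir/$f" 2>/dev/null || stat -f '%Lp' "$dir/$f")
    case "$mode" in
      *00) ;;                             # e.g. 600 or 400: owner-only access
      *) echo "EXPOSED: $dir/$f mode $mode"; perms_rc=1 ;;
    esac
  done
  return $perms_rc
}

# Return 0 if mapr-clusters.conf carries a secure=true entry (assumed token format).
cluster_is_secure() {
  conf="${1:-/opt/mapr/conf}/mapr-clusters.conf"
  [ -r "$conf" ] && grep -q 'secure=true' "$conf"
}

# Run all checks and summarise; return 0 only if every check passes.
audit_security_conf() {
  dir="${1:-/opt/mapr/conf}"; fail=0
  check_security_files "$dir" || fail=1
  check_secret_perms "$dir" || fail=1
  if cluster_is_secure "$dir"; then echo "cluster: marked secure=true"
  else echo "cluster: NOT marked secure"; fail=1; fi
  return $fail
}
```

Run audit_security_conf with no argument on a cluster node to check /opt/mapr/conf; a non-zero exit status means at least one check failed.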
Determining if Wire-Level Security is Enabled Using the CLI
If you run configure.sh with the -secure option, wire-level security is automatically enabled at the cluster level. You can, optionally, disable wire-level security for individual volumes. To determine if wire-level security is enabled for a volume, run the following command:
/opt/mapr/bin/maprcli volume list -json | grep wire
This command returns the value of wireSecurity as 1 if wire-level security is enabled for the volume; 0 otherwise.
Enabling Cluster-Wide Data Access Auditing
To enable auditing of data access operations at the cluster level, run:
/opt/mapr/bin/maprcli audit data -enabled true
Determining if Per-Volume Data Access Auditing is Enabled
To determine if auditing of data access operations is enabled for a volume, run:
/opt/mapr/bin/maprcli volume info -name <volume_name> -json | grep -i 'audited\|coalesce'
This command returns the value of audited as 1 if data access auditing is enabled for the volume; 0 otherwise.