jprdonnelly/impala
1
0
Fork 0
mirror of https://github.com/apache/impala.git synced 2026-01-10 00:00:16 -05:00
Code Issues Projects Releases Wiki Activity
Files
3db5ced4cee8967f28e337747efba902ce71cfee
impala/docs/topics/impala_security.xml
Jim Apple 3be0f122a5 IMPALA-3398: Add docs to main Impala branch. 
These are refugees from doc_prototype. They can be rendered with the
DITA Open Toolkit version 2.3.3 by:

/tmp/dita-ot-2.3.3/bin/dita \
  -i impala.ditamap \
  -f html5 \
  -o $(mktemp -d) \
  -filter impala_html.ditaval

Change-Id: I8861e99adc446f659a04463ca78c79200669484f
Reviewed-on: http://gerrit.cloudera.org:8080/5014
Reviewed-by: John Russell <jrussell@cloudera.com>
Tested-by: John Russell <jrussell@cloudera.com>
2016-11-17 22:38:44 +00:00

124 lines
5.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="security">
<title><ph audience="standalone">Impala Security</ph><ph audience="integrated">Overview of Impala Security</ph></title>
<prolog>
<metadata>
<data name="Category" value="Security"/>
<data name="Category" value="Impala"/>
<data name="Category" value="Concepts"/>
<data name="Category" value="Auditing"/>
<data name="Category" value="Governance"/>
<data name="Category" value="Authentication"/>
<data name="Category" value="Authorization"/>
<data name="Category" value="Administrators"/>
</metadata>
</prolog>
<conbody>
<p>
Impala includes a fine-grained authorization framework for Hadoop, based on the Sentry
open source project. Sentry authorization was added in Impala 1.1.0. Together with the Kerberos authentication
framework, Sentry takes Hadoop security to a new level needed for the requirements of highly regulated industries
such as healthcare, financial services, and government. Impala also includes
an auditing capability; Impala generates the audit data, the Cloudera Navigator product consolidates
the audit data from all nodes in the cluster, and Cloudera Manager lets you filter, visualize, and produce
reports. The auditing feature was added in Impala 1.1.1.
</p>
<p>
The Impala security features have several objectives. At the most basic level, security prevents
accidents or mistakes that could disrupt application processing, delete or corrupt data, or reveal data to
unauthorized users. More advanced security features and practices can harden the system against malicious
users trying to gain unauthorized access or perform other disallowed operations. The auditing feature
provides a way to confirm that no unauthorized access occurred, and detect whether any such attempts were
made. This is a critical set of features for production deployments in large organizations that handle
important or sensitive data. It sets the stage for multi-tenancy, where multiple applications run
concurrently and are prevented from interfering with each other.
</p>
<p>
The material in this section presumes that you are already familiar with administering secure Linux systems.
That is, you should know the general security practices for Linux and Hadoop, and their associated commands
and configuration files. For example, you should know how to create Linux users and groups, manage Linux
group membership, set Linux and HDFS file permissions and ownership, and designate the default permissions
and ownership for new files. You should be familiar with the configuration of the nodes in your Hadoop
cluster, and know how to apply configuration changes or run a set of commands across all the nodes.
</p>
<p>
The security features are divided into these broad categories:
</p>
<dl>
<dlentry>
<dt>
authorization
</dt>
<dd>
Which users are allowed to access which resources, and what operations are they allowed to perform?
Impala relies on the open source Sentry project for authorization. By default (when authorization is not
enabled), Impala does all read and write operations with the privileges of the <codeph>impala</codeph>
user, which is suitable for a development/test environment but not for a secure production environment.
When authorization is enabled, Impala uses the OS user ID of the user who runs
<cmdname>impala-shell</cmdname> or other client program, and associates various privileges with each
user. See <xref href="impala_authorization.xml#authorization"/> for details about setting up and managing
authorization.
</dd>
</dlentry>
<dlentry>
<dt>
authentication
</dt>
<dd>
How does Impala verify the identity of the user to confirm that they really are allowed to exercise the
privileges assigned to that user? Impala relies on the Kerberos subsystem for authentication. See
<xref href="impala_kerberos.xml#kerberos"/> for details about setting up and managing authentication.
</dd>
</dlentry>
<dlentry>
<dt>
auditing
</dt>
<dd>
What operations were attempted, and did they succeed or not? This feature provides a way to look back and
diagnose whether attempts were made to perform unauthorized operations. You use this information to track
down suspicious activity, and to see where changes are needed in authorization policies. The audit data
produced by this feature is collected by the Cloudera Manager product and then presented in a
user-friendly form by the Cloudera Manager product. See <xref href="impala_auditing.xml#auditing"/> for
details about setting up and managing auditing.
</dd>
</dlentry>
</dl>
<p outputclass="toc"/>
<p audience="integrated">
These other topics in the <cite>Security Guide</cite> cover how Impala integrates with security frameworks
such as Kerberos, LDAP, and Sentry:
<ul>
<li>
<xref href="impala_authentication.xml#authentication"/>
</li>
<li>
<xref href="impala_authorization.xml#authorization"/>
</li>
</ul>
</p>
</conbody>
</concept>
Reference in New Issue View Git Blame Copy Permalink