Protecting Enterprise Data in Apache Hadoop · PDF fileThreat: Hadoop Admin in Cluster Page 11 © Hortonworks Inc. 2015 HDFS Encryption Page 12 © Hortonworks Inc. 2015 KeyProvider

© Hortonworks Inc. 2015

Protecting Enterprise Data in Apache Hadoop

September2015

Page 1

Owen O’Malley [email protected] @owen_omalley


Security

Page 2


Security Architecture

Page 3


Attack Vectors

Page 4


Attack Vectors

Page 5


Threat: Accidental Damage

Page 6


Threat: Remote Access

Page 7


Threat: Eavesdropping

Page 8


Threat: User accesses private data

Page 9


Threat: Physical access

Page 10


Threat: Hadoop Admin in Cluster

Page 11


HDFS Encryption

Page 12


KeyProvider API

Page 13


Encryption Scheme

Page 14


Original Hive Architecture

Page 15


Threat: User Accesses DB directly

Page 16


Hive Architecture with Metastore

Page 17


Threat: User Deletes Hive tables

Page 18


Hive Architecture with Storage-Based Auth

Page 19


Threat: User reads private columns

Page 20


Hive Architecture with Hive Server 2

Page 21


Threat: User reads private columns

Page 22


ORC File Layout

Page 23

File Footer

Postscript

Index Data

Row Data

Stripe Footer25

6 M

B St

ripe

Index Data

Row Data

Stripe Footer

256

MB

Strip

e

Index Data

Row Data

Stripe Footer

256

MB

Strip

e

Column 1

Column 2

Column 7

Column 8

Column 3

Column 6

Column 4

Column 5

Column 1

Column 2

Column 7

Column 8

Column 3

Column 6

Column 4

Column 5

Stream 2.1

Stream 2.2

Stream 2.3

Stream 2.4


Threat: User reads hidden values

Page 24


Threat: Shadow Security

Page 25


Resources

Page 26


Other talks

Page 27


Thank You!

Page 28

Protecting Enterprise Data in Apache Hadoop · PDF fileThreat: Hadoop Admin in Cluster Page 11 © Hortonworks Inc. 2015 HDFS Encryption Page 12 © Hortonworks Inc. 2015 KeyProvider

Documents