In this chapter, we will configure Hadoop cluster to run in secure mode and enable authentication, authorization, and secure transit data. By default, Hadoop runs in nonsecure mode with no access control on data blocks or service-level access. We can run all the Hadoop daemons with a single user hadoop, without worrying about security and which daemons access what.

In addition to this, it is important to encrypt the disk, HDFS data at rest, and also to enable Kerberos for the authentication of service access. By default, a HDFS block can be accessed by any map or reduce task, but when Kerberos is enabled all this access is verified.

Before we even start with Hadoop, it is important to secure at the operating system and network level. It is expected of the users to have prior knowledge for securing Linux and networks, and in this recipe, we will only look at disk encryption.

It is good practice to encrypt the data disk, so that even if they are stolen, the data is safe. The entire disk can be encrypted or just the disk where critical data resides.

In this recipe, we will configure users to run Hadoop services so as to have better control of access by daemons.

In all the recipes so far, we have configured all services/daemons, whether it's HDFS, YARN, or Hive to run with user hadoop. This is not the right practice for production clusters as it would be difficult to control services in a fine and granular manner.

It is recommended to segregate services to run with different users, for example, HDFS daemons as hdfs:hadoop, YARN daemons as yarn:hadoop, and other services such as Hive or HBase with their own respective users.

In this recipe, we will look at transparent HDFS encryption, which is encryption of data at rest. A typical use case could be a cluster used by a financial domain and others within a company using HDFS to store critical data.

The concept involves Key Management Server (KMS), which provides keys and encryption zones that secure data using the key. To access data, we need the key and data from the encrypted zone that cannot be moved to nonencrypted zones without a proper key.

In this recipe, we will configure SSL for Hadoop services. We can configure SSL for Web UI, WebHDFS, YARN, shuffle phase, RPC, and so on. The important components for enabling SSL are certificates, keystore, and truststore. These must individually be kept secure and safe.

We can have SSL single or two-way, but the preferred method is a single way in which the clients validate the server's identity. Using 2-way SSL increases latency and involves configuration overhead.

In this recipe, we will configure in-transit encryption for securing the transfer of data between nodes during the shuffle phase. The mapper output is consumed by reducers, which can run on different nodes, so to secure the transfer channel, we secure the communication between Mappers and Reducers. We will be securing the RPC communication channel as well, although it induces a slight overhead and must be setup only if it is absolutely necessary.

In this recipe, we will look at service level authorization, which is a mechanism to ensure that the clients connecting to Hadoop services have the right permissions and authorization to access them. This is more of a global control in comparison to the control at the job queue level. Which users can submit jobs to the cluster or which Datanodes can connect to the Namenode based on the Datanode service user.

Service level authorization checks are performed much before any other checks, such as file permissions or permissions on sub queues.

Another important component to secure is ZooKeeper, as it is a very important component in the Hadoop cluster. The nodes contributing towards quorum should communicate over a secure channel and should be safeguarded against any clear text exchanges.

In this recipe, we will configure ZooKeeper to run in secure mode by enabling SSL. The ZooKeeper to be used for this secure connection must support Netty and we will enable Netty in the existing ZooKeeper setup previously in Chapter 11, Troubleshooting, Diagnostics, and Best Practices.

In this recipe, we will touch base upon auditing in Hadoop, which is important to keep track of who did what and at what time. All users must hold accountability for their actions, and to make that possible, we need to track the activities of users by enabling audit logs. There are two audit logs, one for users and the other for services, which help to answer important questions such as Who touched my files? Is data accessed from protected IPs?

In this recipe, we will configure Kerberos server and look at some of the fundamental components of Kerberos, which are important to understand its working and lay the foundation for setting up Kerberos for Hadoop. Refer to the following diagram, which explains the working of Kerberos:

Kerberos consists of two main components, authentication server (AS) and Key distribution center (KDC, subcomponent KGS). The clients, which could be users, hosts, or services are called principal, authenticate to AS and, on being successful, are granted a ticket (TGT), which is a token to use other services in the respective realm (domain).

The password is never sent over the wire and the TGT granted to the client by the KDC is encapsulated with the client password. The TGT received will be cached by the client and can be used to connect to any service or host within the realm or across domains, if a trust relationship is configured.

KDC is the middleman between clients and services...

In this recipe, we will be configuring Kerberos for a Hadoop cluster and enabling the authentication of services using tokens. Each service and user must have its principal created and imported to the keytab files. These keytab files should be available to the Hadoop daemons to read the passwords and perform operations.

It is assumed that the user has completed the previous recipe "Kerberos Server Setup" and is comfortable using Kerberos.