Hadoop Security Analysis - Google Drive.pdf

《Hadoop Security Analysis - Google Drive.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、HadoopSecurityAnalysisNOTE:Thisisaworkingdraft.Notesarebeingcollectedandwillbeeditedforreadability.IntroductionThisdocumentdescribesthestateofsecurityinaHadoopYARNcluster.First,thisdocumentdescribesthefollowingentitiesandtheirinteractionsinasecureHadoopcluster:

2、tokens,principals,authenticationmechanisms,authenticatingparties,authorizationmechanisms,authorizedparties,andexecutionenvironment.Second,itexaminestheseentitiesthroughthelensofadherencetocommonlyheldsecurityprinciples.TokensIngeneral,tokensareaddedtothecurrent

3、UGI(UserGroupInformation.java).ThisresultsinthosetokensbeingaddedascredentialstotheJAASSubjectassociatedwiththatUGI.AnRPCcallisthenmadeinthecontextofaUGI.doAswhichpushestheSubjectontothethreadcontext.Whenaconnectiontoaserveriscreated,anappropriatetokenisselecte

4、dfromaUGIcreatedfromthecurrentJAASSubject.ThiscanbeseeninthegetProtocolProxymethodsoftheRPCclass:hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/RPC.java.Thisselectionisbasedonthetypeofservertowhichtheconnectionisbeingestablishedandthety

5、peoftokenitrequires.(SeeConnectorconstructorinhadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java.)SeemethodgetProxy(lines182-198)inClientServiceDelegateforanexampleofhowtokensaresetupbyclients:hadoop-mapreduce-project/hadoop-map

6、reduce-client/hadoop-mapreduce-client-jobclient/src/main/java/org/apache/hadoop/mapred/ClientServiceDelegate.java.EachservicethatgeneratestokenshasamasterkeythatisusedtogenerateaMessageAuthenticationCode(MAC)forthetoken.Thisisalsoreferredtoasthetokenpassword.Se

7、rversstoretheirmasterkeyinaSecretManagerusedwitheachRPCserver.Inseveralsituationsthismasterkeyisdistributedbetweenmasterandslavesservicesbyregistrationorheartbeatinteractionsinitiatedbytheslaveservices.PrincipalsHerewedefinetheentitiesthatmaybeauthenticatedandg

8、rantedrightswithinaHadoopcluster.UserUsersareinternallyrepresentedwithinHadoopassimplestrings.Attheboundariesvariousmechanismsareusedtoderivethesesimplestrings.Forexamplethe