Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HDFS Encryption Data at Rest - in Non-Kerberized Environment

avatar
author-rank karan_alang1
Expert Contributor

Created ‎01-20-2017 01:44 AM

Hi All,

I'm trying to set-up HDFS Encryption at Rest - in HDP 2.4 using Ranger KMS.

My cluster is Non-Kerberized, do i need to Kerberize the cluster before i can set-up HDFS Encryption ?

is that mandatory, or i can setup HDFS encryption in Non-Kerberized cluster also ?

Pls. note - the Docs mention kerberos setting (but not that Kerberos is mandatory)

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_Security_Guide/content/ch06s01s01s01.htm...

Pls let me know.

1,726 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank stevel author-rank
Guru

Created ‎01-20-2017 02:15 PM

Without Kerberos, you don't have any authentication, hence no real security. Even if you encrypt the data, there's nothing to stop anyone talking to the cluster claiming to be the administrative user —so able to do lots of damage to the system.

Same for yarn: everything is executed in the cluster as the same user, so code by user Alice, running on the same host as user Bob, can use OS-level permissions and debuggers to get at all the secret's Bob's code has (including decryption keys)

I would recommend embracing Kerberos as the first step to having a secure cluster

View solution in original post

1,558 Views
0 Kudos
0
3 REPLIES 3

avatar
author-rank stevel author-rank
Guru

Created ‎01-20-2017 02:15 PM

Without Kerberos, you don't have any authentication, hence no real security. Even if you encrypt the data, there's nothing to stop anyone talking to the cluster claiming to be the administrative user —so able to do lots of damage to the system.

Same for yarn: everything is executed in the cluster as the same user, so code by user Alice, running on the same host as user Bob, can use OS-level permissions and debuggers to get at all the secret's Bob's code has (including decryption keys)

I would recommend embracing Kerberos as the first step to having a secure cluster

1,559 Views
0 Kudos
0

avatar
author-rank pvillard author-rank
Guru

Created ‎01-20-2017 02:44 PM

I agree with @stevel comment, I'd just add that encrypting the data at rest without Kerberos could only be useful in case disks are stolen. But if this is what you are trying to achieve it might be easier to rely on OS/disks native solutions.

1,558 Views
0 Kudos

avatar
author-rank karan_alang1
Expert Contributor

Created ‎01-26-2017 06:37 AM

@stevel, @Pierre Villard - agreed.. i'll be using kerberos as first step, but still wanted to confirm if this was mandatory for hdfs encryption at rest.

1,558 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements