Database Reference
The BigInsights Web Console has been structured to act as a gateway to the
cluster. It features enhanced security by supporting Lightweight Directory
Access Protocol (LDAP) authentication. LDAP and reverse-proxy support
help administrators restrict access to authorized users. In addition, clients
outside of the cluster must use secured REST interfaces to gain access to the cluster
through the gateway. In contrast, Apache Hadoop has open ports on every
node in the cluster. The more ports you need to have open (and there are a lot
of them in open source Hadoop), the less secure the environment and the
more likely you won't pass internal audit scans.

BigInsights can be configured to communicate with an LDAP credentials
server for authentication. All communication between the console and the
LDAP server occurs using LDAP (by default) or both LDAP and LDAPS
(LDAP over HTTPS). The BigInsights installer helps you to define mappings
between your LDAP users and groups and the four BigInsights roles (System
Administrator, Data Administrator, Application Administrator, and User).
After BigInsights has been installed, you can add or remove users from the
LDAP groups to grant or revoke access to various console functions.

Kerberos security is integrated into open source Hadoop, and offers services
and some operational tooling, but does not support alternative
authentication. BigInsights uses LDAP as the default authentication protocol.
BigInsights emphasizes the use of LDAP because when compared to
Kerberos and other alternatives, it's a much simpler protocol to install and
configure. Finally, BigInsights supports alternate authentication options
such as Linux Pluggable Authentication Modules (PAM). You can use this
to deploy Kerberos token authentication, or even biometric authentication.

Putting the cluster behind the Web Console's software firewall and establishing
user roles helps to lock down BigInsights and its data, but a complete
security story has to include regulatory compliance. For example, any business
that accepts credit cards must be in compliance with the Payment Card Industry
Data Security Standard (PCI DSS), which requires customer data to be secured
and any accesses logged. Guardium is the market leader in the compliance
market, and processes the audit logs generated by relational databases. IBM
has built extensions to BigInsights to store audit logs for data accesses in the
cluster. Audit logs are generated for any data access activity involving the
following components: Hadoop RPC, HDFS, MapReduce, Oozie, and HBase.