Big Data Management Administrator Guide > Authentication and Authorization > Authorization
  

Authorization

Authorization controls what a user can do on a Hadoop cluster. For example, a user must be authorized to submit jobs to the Hadoop cluster.
You can use the following systems to manage authorization for Big Data Management:
HDFS permissions
By default, Hadoop uses HDFS permissions to determine what a user can do to a file or directory on HDFS. Additionally, Hadoop implements transparent data encryption in HDFS directories.
Apache Sentry
Sentry is a security plug-in that you can use to enforce role-based authorization for data and metadata on a Hadoop cluster. You can enable high availability for Sentry in the Hadoop cluster. Sentry can secure data and metadata at the table and column level. For example, Sentry can restrict access to columns that contain sensitive data and prevent unauthorized users from accessing the data.
Apache Ranger
Ranger is a security plug-in that you can use to authenticate users of a Hadoop cluster. Ranger manages access to files, folders, databases, tables, and columns. When you perform an action, Ranger verifies that the user meets the policy requirements and has the correct permissions on HDFS. You can enable high availability for Ranger in the Hadoop cluster.
Fine-Grained SQL Authorization
SQL standards-based authorization enables database administrators to impose column-level authorization on Hive tables and views. A more fine-grained level of SQL standards-based authorization enables administrators to impose row and column level authorization. You can configure a Hive connection to observe fine-grained SQL standards-based authorization.

HDFS Permissions

HDFS permissions determine what a user can do to files and directories stored in HDFS. To access a file or directory, a user must have permission or belong to a group that has permission.
HDFS permissions are similar to permissions for UNIX or Linux systems. For example, a user requires the r permission to read a file and the w permission to write a file.
When a user or application attempts to perform an action, HDFS checks if the user has permission or belongs to a group with permission to perform that action on a specific file or directory.

Fine-Grained SQL Authorization for Hive

SQL standards-based authorization enables database administrators to impose fine-grained authorization on Hive tables and views when you read data from a Hive source or a target.
Informatica supports fine-grained SQL authorization for Hive sources with Blaze engine, and Hive sources and targets with Spark engines. You can use the Ranger authorization plug-in when you enable fine-grained SQL authorization for mappings that run on a Hortonworks HDP cluster.
You can use the Sentry authorization plug-in when you enable fine-grained SQL authorization for mappings that run on a Cloudera cluster. When the mapping accesses Hive sources in Blaze engine and Hive sources and targets in Spark engine on a cluster that uses Sentry authorization and runs in native mode, you can use fine-grained SQL authorization on the column level if you configure hive.server2.proxy.user in the Hive JDBC connect string.
In this case, the mapping uses the hive.server2.proxy.user value to access Hive sources and targets. When you also configure the mappingImpersonationUserName property, then the mapping uses the mappingImpersonationUserName value to access Hive sources and targets.
You can configure a Hive connection to observe fine-grained SQL authorization.

Key Management Servers

Key Management Server (KMS) is an open source key management service that supports HDFS data at rest encryption. You can use the cluster administration utility to configure the KMS for Informatica user access.
You can use the following key management servers to encrypt the data at rest:
KMS enables the following functions:
Key management
You can create, update, or delete encryption key zones that control access to functionality.
Access control policies
You can administer access control policies for encryption keys. You can create or edit keys to control access by users to functionality.

Configuring KMS for Informatica User Access

If you use a KMS to encrypt HDFS data at rest, use the cluster administration utility to configure the KMS for Informatica user access.
    1. Create a KMS user account for the Informatica user. Add the Informatica user to a new KMS repository, or to an existing KMS repository.
    The user corresponds to the Data Integration Service user or the Kerberos SPN user.
    2. Grant permissions to the Informatica user.
    3. Create and configure an encryption key.
    4. Create an encryption zone that uses the encryption key you created.
    For example:
    hdfs dfs -mkdir /zone_encr_infa
    hdfs crypto -createZone -keyName infa_key -path /zone_encr_infa
    5. Browse to the Custom KMS Site page and add the following properties:
    hadoop.kms.proxyuser.<user>.groups=*
    hadoop.kms.proxyuser.<user>.hosts=*
    hadoop.kms.proxyuser.<user>.users=*
    where <user> is the Informatica user name you configured in Step 1.
    6. Update the following properties:
    hadoop.kms.proxyuser.<user>.hosts
    hadoop.kms.proxyuser.<user>.groups
    7. Search for proxyuser in the KMS Configurations area. To register all Hadoop system users with the KMS, add the following properties:
    hadoop.kms.proxyuser.HTTP.hosts=*
    hadoop.kms.proxyuser.HTTP.users=*
    hadoop.kms.proxyuser.hive.hosts=*
    hadoop.kms.proxyuser.hive.users=*
    hadoop.kms.proxyuser.keyadmin.hosts=*
    hadoop.kms.proxyuser.keyadmin.users=*
    hadoop.kms.proxyuser.nn.hosts=*
    hadoop.kms.proxyuser.nn.users=*
    hadoop.kms.proxyuser.rm.hosts=*
    hadoop.kms.proxyuser.rm.users=*
    hadoop.kms.proxyuser.yarn.hosts=*
    hadoop.kms.proxyuser.yarn.users=*