Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How Apache Ranger and Chuck Norris help secure Hadoop

Andrew C. Oliver | Aug. 21, 2015
The Hadoop ecosystem has always been a bag of parts, each of which needs to be secured separately -- at least they did need that, until Apache Ranger came to town

Ranger Hadoop security project

A policy creation screen from Ranger documentation

A GUI with a central view of who is allowed to do what brings much needed simplicity to the Hadoop ecosystem, but that's not all that Ranger offers. It also provides audit logging. Although this can't supplant all the application audit logging you could ever want, if you simply need to know who accessed what on HDFS or what policies were enforced where, it's probably exactly what you need.

In addition, Ranger can provide Key Management Services in order to work with HDFS's new TDE (transparent data encryption). So if you need end-to-end encryption and a clean way to manage the keys associated with it, Ranger is not a bad place to start.

Ranger looks ahead

I think the biggest hope for Ranger comes from its extensibility. You can create your own plug-ins for areas that are not covered.

If you were hoping this was the end of the story on Hadoop security, unfortunately, Cloudera has its own Apache project called Sentry (which MapR appears to also support) that covers much the same area. To be fair, Sentry was first, then Hortonworks acquired XA Secure. That said, the documentation for Sentry is virtually nonexistent, the coverage is more constrained, and the project website is in disrepair (although activity on GitHub recently picked up).

Hadoop security has come a long way. Ranger gives a fairly comprehensive, if still a little incomplete, way to manage the ecosystem. The holes that persist are mainly due to vendor competition throughout the big data world. These can be filled via the extensibility of the project, but it would be nice to see more collaboration and community in the Apache world.

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.