Page tree
Skip to end of metadata
Go to start of metadata

Apache Ranger is getting a lot of momentum in the open source community, and 0.5 release promises to be a bigger step towards the vision of providing comprehensive security for Hadoop. The 0.5 release is focused on the following areas

 

Release ThemeDescriptionBenefit to usersApache JIRA#Documentation Link
Extensibility - Ranger StacksComplete re-architecting of Ranger to enable adding new plugins easily using JSON specificationEasily add custom plugins and use Ranger to centralize security across multiple datastores RANGER-203 - Framework to extend Ranger security to new components in a pluggable way Resolved Ranger Stacks - How to add a custom plugin?
Hooks for dynamic access controlUsers need to support dynamic access control conditions such as geo, time etcUsers can add dynamic rules in addition to existing static RBAC policies. Dynamic controls give users greater flexibility in managing security policies, also provides a framework for potentially achieving attribute based access control (ABAC) RANGER-256 - Enable pluggable way to add context data to request Resolved  
Authorization and auditing support for YARNProvide ability to manage queue level authorization within Yarn and also audit jobs submitted to Yarn queueUsers can manage Yarn ACLs along with other Hadoop components in a single UI. Yarn is defacto standard for resource management for big data, and more applications are being enabled to run over Yarn. Ranger support for Yarn adds a layer of securityRANGER-248 
Authorization and auditing support for KafkaManage Kafka authorization policies in Ranger and also audit KafkaLike Yarn, users can manage Kafka security through the centralized security console that other Hadoop components are using. Kafka is being adopted for real time streaming use cases and Ranger integration for Kafka enables it be adopted faster in security conscious environments. RANGER-246 - Add support for Authorization and Auditing of Apache Kafka Closed  
Audit Optimization

Couple of things

  1. We would want to summarize audit at source, to handle high volume audit scenarios such as in Kafka or HBase
  2. Include Policy id in the audit logs
Ranger audit would included audit data from newer integrated components such as Kafka and Solr. With audit summarization, we would be able to manage audit volumes for large event systems like Kafka while still maintaining the traceability required by auditors and compliance teams RANGER-276 - Add support for aggregating audit logs at source Closed  
Metadata tags and tag based policiesAs complexity of data increases, it is important to classify and tag data it is coming into Hadoop. This feature provides a method to create security policies based on the metadata tagsUsers can classify data as "sensitive" or "PII" and then would be able to create policies in Ranger at a tag level. Ranger can then automatically enforce policies for any resources classified under that tag RANGER-274 - Add support for TAG based policies Resolved  
Ranger support for HDFS Transparent Encryption

HDFS Transparent was introduce in Hadoop 2.6. The encryption feature included a key provider interface and open source KMS. More details can be found here

Ranger would provide an implementation of open source KMS, with credential and keys stored in a server

Users can potentially used HDFS encryption integrated with Ranger KMS in a production scenario, enabling them to identify sensitive data and encrypt them. Encryption adds in layer of security and is a must in many compliance driven environments RANGER-247 - Provide scalable/HA Hadoop KMS to support Hadoop TDE Resolved  
Query audit stored in HDFSCurrently, Ranger portal provides UI for querying audit data stored in RDMBS. Ranger introduced storage of audit logs in HDFS as part of 0.4 release. In this release, Ranger is moving away from storing audit logs in RDBMS and enabling audit query directly over HDFS dataHDFS storage of audit provides a scalable model for storing audit data and have security built to protect the data. This feature provides users an easy method to query audit logs using Solr RANGER-253 - Add support for audit reporting for the data stored in HDFS Open  
  • No labels