towards abac in hadoop ecosystemtowards abac in hadoop ecosystem prof. ravi sandhu executive...

Towards ABAC in Hadoop Ecosystem

Prof. Ravi SandhuExecutive Director and Endowed Chair

Institute for Cyber Security, University of Texas at San [email protected], www.profsandhu.com

Ford EEIT & GDIA Big Data Access Control Symposium

Dearborn, MichiganMay 2, 2017

Institute for Cyber Security

© Ravi Sandhu World-Leading Research with Real-World Impact! 1

http://www.profsandhu.com/

PEI Models: 3 Layers


Security and system goals(objective policy)

Actual Code

Policy Models

Enforcement Models

Implementation Models

Necessarily Informal

Formal/ quasi-formal

System block diagrams,

protocol flows

Pseudo-code




Actual Code

Policy Models

Enforcement Models





protocol flows

Pseudo-code


Multi-Layer Authorization

Services

Data and ObjectsCluster Resources and Applications


Hadoop Ecosystem Enforcement Model

Apache Ranger, Apache SentryApache Knox

Apache Hive, HDFS, Apache Storm, Apache Kafka, YARN




Actual Code

Policy Models

Enforcement Models





protocol flows

Pseudo-code

AC Model: Hadoop View


): NameNode, YARN ResourceManager

: access / communicate: Files and Directories in HDFS

) : read, write, execute

AC Model: Ranger View


) : Hive, HDFS, Kafka, HBase: Files and Directories in HDFS; Tables, columns in Hive

) : read, write, execute, select, create: PII, top-secret


AC Model: Sentry View

AC Model: Consolidated View



Proposed OT-RBAC ModelObject-Tagged RBAC


Adding Attributes to OT-RBAC




Actual Code

Policy Models

Enforcement Models





protocol flows

Pseudo-code


Publications

towards abac in hadoop ecosystemtowards abac in hadoop ecosystem prof. ravi sandhu executive...

Documents