Towards ABAC in Hadoop Ecosystem
Prof. Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security, University of Texas at San Antonio
[email protected], www.profsandhu.com
Ford EEIT & GDIA Big Data Access Control Symposium
Dearborn, Michigan
May 2, 2017
Institute for Cyber Security
© Ravi Sandhu World-Leading Research with Real-World Impact! 1
PEI Models: 3 Layers
Security and system goals (objective policy): necessarily informal
Policy Models: formal / quasi-formal
Enforcement Models: system block diagrams, protocol flows
Implementation Models: pseudo-code
Actual Code
Multi-Layer Authorization
Services
Data and Objects
Cluster Resources and Applications
Hadoop Ecosystem Enforcement Model
Apache Ranger, Apache Sentry
Apache Knox
Apache Hive, HDFS, Apache Storm, Apache Kafka, YARN
AC Model: Hadoop View
): NameNode, YARN ResourceManager
: access / communicate: Files and Directories in HDFS
) : read, write, execute
AC Model: Ranger View
) : Hive, HDFS, Kafka, HBase: Files and Directories in HDFS; Tables, columns in Hive
) : read, write, execute, select, create: PII, top-secret
Proposed OT-RBAC Model
Object-Tagged RBAC