blob: 2aecb8fcc77724863519d3884f23af387a3c61b7 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<meta name="description" content="A new open source Apache Hadoop ecosystem project, Apache Kudu completes Hadoop's storage layer to enable fast analytics on fast data" />
<meta name="author" content="Cloudera" />
<title>Apache Kudu - Apache Kudu Security</title>
<!-- Bootstrap core CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"
integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7"
crossorigin="anonymous">
<!-- Custom styles for this template -->
<link href="/css/kudu.css" rel="stylesheet"/>
<link href="/css/asciidoc.css" rel="stylesheet"/>
<link rel="shortcut icon" href="/img/logo-favicon.ico" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.1/css/font-awesome.min.css" />
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="kudu-site container-fluid">
<!-- Static navbar -->
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="logo" href="/"><img
src="//d3dr9sfxru4sde.cloudfront.net/i/k/apachekudu_logo_0716_80px.png"
srcset="//d3dr9sfxru4sde.cloudfront.net/i/k/apachekudu_logo_0716_80px.png 1x, //d3dr9sfxru4sde.cloudfront.net/i/k/apachekudu_logo_0716_160px.png 2x"
alt="Apache Kudu"/></a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav navbar-right">
<li >
<a href="/">Home</a>
</li>
<li >
<a href="/overview.html">Overview</a>
</li>
<li class="active">
<a href="/docs/">Documentation</a>
</li>
<li >
<a href="/releases/">Releases</a>
</li>
<li >
<a href="/blog/">Blog</a>
</li>
<!-- NOTE: this dropdown menu does not appear on Mobile, so don't add anything here
that doesn't also appear elsewhere on the site. -->
<li class="dropdown">
<a href="/community.html" role="button" aria-haspopup="true" aria-expanded="false">Community <span class="caret"></span></a>
<ul class="dropdown-menu">
<li class="dropdown-header">GET IN TOUCH</li>
<li><a class="icon email" href="/community.html">Mailing Lists</a></li>
<li><a class="icon slack" href="https://getkudu-slack.herokuapp.com/">Slack Channel</a></li>
<li role="separator" class="divider"></li>
<li><a href="/community.html#meetups-user-groups-and-conference-presentations">Events and Meetups</a></li>
<li><a href="/committers.html">Project Committers</a></li>
<!--<li><a href="/roadmap.html">Roadmap</a></li>-->
<li><a href="/community.html#contributions">How to Contribute</a></li>
<li role="separator" class="divider"></li>
<li class="dropdown-header">DEVELOPER RESOURCES</li>
<li><a class="icon github" href="https://github.com/apache/incubator-kudu">GitHub</a></li>
<li><a class="icon gerrit" href="http://gerrit.cloudera.org:8080/#/q/status:open+project:kudu">Gerrit Code Review</a></li>
<li><a class="icon jira" href="https://issues.apache.org/jira/browse/KUDU">JIRA Issue Tracker</a></li>
<li role="separator" class="divider"></li>
<li class="dropdown-header">SOCIAL MEDIA</li>
<li><a class="icon twitter" href="https://twitter.com/ApacheKudu">Twitter</a></li>
<li><a href="https://www.reddit.com/r/kudu/">Reddit</a></li>
<li role="separator" class="divider"></li>
<li class="dropdown-header">APACHE SOFTWARE FOUNDATION</li>
<li><a href="https://www.apache.org/security/" target="_blank">Security</a></li>
<li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank">Sponsorship</a></li>
<li><a href="https://www.apache.org/foundation/thanks.html" target="_blank">Thanks</a></li>
<li><a href="https://www.apache.org/licenses/" target="_blank">License</a></li>
</ul>
</li>
<li >
<a href="/faq.html">FAQ</a>
</li>
</ul><!-- /.nav -->
</div><!-- /#navbar -->
</div><!-- /.container-fluid -->
</nav>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<div class="container">
<div class="row">
<div class="col-md-9">
<h1>Apache Kudu Security</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Kudu includes security features which allow Kudu clusters to be hardened against
access from unauthorized users. This guide describes the security features
provided by Kudu. <a href="#configuration">Configuring a Secure Kudu Cluster</a> lists essential configuration options when
deploying a secure Kudu cluster. <a href="#known-limitations">Known Limitations</a> contains a list of
known deficiencies in Kudu&#8217;s security capabilities.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authentication"><a class="link" href="#_authentication">Authentication</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Kudu can be configured to enforce secure authentication among servers, and
between clients and servers. Authentication prevents untrusted actors from
gaining access to Kudu, and securely identifies the connecting user or services
for authorization checks. Authentication in Kudu is designed to interoperate
with other secure Hadoop components by utilizing Kerberos.</p>
</div>
<div class="paragraph">
<p>Authentication can be configured on Kudu servers using the
<code>--rpc_authentication</code> flag, which can be set to <code>required</code>, <code>optional</code>, or
<code>disabled</code>. By default, the flag is set to <code>optional</code>. When <code>required</code>, Kudu
will reject connections from clients and servers who lack authentication
credentials. When <code>optional</code>, Kudu will attempt to use strong authentication.
When <code>disabled</code> or strong authentication fails for 'optional', by default Kudu
will only allow unauthenticated connections from trusted subnets, which are
private networks (127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,
169.254.0.0/16) and local subnets of all local network interfaces. Unauthenticated
connections from publicly routable IPs will be rejected.</p>
</div>
<div class="paragraph">
<p>The trusted subnets can be configured using the <code>--trusted_subnets</code> flag,
which can be set to IP blocks in CIDR notation separated by comma. Set it to
'0.0.0.0/0' to allow unauthenticated connections from all remote IP addresses.
However, if network access is not otherwise restricted by a firewall,
malicious users may be able to gain unauthorized access. This can be mitigated
if authentication is configured to be required.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
When the <code>--rpc_authentication</code> flag is set to <code>optional</code>,
the cluster does not prevent access from unauthenticated users. To secure a
cluster, use <code>--rpc_authentication=required</code>.
</td>
</tr>
</table>
</div>
<div class="sect2">
<h3 id="_internal_pki"><a class="link" href="#_internal_pki">Internal PKI</a></h3>
<div class="paragraph">
<p>Kudu uses an internal PKI system to issue X.509 certificates to servers in
the cluster. Connections between peers who have both obtained certificates will
use TLS for authentication, which doesn&#8217;t require contacting the Kerberos KDC.
These certificates are <em>only</em> used for internal communication among Kudu
servers, and between Kudu clients and servers. The certificates are never
presented in a public facing protocol.</p>
</div>
<div class="paragraph">
<p>By using internally-issued certificates, Kudu offers strong authentication which
scales to huge clusters, and allows TLS encryption to be used without requiring
you to manually deploy certificates on every node.</p>
</div>
</div>
<div class="sect2">
<h3 id="_authentication_tokens"><a class="link" href="#_authentication_tokens">Authentication Tokens</a></h3>
<div class="paragraph">
<p>After authenticating to a secure cluster, the Kudu client will automatically
request an authentication token from the Kudu master. An authentication token
encapsulates the identity of the authenticated user and carries the master&#8217;s
RSA signature so that its authenticity can be verified.</p>
</div>
<div class="paragraph">
<p>This token will be used to authenticate subsequent connections. By default,
authentication tokens are only valid for seven days, so that even if a token
were compromised, it could not be used indefinitely. For the most part,
authentication tokens should be completely transparent to users. By using
authentication tokens, Kudu takes advantage of strong authentication without
paying the scalability cost of communicating with a central authority for every
connection.</p>
</div>
<div class="paragraph">
<p>When used with distributed compute frameworks such as Spark, authentication
tokens can simplify configuration and improve security. For example, the Kudu
Spark connector will automatically retrieve an authentication token during the
planning stage, and distribute the token to tasks. This allows Spark to work
against a secured Kudu cluster where only the planner node has Kerberos
credentials.</p>
</div>
</div>
<div class="sect2">
<h3 id="_client_authentication_to_secure_kudu_clusters"><a class="link" href="#_client_authentication_to_secure_kudu_clusters">Client Authentication to Secure Kudu Clusters</a></h3>
<div class="paragraph">
<p>Users running client Kudu applications must first run the <code>kinit</code> command to
obtain a Kerberos ticket-granting ticket. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">$ kinit admin@EXAMPLE-REALM.COM</code></pre>
</div>
</div>
<div class="paragraph">
<p>Once authenticated, you use the same client code to read from and write to Kudu
servers with and without Kerberos configuration.</p>
</div>
</div>
<div class="sect2">
<h3 id="_scalability"><a class="link" href="#_scalability">Scalability</a></h3>
<div class="paragraph">
<p>Kudu authentication is designed to scale to thousands of nodes, which requires
avoiding unnecessary coordination with a central authentication authority (such
as the Kerberos KDC). Instead, Kudu servers and clients will use Kerberos to
establish initial trust with the Kudu master, and then use alternate credentials
for subsequent connections. In particular, the master will issue internal
X.509 certificates to servers, and temporary authentication tokens to clients.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_coarse_grained_authorization"><a class="link" href="#_coarse_grained_authorization">Coarse-Grained Authorization</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Kudu supports coarse-grained authorization of client requests based on the
authenticated client Kerberos principal (i.e. user or service). The two levels
of access which can be configured are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Superuser</strong> - principals authorized as a superuser are able to perform
certain administrative functionality such as using the <code>kudu</code> command line tool
to diagnose or repair cluster issues.</p>
</li>
<li>
<p><strong>User</strong> - principals authorized as a user are able to access and modify all
data in the Kudu cluster. This includes the ability to create, drop, and alter
tables as well as read, insert, update, and delete data.</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Internally, Kudu has a third access level for the daemons themselves.
This ensures that users cannot connect to the cluster and pose as tablet
servers.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Access levels are granted using whitelist-style Access Control Lists (ACLs), one
for each of the two levels. Each access control list either specifies a
comma-separated list of users, or may be set to <code>*</code> to indicate that all
authenticated users are able to gain access at the specified level. See
<a href="#configuration">Configuring a Secure Kudu Cluster</a> below for examples.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
The default value for the User ACL is <code>*</code>, which allows all users access
to the cluster. However, if authentication is enabled, this still restricts access
to only those users who are able to successfully authenticate via Kerberos.
Unauthenticated users on the same network as the Kudu servers will be unable
to access the cluster.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="fine_grained_authz"><a class="link" href="#fine_grained_authz">Fine-Grained Authorization</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>As of Kudu 1.10.0, Kudu can be configured to enforce fine-grained authorization
across servers. This ensures that users can see only the data they are
explicitly authorized to see. Kudu currently supports this by leveraging
policies defined in Apache Sentry 2.2 and later.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
Fine-grained authorization policies are not enforced when accessing
the web UI. User data may appear on various pages of the web UI (e.g. in logs,
metrics, scans, etc.). As such, it is recommended to either limit access to the
web UI ports, or redact or disable the web UI entirely, as desired. See the
<a href="#web-ui">instructions for securing the web UI</a> for more details.
</td>
</tr>
</table>
</div>
<div class="sect2">
<h3 id="_apache_sentry"><a class="link" href="#_apache_sentry">Apache Sentry</a></h3>
<div class="paragraph">
<p>Apache Sentry models tabular objects in the following hierarchy:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Server</strong> - indicated by the Kudu configuration flag <code>--server_name</code>.
Everything stored in a Kudu cluster falls within the given "server".</p>
</li>
<li>
<p><strong>Database</strong> - indicated as a prefix of table names with the format
<code>&lt;database&gt;.&lt;table&gt;</code>.</p>
</li>
<li>
<p><strong>Table</strong> - a single Kudu table.</p>
</li>
<li>
<p><strong>Column</strong> - a column within a Kudu table.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Each level of this hierarchy defines a "scope" on which privileges can be
granted. Privileges granted on a higher scope imply privileges on a lower
scope. For example, if a user has <code>SELECT</code> privilege on a database, that user
implicitly has <code>SELECT</code> privileges on every table belonging to that database.</p>
</div>
<div class="paragraph">
<p>Privileges are also associated with specific actions. Access to Kudu tables may
rely on privileges on the following actions:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>ALTER</code></p>
</li>
<li>
<p><code>CREATE</code></p>
</li>
<li>
<p><code>DELETE</code></p>
</li>
<li>
<p><code>DROP</code></p>
</li>
<li>
<p><code>INSERT</code></p>
</li>
<li>
<p><code>UPDATE</code></p>
</li>
<li>
<p><code>SELECT</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Additionally, there are three special actions recognized by Kudu: <code>ALL</code>,
<code>OWNER</code>, and <code>METADATA</code>. If a user has the <code>ALL</code> or <code>OWNER</code> privileges on a
given table, that user has all of the above privileges on the table.
<code>METADATA</code> privilege is not an actual privilege per se, rather, it is a
conceptual privilege with which Kudu models any privilege. If a user has any
privilege on a given table, that user has <code>METADATA</code> privileges on the table,
i.e. a privilege granted on any action on a table implies that the user has
the <code>METADATA</code> privilege on that table.</p>
</div>
<div class="paragraph">
<p>For more details about Sentry privileges, see the Apache Sentry
<a href="https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Privileges">documentation</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Depending on the value of the <code>sentry.db.explicit.grants.permitted</code>
configuration in Sentry, certain privileges may not be grantable in Sentry. For
example, in Sentry deployments that don&#8217;t support <code>UPDATE</code> privileges, to
perform an operation that requires <code>UPDATE</code> privileges, a user must instead
have <code>ALL</code> privileges.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>When a Kudu master receives a request, it consults Sentry to determine what
privileges a user has. If the user is not authorized to perform the requested
action, the request is rejected. Kudu leverages the authenticated identity of a
user to decide whether to perform or reject a request.</p>
</div>
</div>
<div class="sect2">
<h3 id="_authorization_tokens"><a class="link" href="#_authorization_tokens">Authorization Tokens</a></h3>
<div class="paragraph">
<p>Rather than having every tablet server communicate directly with Sentry,
privileges are propagated and checked via <strong>authorization tokens</strong>. These tokens
encapsulate what privileges a user has on a given table. Tokens are generated
by the master and returned to Kudu clients upon opening a Kudu table. Kudu
clients automatically attach authorization tokens when sending requests to
tablet servers.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Authorization tokens are a means to limiting the number of nodes directly
accessing Sentry to retrieve privileges. As such, since the expected number of
tablet servers in a cluster is much higher than the number of Kudu masters,
they are only used to authorize requests sent to tablet servers. Kudu masters
fetch privileges directly from Sentry or cache. See <a href="#privilege-caching">Caching</a> for
more details of Kudu&#8217;s privilege cache.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Similar to the validity interval for authentication tokens, to limit the
window of potential unwanted access if a token becomes compromised,
authorization tokens are valid for five minutes by default. The acquisition and
renewal of a token is hidden from the user, as Kudu clients automatically
retrieve new tokens when existing tokens expire.</p>
</div>
<div class="paragraph">
<p>When a tablet server that has been configured to enforce fine-grained access
control receives a request, it checks the privileges in the attached token,
rejecting it if the privileges are not sufficient to perform the requested
operation, or if it is invalid (e.g. expired).</p>
</div>
</div>
<div class="sect2">
<h3 id="trusted-users"><a class="link" href="#trusted-users">Trusted Users</a></h3>
<div class="paragraph">
<p>It may be desirable to allow certain users to view and modify any data stored
in Kudu. Such users can be specified via the <code>--trusted_user_acl</code> master
configuration. Trusted users can perform any operation that would otherwise
require fine-grained privileges, without Kudu consulting Sentry.</p>
</div>
<div class="paragraph">
<p>Additionally, some services that interact with Kudu may authorize requests on
behalf of their end users. For example, Apache Impala authorizes queries on
behalf of its users, and sends requests to Kudu as the Impala service user,
commonly "impala". Since Impala authorizes requests on its own, to avoid
extraneous communication between Sentry and Kudu, the Impala service user
should be listed as a trusted user.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
When accessing Kudu through Impala, Impala enforces its own fine-grained
authorization policy. This policy is similar to Kudu&#8217;s and can be found in
Impala&#8217;s
<a href="https://impala.apache.org/docs/build/html/topics/impala_authorization.html#authorization">authorization
documentation</a>.
</td>
</tr>
</table>
</div>
</div>
<div class="sect2">
<h3 id="sentry-configuration"><a class="link" href="#sentry-configuration">Configuring the Integration with Apache Sentry</a></h3>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Sentry is often configured with Kerberos authentication. See
<a href="#configuration">Configuring a Secure Kudu Cluster</a> for how to configure Kudu to authenticate via Kerberos.
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
In order to enable integration with Sentry, a cluster must first be
integrated with the Apache Hive Metastore. See the
<a href="hive_metastore.html#enabling-the-hive-metastore-integration">documentation</a>
for how to configure Kudu to synchronize its internal catalog with the Hive
Metastore.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The following configurations must be set on the master:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code>--sentry_service_rpc_addresses=&lt;Sentry RPC address&gt;
--server_name=&lt;value of HiveServer2's hive.sentry.server configuration&gt;
--kudu_service_name=kudu
--sentry_service_kerberos_principal=sentry
--sentry_service_security_mode=kerberos
# This example ACL setup allows the 'impala' user to access all data stored in
# Kudu, assuming Impala will authorize requests on its own. The 'hadoopadmin'
# user is also granted access to all Kudu data, which may facilitate testing
# and debugging.
--trusted_user_acl=impala,hadoopadmin</code></pre>
</div>
</div>
<div class="paragraph">
<p>The following configurations must be set on the tablet servers:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code>--tserver_enforce_access_control=true</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="privilege-caching"><a class="link" href="#privilege-caching">Caching</a></h3>
<div class="paragraph">
<p>To avoid overwhelming Sentry with requests to fetch user privileges, the Kudu
master can be configured to cache user privileges. A by-product of this caching
is that when privileges are changed in Sentry, they may not be reflected in
Kudu for a configurable amount of time, defined by the following Kudu master
configurations:</p>
</div>
<div class="paragraph">
<p><code>--sentry_privileges_cache_ttl_factor * --authz_token_validity_interval_secs</code></p>
</div>
<div class="paragraph">
<p>The default value is fifty minutes. If privilege updates need to be reflected
in Kudu sooner than this, the Kudu CLI tool can be used to invalidate the
cached privileges to force Kudu to fetch new ones from Sentry:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">kudu master authz_cache reset &lt;master-addresses&gt;</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_policy_for_kudu_masters"><a class="link" href="#_policy_for_kudu_masters">Policy for Kudu Masters</a></h3>
<div class="paragraph">
<p>The following authorization policy is enforced by Kudu masters.</p>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 1. Authorization Policy for Masters</caption>
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Operation</th>
<th class="tableblock halign-left valign-top">Required Privilege</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>CreateTable</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>CREATE ON DATABASE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>CreateTable</code> with a different owner specified than the requesting user</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ALL ON DATABASE</code> with the Sentry <code>GRANT OPTION</code> (see <a href="https://cwiki.apache.org/confluence/display/SENTRY/Support+Delegated+GRANT+and+REVOKE+in+Hive+and+Impala">here</a>)</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>DeleteTable</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>DROP ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>AlterTable</code> (with no rename)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ALTER ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>AlterTable</code> (with rename)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ALL ON TABLE &lt;old-table&gt;</code> and <code>CREATE ON DATABASE &lt;new-database&gt;</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>IsCreateTableDone</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>IsAlterTableDone</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ListTables</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>GetTableLocations</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>GetTableSchema</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>GetTabletLocations</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>METADATA ON TABLE</code></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_policy_for_kudu_tablet_servers"><a class="link" href="#_policy_for_kudu_tablet_servers">Policy for Kudu Tablet Servers</a></h3>
<div class="paragraph">
<p>The following authorization policy is enforced by Kudu tablet servers.</p>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2. Authorization Policy for Tablet Servers</caption>
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Operation</th>
<th class="tableblock halign-left valign-top">Required Privilege</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Scan</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>SELECT ON TABLE</code>, or</p>
<p class="tableblock"><code>METADATA ON TABLE</code> and <code>SELECT ON COLUMN</code> for each projected column and each predicate column</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Scan</code> (no projected columns, equivalent to <code>COUNT(*)</code>)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>SELECT ON TABLE</code>, or</p>
<p class="tableblock"><code>SELECT ON COLUMN</code> for each column in the table</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Scan</code> (with virtual columns)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>SELECT ON TABLE</code>, or</p>
<p class="tableblock"><code>SELECT ON COLUMN</code> for each column in the table</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Scan</code> (in <code>ORDERED</code> mode)</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>&lt;privileges required for a Scan&gt;</code> and <code>SELECT ON COLUMN</code> for each primary key column</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Insert</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>INSERT ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Update</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>UPDATE ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Upsert</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>INSERT ON TABLE</code> and <code>UPDATE ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Delete</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>DELETE ON TABLE</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>SplitKeyRange</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>SELECT ON COLUMN</code> for each primary key column and <code>SELECT ON COLUMN</code> for each projected column</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Checksum</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">User must be configured in <code>--superuser_acl</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>ListTablets</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">User must be configured in <code>--superuser_acl</code></p></td>
</tr>
</tbody>
</table>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Unlike Impala, Kudu only supports all-or-nothing access to a table&#8217;s
schema, rather than showing only authorized columns.
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_encryption"><a class="link" href="#_encryption">Encryption</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Kudu allows all communications among servers and between clients and servers
to be encrypted with TLS.</p>
</div>
<div class="paragraph">
<p>Encryption can be configured on Kudu servers using the <code>--rpc_encryption</code> flag,
which can be set to <code>required</code>, <code>optional</code>, or <code>disabled</code>. By default, the flag
is set to <code>optional</code>. When <code>required</code>, Kudu will reject unencrypted connections.
When <code>optional</code>, Kudu will attempt to use encryption. Same as authentication,
when <code>disabled</code> or encryption fails for <code>optional</code>, Kudu will only allow
unencrypted connections from trusted subnets and reject any unencrypted connections
from publicly routable IPs. To secure a cluster, use <code>--rpc_encryption=required</code>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Kudu will automatically turn off encryption on local loopback connections,
since traffic from these connections is never exposed externally. This allows
locality-aware compute frameworks like Spark and Impala to avoid encryption
overhead, while still ensuring data confidentiality.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="web-ui"><a class="link" href="#web-ui">Web UI Encryption</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Kudu web UI can be configured to use secure HTTPS encryption by providing
each server with TLS certificates. See <a href="#configuration">Configuring a Secure Kudu Cluster</a> for more information on
web UI HTTPS configuration.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_web_ui_redaction"><a class="link" href="#_web_ui_redaction">Web UI Redaction</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>To prevent sensitive data from being exposed in the web UI, all row data is
redacted. Table metadata, such as table names, column names, and partitioning
information is not redacted. The web UI can be completely disabled by setting
the <code>--webserver_enabled=false</code> flag on Kudu servers.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
Disabling the web UI will also disable REST endpoints such as
<code>/metrics</code>. Monitoring systems rely on these endpoints to gather metrics data.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="logs"><a class="link" href="#logs">Log Security</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>To prevent sensitive data from being included in Kudu server logs, all row data
is redacted by default. By setting the <code>--redact=log</code> flag, redaction will be
disabled in the web UI but retained for server logs. Alternatively, <code>--redact=none</code>
can be used to disable redaction completely.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuration"><a class="link" href="#configuration">Configuring a Secure Kudu Cluster</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>The following configuration parameters should be set on all servers (master and
tablet server) in order to ensure that a Kudu cluster is secure:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code># Connection Security
#--------------------
--rpc_authentication=required
--rpc_encryption=required
--keytab_file=&lt;path-to-kerberos-keytab&gt;
# Web UI Security
#--------------------
--webserver_certificate_file=&lt;path-to-cert-pem&gt;
--webserver_private_key_file=&lt;path-to-key-pem&gt;
# optional
--webserver_private_key_password_cmd=&lt;password-cmd&gt;
# If you prefer to disable the web UI entirely:
--webserver_enabled=false
# Coarse-grained authorization
#--------------------------------
# This example ACL setup allows the 'impala' user as well as the
# 'nightly_etl_service_account' principal access to all data in the
# Kudu cluster. The 'hadoopadmin' user is allowed to use administrative
# tooling. Note that, by granting access to 'impala', other users
# may access data in Kudu via the Impala service subject to its own
# authorization rules.
--user_acl=impala,nightly_etl_service_account
--superuser_acl=hadoopadmin</code></pre>
</div>
</div>
<div class="paragraph">
<p>See <a href="#sentry-configuration">Configuring the Integration with Apache Sentry</a> to see an example of how to enable fine-grained
authorization via Apache Sentry.</p>
</div>
<div class="paragraph">
<p>Further information about these flags can be found in the configuration
flag reference.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="known-limitations"><a class="link" href="#known-limitations">Known Limitations</a></h2>
<div class="sectionbody">
<div class="paragraph">
<p>Kudu has a few known security limitations:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Custom Kerberos Principal</dt>
<dd>
<p>Kudu does not support setting a custom service
principal for Kudu processes. The principal must be 'kudu'.</p>
</dd>
<dt class="hdlist1">External PKI</dt>
<dd>
<p>Kudu does not support externally-issued certificates for internal
wire encryption (server to server and client to server).</p>
</dd>
<dt class="hdlist1">On-disk Encryption</dt>
<dd>
<p>Kudu does not have built-in on-disk encryption. However,
Kudu can be used with whole-disk encryption tools such as dm-crypt.</p>
</dd>
</dl>
</div>
</div>
</div>
</div>
<div class="col-md-3">
<div id="toc" data-spy="affix" data-offset-top="70">
<ul>
<li>
<a href="index.html">Introducing Kudu</a>
</li>
<li>
<a href="release_notes.html">Kudu Release Notes</a>
</li>
<li>
<a href="quickstart.html">Quickstart Guide</a>
</li>
<li>
<a href="installation.html">Installation Guide</a>
</li>
<li>
<a href="configuration.html">Configuring Kudu</a>
</li>
<li>
<a href="hive_metastore.html">Using the Hive Metastore with Kudu</a>
</li>
<li>
<a href="kudu_impala_integration.html">Using Impala with Kudu</a>
</li>
<li>
<a href="administration.html">Administering Kudu</a>
</li>
<li>
<a href="troubleshooting.html">Troubleshooting Kudu</a>
</li>
<li>
<a href="developing.html">Developing Applications with Kudu</a>
</li>
<li>
<a href="schema_design.html">Kudu Schema Design</a>
</li>
<li>
<a href="scaling_guide.html">Kudu Scaling Guide</a>
</li>
<li>
<span class="active-toc">Kudu Security</span>
<ul class="sectlevel1">
<li><a href="#_authentication">Authentication</a>
<ul class="sectlevel2">
<li><a href="#_internal_pki">Internal PKI</a></li>
<li><a href="#_authentication_tokens">Authentication Tokens</a></li>
<li><a href="#_client_authentication_to_secure_kudu_clusters">Client Authentication to Secure Kudu Clusters</a></li>
<li><a href="#_scalability">Scalability</a></li>
</ul>
</li>
<li><a href="#_coarse_grained_authorization">Coarse-Grained Authorization</a></li>
<li><a href="#fine_grained_authz">Fine-Grained Authorization</a>
<ul class="sectlevel2">
<li><a href="#_apache_sentry">Apache Sentry</a></li>
<li><a href="#_authorization_tokens">Authorization Tokens</a></li>
<li><a href="#trusted-users">Trusted Users</a></li>
<li><a href="#sentry-configuration">Configuring the Integration with Apache Sentry</a></li>
<li><a href="#privilege-caching">Caching</a></li>
<li><a href="#_policy_for_kudu_masters">Policy for Kudu Masters</a></li>
<li><a href="#_policy_for_kudu_tablet_servers">Policy for Kudu Tablet Servers</a></li>
</ul>
</li>
<li><a href="#_encryption">Encryption</a></li>
<li><a href="#web-ui">Web UI Encryption</a></li>
<li><a href="#_web_ui_redaction">Web UI Redaction</a></li>
<li><a href="#logs">Log Security</a></li>
<li><a href="#configuration">Configuring a Secure Kudu Cluster</a></li>
<li><a href="#known-limitations">Known Limitations</a></li>
</ul>
</li>
<li>
<a href="transaction_semantics.html">Kudu Transaction Semantics</a>
</li>
<li>
<a href="background_tasks.html">Background Maintenance Tasks</a>
</li>
<li>
<a href="configuration_reference.html">Kudu Configuration Reference</a>
</li>
<li>
<a href="command_line_tools_reference.html">Kudu Command Line Tools Reference</a>
</li>
<li>
<a href="known_issues.html">Known Issues and Limitations</a>
</li>
<li>
<a href="contributing.html">Contributing to Kudu</a>
</li>
<li>
<a href="export_control.html">Export Control Notice</a>
</li>
</ul>
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="row">
<div class="col-md-9">
<p class="small">
Copyright &copy; 2019 The Apache Software Foundation. Last updated 2019-07-14 18:33:13 CDT
</p>
<p class="small">
Apache Kudu, Kudu, Apache, the Apache feather logo, and the Apache Kudu
project logo are either registered trademarks or trademarks of The
Apache Software Foundation in the United States and other countries.
</p>
</div>
<div class="col-md-3">
<a class="pull-right" href="https://www.apache.org/events/current-event.html">
<img src="https://www.apache.org/events/current-event-234x60.png"/>
</a>
</div>
</div>
</footer>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script>
// Try to detect touch-screen devices. Note: Many laptops have touch screens.
$(document).ready(function() {
if ("ontouchstart" in document.documentElement) {
$(document.documentElement).addClass("touch");
} else {
$(document.documentElement).addClass("no-touch");
}
});
</script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"
integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS"
crossorigin="anonymous"></script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-68448017-1', 'auto');
ga('send', 'pageview');
</script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/3.1.0/anchor.js"></script>
<script>
anchors.options = {
placement: 'right',
visible: 'touch',
};
anchors.add();
</script>
</body>
</html>