When Hadoop was started 10 years ago and first started getting its security bits in place 8 years ago, SELinux was immature and extremely broken. (Which, in many ways, is still true. Like a lot of Linux vs. commercial competitors, it’s about 80% there.) Plus, considering that Hadoop was written in Java, it never made sense to integrate Hadoop so tightly with those interfaces.

It’s also worth pointing out that SELinux doesn’t help at all with protecting things inside of HDFS, since it is a user-land file system and not mounted at the VFS layer. The number of contortions required to get support would be… interesting.

Now that time has progressed and both projects have evolved, someone might be interested in exploring the possibilities. It’s worth pointing out that large portions of Hadoop’s security model are pluggable. So if you’d like to take this work on, feel free.

On Mar 26, 2015, at 7:44 AM, Madhan Sundararajan <madhan.sundarara...@tcs.com> wrote:

> Allen,
> 
> Unlike you, I am no Unix veteran.
> 
> However, having used Hadoop briefly I observed this anomaly.
> 
> Yes, as you have highlighted, this is not applicable to non-Linux platforms.
> 
> Hadoop's security layer can be made to re-use SELinux's policies through a remote policy server, to ease the application of policies from a centralised policy server.
> 
> Further, Hadoop can be made to re-use the role-based access controls provided by SELinux.
> 
> In addition, Hadoop daemons can be subjected to the fine-grained access policies of SELinux when using the Linux server's resources.
> 
> Regards
> Madhan Sundararajan Devaki
> 
> Tata Consultancy Services Limited
> 415/21-24, Kumaran Nagar,
> Sholinganallur,
> Old Mahabalipuram,
> Chennai - 600 119,Tamil Nadu
> India
> Cell:- +91-9840141129
> Mailto: madhan.sundarara...@tcs.com
> Website: http://www.tcs.com
> 
> 
> From:   Allen Wittenauer <a...@altiscale.com>
> To:     common-dev@hadoop.apache.org
> Date:   03/26/2015 06:51 PM
> Subject:        Re: Hadoop Common: Why not re-use the Security model offered by SELINUX?
> 
> How would you propose we use SELinux features to support security, especially in a distributed manner where clients might be under different administrative controls? What about the non-Linux platforms that Hadoop runs on?
> 
> 
> On Mar 26, 2015, at 3:46 AM, Madhan Sundararajan <madhan.sundarara...@tcs.com> wrote:
> 
>> Team,
>> 
>> SELinux was introduced to bring robust security management into the Linux OS.
>> 
>> In all distributions of Hadoop (Cloudera/Hortonworks/...) one of the pre-installation checklist items is to disable SELinux on all the nodes of the cluster.
>> 
>> Why not re-use the security model offered by SELinux instead of re-inventing it from scratch through Sentry/Knox/etc...?
>> 
>> Regards
>> Madhan Sundararajan Devaki
>> 
