In addition to everything Allen has already said, which I entirely agree
with, I'll also point out that much of the focus on Hadoop security has
been related to authentication, and only somewhat more recently on
providing advanced authorization capabilities. I'll readily admit to not
knowing much about SE Linux's capabilities, but my impression is that it
wouldn't do much to be able to help out with authentication within Hadoop,
and hence wouldn't have been a realistic option when Hadoop's security work
was started many years ago.

--
Aaron T. Myers
Software Engineer, Cloudera

On Thu, Mar 26, 2015 at 8:27 AM, Allen Wittenauer <a...@altiscale.com> wrote:

>
>         When Hadoop was started 10 years ago and first started getting
> its security bits in place 8 years ago, SE Linux was immature and
> extremely broken.  (Which, in many ways, is still true.  Like a lot of
> Linux vs. commercial competitors, it’s about 80% there.)  Plus, considering
> that Hadoop was written in Java, it never made sense to integrate Hadoop
> so tightly with those interfaces.
>
>         It’s also worth pointing out that SE Linux also doesn’t help at
> all at protecting things inside of HDFS since it is a user-land file system
> and not mounted at the VFS layer.  The number of contortions required to
> get support would be… interesting.
>
>         Now that time has progressed and both projects have evolved,
> someone might be interested in exploring the possibilities. It’s worth
> pointing out that large portions of Hadoop’s security model is pluggable.
> So if you’d like to take this work on, feel free.
>
> On Mar 26, 2015, at 7:44 AM, Madhan Sundararajan <madhan.sundarara...@tcs.com> wrote:
>
> > Allen,
> >
> > Unlike you, I am no Unix veteran.
> >
> > However, having used Hadoop briefly I observed this anomaly.
> >
> > Yes, as you have highlighted, this is not applicable to non-Linux
> > platforms.
> >
> > Hadoop's security layer can be made to re-use SELINUX's policies through a
> > remote policy server, to ease the application of policies from a
> > centralised policy server.
> >
> > Further, Hadoop can be made to re-use role-based-access-controls provided
> > by SELINUX.
> >
> > In addition, Hadoop daemons can be subjected to the fine-grained access
> > policies of SELINUX to use the Linux Server's resources.
> >
> > Regards
> > Madhan Sundararajan Devaki
> >
> > Tata Consultancy Services Limited
> > 415/21-24, Kumaran Nagar,
> > Sholinganallur,
> > Old Mahabalipuram,
> > Chennai - 600 119,Tamil Nadu
> > India
> > Cell:- +91-9840141129
> > Mailto: madhan.sundarara...@tcs.com
> > Website: http://www.tcs.com
> > ____________________________________________
> > Experience certainty.   IT Services
> >                        Business Solutions
> >                        Consulting
> > ____________________________________________
> >
> >
> >
> > From:   Allen Wittenauer <a...@altiscale.com>
> > To:     common-dev@hadoop.apache.org
> > Date:   03/26/2015 06:51 PM
> > Subject:        Re: Hadoop Common: Why not re-use the Security model offered by SELINUX?
> >
> >
> >
> >
> >                 How would you propose we use SELinux features to support
> > security, especially in a distributed manner where clients might be under
> > different administrative controls?  What about the non-Linux platforms
> > that Hadoop runs on?
> >
> >
> > On Mar 26, 2015, at 3:46 AM, Madhan Sundararajan
> > <madhan.sundarara...@tcs.com> wrote:
> >
> >> Team,
> >>
> >> SELINUX was introduced to bring in robust security management in the Linux OS.
> >>
> >> In all distributions of Hadoop (Cloudera/Hortonworks/...) one of the
> >> pre-installation checklist items is to disable SELINUX in all the nodes of
> >> the cluster.
> >>
> >> Why not re-use the security model offered by SELINUX setting instead of
> >> re-inventing from scratch through Sentry/Knox/etc...?
> >>
> >> Regards
> >> Madhan Sundararajan Devaki
> >>
> >> Tata Consultancy Services Limited
> >> 415/21-24, Kumaran Nagar,
> >> Sholinganallur,
> >> Old Mahabalipuram,
> >> Chennai - 600 119,Tamil Nadu
> >> India
> >> Cell:- +91-9840141129
> >> Mailto: madhan.sundarara...@tcs.com
> >> Website: http://www.tcs.com
> >>
> >>
> >
> >
>
>
