Cloud database HBase enterprise-level security analysis

Open source HBase security introduction

The security functionality of open source HBase consists mainly of three parts:

1. ACL permission control, implemented by the AccessController coprocessor;
2. Authentication at the RPC layer, which mainly implements Kerberos authentication;
3. HTTPS access for the HBase WebUI.


Introduction to Open Source HBase ACL Access Control

HBase ACL is a permission control mechanism based on a coprocessor. It can effectively control a user's access to HBase data, down to the column level as the smallest granularity, and supports assigning permissions by user and by user group. The scope of HBase ACL is: global > namespace > table > family > qualifier. The order in which permissions are checked is likewise global > namespace > table > family > qualifier. In other words, a user's permissions are checked from the largest scope to the smallest, so when granting permissions, pay attention to whether a grant at a wider scope already covers (and therefore defeats) a restriction intended at a narrower scope. In addition, permissions can be managed per individual user or per user group; the check order is user > group.
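The scope-precedence rule above is easy to get wrong in practice, so here is an added example (not code from the original post or from HBase itself) that models how a request is resolved against a set of grants: scopes are walked from largest to smallest, a wider grant covers everything beneath it, and both the user's own grants and the user's group grants are consulted. The ACL entries, users and groups are constructed sample data.

```python
# Added example (not from the original post): a small model of how the HBase
# AccessController resolves a request, as described above. Scopes are checked
# from largest to smallest (global > namespace > table > family > qualifier),
# a grant at a larger scope covers every object below it, and the user's own
# grants plus the grants of the user's groups are all consulted.

# Constructed sample ACL entries (not real cluster data). A principal starting
# with "@" is a group, as in the HBase shell. A scope is the tuple
# (namespace, table, family, qualifier); None means "any".
GRANTS = [
    ("@admins",   (None,   None,     None, None),  "RWXCA"),  # global
    ("@analysts", ("prod", None,     None, None),  "R"),      # namespace
    ("bob",       ("prod", "orders", None, None),  "RW"),     # table
    ("carol",     ("prod", "orders", "cf", "ssn"), "R"),      # qualifier
]

def scope_level(scope):
    """0 = global, 1 = namespace, 2 = table, 3 = family, 4 = qualifier."""
    return sum(1 for part in scope if part is not None)

def scope_covers(grant_scope, request_scope):
    """A grant covers a request when each granted component is 'any' or equal."""
    return all(g is None or g == r for g, r in zip(grant_scope, request_scope))

def resolve(user, groups, action, namespace, table=None, family=None, qualifier=None):
    """Return the scope level that authorised `action`, or None when denied.
    Grants are walked from the largest scope to the smallest, so a wider grant
    is found (and wins) before any narrower, more restrictive one is looked at."""
    request = (namespace, table, family, qualifier)
    principals = {user} | {"@" + g for g in groups}
    for principal, scope, actions in sorted(GRANTS, key=lambda g: scope_level(g[1])):
        if principal in principals and action in actions and scope_covers(scope, request):
            return scope_level(scope)
    return None

if __name__ == "__main__":
    # carol's read of prod:orders/cf:ssn is authorised by her group's namespace grant
    print(resolve("carol", ["analysts"], "R", "prod", "orders", "cf", "ssn"))  # 1
    # without the group, only her narrow qualifier-level grant applies
    print(resolve("carol", [], "R", "prod", "orders", "cf", "ssn"))            # 4
    # bob may write anywhere in prod:orders, but not in another table
    print(resolve("bob", [], "W", "prod", "other"))                             # None
```

The first case is the pitfall the paragraph warns about: a qualifier-level restriction on carol is irrelevant once one of her groups holds a namespace-level grant, because the wider grant is matched first.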

Open source HBase ACL use case


After permissions are assigned to the members of a company's HBase database management team, those people have the permissions they need, but the safety of that access is still not guaranteed. If an impersonator from outside obtains the corresponding API access while identity authentication is not enabled, the system will mistakenly treat them as a member of the team, which is a security risk. At that point the system needs to turn on identity authentication so that the impersonator's access is rejected and the security requirement is met.

Open source HBase authentication

Authentication is the process of verifying a user's identity; only users who pass authentication may access certain services. Unlike authentication, ACL authorization only controls which specified users may access which specified services, without verifying who they actually are. Therefore only the combination of authentication and authorization achieves a good security result.

The authentication method currently supported by HBase is Kerberos, implemented at the RPC level; Kerberos is also the only authentication method built into Hadoop. HBase, HDFS and ZooKeeper generally enable Kerberos authentication at the same time.

The security setup commonly used for open source HBase today has three aspects:
1. HBase enables Kerberos authentication, HTTPS WebUI access, ACL authorization, log auditing and traffic limiting;
2. HDFS enables Kerberos authentication, permission control and data encryption;
3. ZooKeeper enables Kerberos authentication and zk ACL permission control.


Introduction to Kerberos

Kerberos is a network authentication protocol. There are many implementations of the Kerberos protocol today; in essence it uses symmetric cryptography to achieve identity authentication over a network. Authentication is usually provided by a third-party service, independent of the service components it protects. Many big data components now integrate Kerberos by default, and Kerberos authentication can be turned on for their services.


When a user needs to access a service protected by Kerberos, the Kerberos authentication process can be divided into two stages:

1. The Kerberos server program (Authentication Server, AS) authenticates the user's identity;
2. The service authenticates the user's identity.

Today, once the corresponding authentication is turned on for open source HBase, security does improve effectively, but the cost is high: accessing the cluster requires many cumbersome preparation steps, usage is unfriendly, configuration is complicated, and accounts must be bound to local system users, among other drawbacks.

Introduction to Cloud Database HBase Security


The main security functions supported by cloud database HBase are: network-layer security isolation, identity authentication, permission control, log auditing, flow control and data encryption. Public-network users and classic-network users who want to access the user's VPC must first be added to the whitelist, otherwise they cannot access it.


For network security isolation, cloud database HBase lets users set a firewall whitelist and security-group port restrictions, and choose to install HBase in a VPC. For identity authentication it uses the HAS service, developed jointly by Intel and Alibaba, which is friendlier to use. For permission control it is compatible with the HBase AccessController coprocessor, supports fine-grained permission control, and user accounts do not depend on local Linux system users, which improves efficiency. For auditing it can record users' operations on resources and monitor/track the security risks of resource access. Compared with open source HBase, cloud database HBase is therefore considerably improved in security, cost and user-friendliness.

The cloud HBase security module also provides:

1) support for multiple authentication methods, such as account/password, RAM, LDAP, etc.;
2) an extended, highly available backend metadata service;
3) simplified client configuration;
4) quick and convenient command-line management tools;
5) the ability to integrate with a customer's existing account authentication system.


Cloud HBase security principles

1. What is HAS?

HAS (Hadoop Authentication Service) is dedicated to solving authentication support for open source big data services and their ecosystem. Currently, open source big data systems (Hadoop/Spark) only have built-in support for Kerberos authentication. HAS proposes a new authentication method (Kerberos-based token authentication) that integrates with existing authentication and authorization systems, making authentication methods other than Kerberos possible on Hadoop/Spark while simplifying and hiding the complexity of Kerberos from end users.


2. HAS system architecture

HAS is built on Apache Kerby and implements, at relatively low development cost, a brand-new authentication solution for open source big data. Apache Kerby mainly provides HAS with: a complete Kerberos client library and tools; the Kerby KDC, an efficient and highly available service; strong ASN.1 support; and TokenPreauth, a new token-based authentication mechanism.


The HAS protocol flow is mainly an extension of Kerberos. Its protocol is based on the TokenPreauth mechanism, implemented mainly in Apache Kerby, which lets users authenticate to the KDC with a token issued by a third party instead of a password. Token authentication is widely used on the Internet, in the cloud and on mobile, so this allows the Kerberos system to be combined with other authentication schemes and promotes the adoption of Kerberos on cloud and big data platforms.

Cloud HBase security application scenarios

Security requirements are everywhere: for example, preventing malicious retaliation by employees, or preventing external users from accessing stolen data or even deleting all the data. Any production environment has security requirements, although the required level of protection differs. For an ordinary public cloud user, the HBase database is typically an internal-network DB used only by themselves and not shared with third parties, and the stored data may only be user log data, so that customer may only need network-layer isolation from the outside. If a company's HBase database also provides storage for a third-party service provider, it may need further security requirements such as identity, permissions and auditing.

Compared with open source HBase, cloud HBase reduces operation, maintenance and usage costs, simplifies configuration, and allows public-network and classic-network users to access it without relying on system accounts. Most importantly, security is considerably improved.



Origin blog.51cto.com/15060465/2679779