Skip to content

Latest commit

 

History

History
114 lines (89 loc) · 8.18 KB

mitigations.md

File metadata and controls

114 lines (89 loc) · 8.18 KB

Mitigation Strategies Analysis for apache/hadoop

Mitigation Strategy: Strong Authentication with Kerberos (Hadoop-Specific Configuration)

  • Description:

    1. Configure Hadoop Services: Modify the configuration files (e.g., core-site.xml, hdfs-site.xml, yarn-site.xml, mapred-site.xml) of each Hadoop service to enable Kerberos authentication. This is the Hadoop-specific part. This includes:
      • Setting hadoop.security.authentication to kerberos.
      • Specifying the Kerberos realm (hadoop.security.kerberos.realm).
      • Defining service principals for each service (e.g., dfs.namenode.kerberos.principal, yarn.resourcemanager.kerberos.principal).
      • Specifying the location of keytab files for each service (e.g., dfs.namenode.keytab.file, yarn.resourcemanager.keytab.file).
      • Configuring SPNEGO for web UIs (if used) to enable Kerberos authentication for web access.
    2. Client Configuration (Hadoop Side): Ensure that Hadoop client configurations (typically in core-site.xml) are set up to use Kerberos. This includes setting hadoop.security.authentication to kerberos.
    3. Keytab Management within Hadoop: Hadoop configuration files directly reference keytab files. Secure handling of these files within the Hadoop configuration is crucial.

  • Threats Mitigated:

    • Unauthorized Access (High Severity): Prevents attackers from accessing Hadoop services without valid Kerberos tickets.
    • Impersonation (High Severity): Prevents attackers from impersonating legitimate users or services.
    • Man-in-the-Middle Attacks (Medium Severity): When combined with wire encryption, helps prevent MITM attacks.

  • Impact:

    • Unauthorized Access: Risk reduced significantly (from High to Low).
    • Impersonation: Risk reduced significantly (from High to Low).
    • Man-in-the-Middle Attacks: Risk reduced (from Medium to Low, with wire encryption).

  • Currently Implemented:

    • HDFS: Implemented. Kerberos authentication is enabled for HDFS.
    • YARN: Implemented. Kerberos authentication is enabled for YARN.
    • MapReduce: Implemented. Kerberos authentication is enabled for MapReduce jobs.

  • Missing Implementation:

    • Hive: Not yet implemented. Hive access is currently not secured with Kerberos.
    • HBase: Not yet implemented. HBase access is currently not secured with Kerberos.

Mitigation Strategy: Fine-Grained Authorization with Ranger (Hadoop Service Plugins)

  • Description:

    1. Enable Ranger Plugins: This is the key Hadoop-specific step. Enable the Ranger plugins for each Hadoop service you want to protect (HDFS, YARN, Hive, HBase, etc.). These plugins are part of the Hadoop ecosystem and are configured within Hadoop's configuration files. The plugins:
      • Intercept access requests to the Hadoop service.
      • Consult the Ranger server for authorization decisions based on defined policies.
      • Enforce the Ranger policies, allowing or denying access.
    2. Hadoop Configuration: Configure the Hadoop services (in their respective configuration files, e.g., hdfs-site.xml, yarn-site.xml) to use the Ranger plugins. This typically involves specifying the Ranger server address and other plugin-specific settings.

  • Threats Mitigated:

    • Unauthorized Data Access (High Severity): Prevents unauthorized access beyond basic HDFS permissions.
    • Unauthorized Data Modification (High Severity): Prevents unauthorized modification or deletion.
    • Privilege Escalation (Medium Severity): Limits privilege escalation within Hadoop.
    • Insider Threats (High Severity): Helps mitigate insider threats.

  • Impact:

    • Unauthorized Data Access: Risk reduced significantly (from High to Low).
    • Unauthorized Data Modification: Risk reduced significantly (from High to Low).
    • Privilege Escalation: Risk reduced (from Medium to Low).
    • Insider Threats: Risk reduced (from High to Medium).

  • Currently Implemented:

    • HDFS: Implemented. Ranger policies control access to HDFS resources.
    • YARN: Implemented. Ranger policies control access to YARN queues and applications.

  • Missing Implementation:

    • Hive: Not yet implemented. Ranger plugins are not yet enabled for Hive.
    • HBase: Not yet implemented. Ranger plugins are not yet enabled for HBase.

Mitigation Strategy: Data Encryption at Rest (HDFS Transparent Encryption - Hadoop Native)

  • Description:

    1. Configure Hadoop KMS (if using): If using the Hadoop Key Management Server (KMS), configure it within Hadoop (typically in kms-site.xml). This includes setting the key provider, key store location, and encryption algorithms.
    2. HDFS Crypto Commands: Use the hdfs crypto command-line utility (part of HDFS) to:
      • Create encryption zones: hdfs crypto -createZone -keyName <key_name> -path <path>.
      • List encryption zones: hdfs crypto -listZones.
      • Manage encryption keys (if using Hadoop KMS).
    3. Hadoop Client Configuration: Ensure Hadoop clients are configured to interact with the KMS (if using Hadoop KMS or a supported third-party KMS). This is often handled automatically if the KMS is properly configured within Hadoop.

  • Threats Mitigated:

    • Data Breach from Physical Theft (High Severity): Protects data on stolen disks.
    • Unauthorized Access to Raw Data (High Severity): Prevents access to raw data on disk.
    • Compliance Violations (Medium to High Severity): Helps meet compliance requirements.

  • Impact:

    • Data Breach from Physical Theft: Risk reduced significantly (from High to Low).
    • Unauthorized Access to Raw Data: Risk reduced significantly (from High to Low).
    • Compliance Violations: Risk reduced (from Medium/High to Low).

  • Currently Implemented:

    • HDFS: Partially Implemented. Encryption zones exist for some data.

  • Missing Implementation:

    • Comprehensive Coverage: Not all HDFS data is in encryption zones.

Mitigation Strategy: Data Encryption in Transit (Wire Encryption - Hadoop Configuration)

  • Description:

    1. Hadoop RPC Configuration: Configure Hadoop's Remote Procedure Call (RPC) mechanism to use encryption. This is done within Hadoop's configuration files (primarily core-site.xml):
      • Set hadoop.rpc.protection to privacy. This enables encryption for RPC communication. This setting works in conjunction with Kerberos.
      • Ensure hadoop.security.authentication is set to kerberos (required for hadoop.rpc.protection to work).
    2. Service-Specific Configuration: Some Hadoop services may have additional configuration options related to wire encryption (e.g., enabling SSL for web UIs in hdfs-site.xml or yarn-site.xml).

  • Threats Mitigated:

    • Eavesdropping (Medium Severity): Prevents eavesdropping on Hadoop communication.
    • Man-in-the-Middle Attacks (Medium Severity): Prevents MITM attacks.
    • Data Tampering in Transit (Medium Severity): Ensures data integrity during transit.

  • Impact:

    • Eavesdropping: Risk reduced significantly (from Medium to Low).
    • Man-in-the-Middle Attacks: Risk reduced significantly (from Medium to Low).
    • Data Tampering in Transit: Risk reduced significantly (from Medium to Low).

  • Currently Implemented:

    • HDFS: Implemented. Wire encryption is enabled for HDFS communication.
    • YARN: Implemented. Wire encryption is enabled for YARN communication.

  • Missing Implementation:

    • Hive: Not yet implemented. Wire encryption is not yet enabled for Hive.
    • HBase: Not yet implemented. Wire encryption is not yet enabled for HBase.