Security Hardening
MRS is a platform for managing and analyzing massive data sets, and security is built into it. MRS protects user data and running services in the following areas:
Network isolation
The entire system is deployed in a Virtual Private Cloud (VPC), which isolates the cluster's service and management traffic from other tenants on the public cloud. VPC subnet division, route control, and security groups are combined to restrict which networks can reach the cluster, giving it a secure and reliable isolated network environment.
Resource isolation
MRS supports deploying and isolating physical resources in dedicated zones. Computing and storage resources can be combined flexibly: dedicated computing with shared storage, shared computing with dedicated storage, or dedicated computing with dedicated storage.
Host security
MRS can be integrated with public cloud security services, including Vulnerability Scan Service (VSS), Host Security Service (HSS), Web Application Firewall (WAF), Cloud Bastion Host (CBH), and Web Tamper Protection (WTP). The following measures harden the OS and its ports:
Security hardening of OS kernels
OS patch update
OS permission control
OS port management
OS protocol and port attack defense
Application security
The following measures are used to ensure normal running of big data services:
Identification and authentication
Web application security
Access control
Audit security
Password security
Data security
The following measures are provided to ensure the confidentiality, integrity, and availability of massive amounts of user data:
Disaster recovery: MRS supports backing up data to OBS and provides cross-region high reliability.
Backup: MRS supports backup of DBService, NameNode, and LDAP metadata, as well as HDFS and HBase service data.
Data integrity
Data is verified to ensure its integrity both while it is stored and while it is transmitted.
By default, CRC32C checksums are used to verify the correctness of user data stored in HDFS.
A DataNode verifies the checksums of data before storing it. If the data received from a client is corrupt or incomplete, the DataNode reports the error to the client, and the client retransmits the data.
The client also verifies checksums when reading from a DataNode. If a checksum does not match, the client reads the same block from another DataNode that holds a replica.
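The write-time rejection and read-time replica fallback described above, as an added example that is not MRS or Hadoop code: a table-driven CRC32C (the Castagnoli polynomial HDFS uses), an in-memory DataNode that verifies every chunk before storing it, and a client that retransmits a truncated write and switches to another replica when a stored chunk fails verification. The 512-byte chunk size is an assumption matching the HDFS default `dfs.bytes-per-checksum`; the block contents and the DataNode names are constructed for the demonstration.

```python
"""Chunked CRC32C verification in the style of HDFS (added example, not project code)."""


class ChecksumError(Exception):
    """Raised when a chunk's CRC32C does not match the checksum recorded for it."""


CRC32C_POLY = 0x82F63B78      # reflected Castagnoli polynomial (CRC-32C)
BYTES_PER_CHECKSUM = 512      # assumption: HDFS default dfs.bytes-per-checksum


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32c(data, crc=0):
    """CRC-32C of `data`; pass a previous result as `crc` to checksum incrementally."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def chunk_checksums(block):
    """One CRC32C per BYTES_PER_CHECKSUM-byte chunk, as HDFS records in the block's .meta file."""
    return [crc32c(block[i:i + BYTES_PER_CHECKSUM])
            for i in range(0, len(block), BYTES_PER_CHECKSUM)]


class DataNode:
    """Constructed in-memory DataNode: verifies chunks on write, stores data with checksums."""

    def __init__(self, name):
        self.name = name
        self.blocks = {}  # block_id -> (bytearray data, list of chunk checksums)

    def write_block(self, block_id, data, checksums):
        got = chunk_checksums(data)
        if got != checksums:  # corrupt or incomplete transfer: reject, client must rewrite
            bad = next((i for i, (a, b) in enumerate(zip(got, checksums)) if a != b),
                       min(len(got), len(checksums)))
            raise ChecksumError(f"{self.name}: chunk {bad} of {block_id} failed verification")
        self.blocks[block_id] = (bytearray(data), list(checksums))

    def read_block(self, block_id):
        data, checksums = self.blocks[block_id]
        return bytes(data), checksums

    def corrupt(self, block_id, offset):
        """Simulate bit rot on disk by flipping one bit of the stored block."""
        self.blocks[block_id][0][offset] ^= 0x01


class Client:
    def __init__(self, datanodes):
        self.datanodes = datanodes

    def write(self, block_id, data, transport=None, max_attempts=3):
        """Write to every replica; when a DataNode reports a mismatch, retransmit."""
        checksums = chunk_checksums(data)
        attempts_used = {}
        for dn in self.datanodes:
            for attempt in range(1, max_attempts + 1):
                payload = transport(data, attempt) if transport else data
                try:
                    dn.write_block(block_id, payload, checksums)
                    attempts_used[dn.name] = attempt
                    break
                except ChecksumError:
                    continue  # DataNode reported the bad transfer; rewrite the block
            else:
                raise ChecksumError(f"gave up writing {block_id} to {dn.name}")
        return attempts_used

    def read(self, block_id):
        """Recompute every chunk checksum; on a mismatch, fall back to the next replica."""
        tried = []
        for dn in self.datanodes:
            data, checksums = dn.read_block(block_id)
            tried.append(dn.name)
            if chunk_checksums(data) == checksums:
                return data, tried
        raise ChecksumError(f"all replicas of {block_id} failed verification: {tried}")


def demo():
    """Truncated first transmission is rejected and retried; a rotted replica is skipped on read."""
    dns = [DataNode("dn1"), DataNode("dn2"), DataNode("dn3")]
    client = Client(dns)
    block = bytes(range(256)) * 5  # constructed 1280-byte block: three chunks

    def truncating(data, attempt):  # constructed flaky transport: drops the tail once
        return data[:-100] if attempt == 1 else data

    attempts = client.write("blk_1", block, truncating)
    dns[0].corrupt("blk_1", 700)  # bit rot inside chunk 1 on the first replica
    data, tried = client.read("blk_1")
    return attempts, data == block, tried


if __name__ == "__main__":
    print(demo())
```

The checksums travel with the data on the write path and are stored beside it, so a DataNode can reject a damaged transfer before it ever reaches disk, and a reader never has to trust a single replica: any mismatch, whether the data or the checksum file rotted, simply moves the read to the next DataNode.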
Data confidentiality
The MRS distributed file system, which is based on Apache Hadoop HDFS, supports encrypted storage of files so that sensitive data is not written to disk in plaintext. Applications need to encrypt only the data they classify as sensitive, and services keep running while encryption is in use. On top of file system encryption, Hive provides table-level encryption and HBase provides column-family-level encryption: you specify the encryption algorithm when creating the table, and the sensitive data is encrypted before it is stored.
Encrypted storage combined with access control protects user data.
HBase compresses service data before writing it to HDFS; you can configure AES or SMS4 as the algorithm used to encrypt that data.
All the components allow access permissions to be set for local data directories. Unauthorized users are not allowed to access data.
All cluster user information is stored in ciphertext.
Security authentication
Uses a unified user- and role-based authentication system together with a role-based access control (RBAC) model to control user permissions centrally and manage user authorization in batches.
Employs Lightweight Directory Access Protocol (LDAP) as the account management system and authenticates accounts with Kerberos.
Provides the single sign-on (SSO) function that centrally manages and authenticates MRS system and component users.
Audits users who have logged in to Manager.