An Approach for Multi-Tenancy Through Apache Knox
âąTransferir como PPTX, PDFâą
2 gostaramâą1,795 visualizaçÔes
Abstract: As organizations start to roll out or migrate data driven applications to Apache Hadoop, there are times when they have conflicting needs to leverage their full co-mingled data sets in Hadoop while providing isolation of sections of such co-mingled data to a specific customer. Serving multiple customers in this manner is a typical multi-tenant usecase and one that can be challenging in Apache Hadoop. This presentation walks through a number of patterns that can be leveraged for providing isolation of tenants based on the composability of Apache Knox for: * Authentication/Federation Providers * KnoxSSO * Identity Assertion * Tenant specific topologies With these patterns, Knox can provide an infrastructure for robust tenant isolation and access control for application UIs and REST APIs for your data landscape, when suitably coupled with a cluster that has carefully considered infrastructure including: * Kerberos * Tenant specific user accounts, OUs and Groups within LDAP * Authorization Policy that is aware of the tenant specific groups, Summary: We will walk through some of the patterns that have been used to enable such a multi-tenant environment as well as the specific considerations for topology, access control and user accounts involved with creating such an environment.
Recomendados
Mais conteĂșdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (18)
Semelhante a An Approach for Multi-Tenancy Through Apache Knox
Semelhante a An Approach for Multi-Tenancy Through Apache Knox (20)
Mais de DataWorks Summit/Hadoop Summit
Mais de DataWorks Summit/Hadoop Summit (20)
Ăltimo
Ăltimo (20)
An Approach for Multi-Tenancy Through Apache Knox
- 1. An Approach for Multi- tenant Applications with Apache Knox Larry McCay Architect and Manager for Security Infra - Hortonworks Sumit Gupta Technical Lead for Knox - Hortonworks April 5th 2017 â DataWorks Summit Munich
- 2. 2 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Disclaimer ï This document may contain product features and technology directions that are under development, may be under development in the future or may ultimately never be developed. ï Product capabilities are based on information that is publicly available within the Apache Software Foundation websites (âApacheâ). Progress of the project capabilities can be tracked from inception to release through Apache, however, technical feasibility, market demand, user feedback and the overarching Apache Software Foundation community development process can all effect timing and final delivery. ï This documentâs description of these features and technology directions does not represent a contractual commitment, promise or obligation from Hortonworks to deliver these features in any generally available product. ï Product features and technology directions are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. ï Since this document may contain an outline of general product development plans, customers should not rely upon it when making purchasing decisions.
- 3. 3 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Agenda ï Apache Knox ï Overview ï Topologies ï Identity Assertion and Authorization ï Multi-tenant Applications ï What are they? ï What are the concerns? ï Loanscore SaaS Application ï Overview,Requirements,Design ï Loanscore via Knox, Design ï Demo ï Q&A
- 4. 4 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Apache Knox
- 5. 5 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Apache Knox History and Community Growth Mar 2013 Entered Incubator Oct 2013 0.1.0 - 0.3.0 Incubator Releases Feb 2014 Graduates to Apache TLP Apr 2014 0.4.0 TLP Release Nov 2014 0.5.0 May 2015 0.6.0 Apr/Aug 2016 0.9.0/0.9.1 Feb 2016 0.8.0 Dec 2015 0.7.0 Nov 2016 0.10.0 Dec 2016 0.11.0 Mar 2017 0.12.0 TBD 1.0.0 Target Release Date âą Committers: 17 âą Contributors from: âą Hortonworks, IBM, CGI, Uber, Oracle, Blue Talon Apache 0.12.0/HDP 2.6 âą Client SDK/DSL Improvements âą Apache Zeppelin Proxying âą YARN RM UI HA Support âą Knox Token Service âą Solr API and UI Apache 0.11.0 âą LDAP Improvements âą Hadoop Group Lookup Support âą Phoenix Server Support (Avatica) âą Management UI âą Metrics @apache_knox
- 6. 6 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Apache Knox Overview Proxying Services Primary goals of the Apache Knox project is to provide access to Apache Hadoop via proxying of HTTP resources. Authentication Services Authentication for REST API access as well as WebSSO flow for UIs. LDAP/AD, Header based PreAuth, Kerberos, SAML, OAuth are all available options. Client DSL/SDK Services Client development can be done with scripting through DSL or using the Knox Shell classes directly as SDK. WebSSO Authentication And Federation providers Groovy based DSL Client DSL/SDK Services HTTP Proxying Services UIs REST APIs Web Sockets Hive Ambari HBase WebHCatWebHDFS Hadoop UIs Authentication ServicesProxying Services KnoxShell SDK Token Sessions REST API Classes KnoxSSO/Token YARN Ranger Zeppelin Oozie Phoenix Gremlin SQL/DB SAML OAuth LDAP/AD SPNEGO Header Based YARN RM WebHCat WebHDFS Hive YARN RM HBase
- 7. 7 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Knox Topologies ï Which services to proxy â For instance: Hive, WebHDFS, WebHCat, HBase, etc ï Unique URLs per topology â For instance: https://localhost:8443/gateway/TOPOLOGY/webhdfs/v1 ï Separate Hadoop clusters â For example: dev.xml and prod.xml ï Different access requirements for the same cluster (through providers) â token.xml and basic.xml ï Tenant specific access to the Knox services â acme1.xml and acme2.xml
- 8. 8 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Identity Assertion and Authorization ï Establish the effective identity ï Can alter the effective identity through: ï Principal mapping ï Regular expressions ï Concatenation of prefixes, suffixes ï Establishes security context for service level authorization checks through: ï The principal and group mapping or transforms described above ï Group lookup ï Service Level Authorization for the effective user ï Simple ACL based authorization provider ï Ranger Knox plugin
- 9. 9 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Multi-tenant Applications
- 10. 10 © Hortonworks Inc. 2011 â 2017. All Rights Reserved What is a Multi-tenant Application? â Deployment â Application â Data Shared Infrastructure â Users have accounts within an Organizationâs Account â Each organization is a tenant Account Context
- 11. 11 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Multi-tenancy Concerns â Tenants cannot view, modify or delete each otherâs data â Tenant admins may only affect tenant specific settings â Application admins cannot access tenant data Data Protection â Users authenticate using their typical or chosen usernames â Security context must include tenant membership (username âbobâ is too ambiguous) â Only Authenticated and Authorized users may access the system â Authentication Provider Flexibility âą Application managed providers âą Tenant specific provider integrations Authentication
- 12. 12 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS Application
- 13. 13 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS Application Continually improve risk assessment with a central risk model, analytics and machine learning with tenant specific thresholds â machine learning capabilities â models for scoring risk â small businesses and individuals can be scored â configurable datasources (e.g. yelp) ï Application Provides â Users are employees of the lending institution (e.g. an originator) â Tenant specific authentication integrations â Tenants have their own configuration/settings â Tenants get their own sub-domain and branding ï Tenants are Lending Institutions
- 14. 14 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS Application Loan Scoring Business Logic and Branding Tenant Specific Authentication (Login form, LDAP, SAML, etc) User Disambiguation for access to Hadoop (bob -> bob_goodloans) Hadoop Access (Kerberos + doas) SAML IDP Corp ADLDAP Loanscore SaaS Authentication Application must account for authentication configuration per tenant. This is for different LDAP search bases within a shared LDAP or tenant specific LDAP servers or IdP integrations. Business Logic of the App The business logic and branding of the application for each tenant. User Disambiguation The effective security context for backend interactions must contain the tenant affiliation for authorization policy to be enforced properly. Hadoop Access Patterns REST API calls to Hadoop services generally require kerberos+doas for secure clusters.
- 15. 15 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS Application v2.0 Loan Scoring Business Logic and Branding Tenant Specific Authentication (Login form, LDAP, SAML, etc) User Disambiguation for access to Hadoop (bob -> bob_goodloans) Hadoop Access (Kerberos + doas) SAML IDP Corp ADLDAP Loanscore SaaS v2.0 Authentication Application must account for authentication configuration per tenant. This is for different LDAP search bases within a shared LDAP or tenant specific LDAP servers or IdP integrations. Business Logic of the App The business logic and branding of the application for each tenant. User Disambiguation The effective security context for backend interactions must contain the tenant affiliation for authorization policy to be enforced properly. Hadoop Access Patterns REST API calls to Hadoop services generally require kerberos+doas for secure clusters.
- 16. 16 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS with Knox Services Business Logic, Branding, Knox Client SDK Loanscore SaaS SAML IDP Corp ADLDAP Tenant Specific Authentication User Disambiguation (identity assertion) KnoxSSO Proxying Knox Authentication and Proxying Services kerberos+doas or simple auth Proxying Services By proxying the app through Apache Knox, the gateway is able to require authentication prior to the user accessing the actual application. Hadoop API access is also proxied through Knox and the dispatch within the gateway handles the kerberos+doas and user disambiguating requirements. Authentication Services The authentication or federation provider within the proxying topology for the tenant may contain the actual authentication configuration or may redirect to KnoxSSO for a WebSSO flow. Client SDK The backend of the application may consume Hadoop REST APIs via the KnoxShell client classes.
- 17. 17 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Loanscore SaaS with Knox Services Loanscore ApplicationSAML IDP Corp ADLDAP goodloans- sso.xml goodloans.xml (user disambiguation) KnoxSSO Proxying https://goodloans.loanscore.comhttps://unwise.loanscore.com doas=bob_goodloans username: bob password: *** 1. Goodloans originator bob navigates to the goodloanâs loanscore app URL 2. Since he has yet to authenticate he is redirected to the KnoxSSO topology for goodloans 3. He is authenticated against the goodloanâs configured identity provider. He provides his username and password (bob:***) 4. Upon successful auth he is redirected back the loanscore application and granted access 5. The user principal propagated to the loanscore app has been disambiguated by adding the tenant name to the end of the username (bob_goodloans) in the identity assertion provider 6. Loanscore app adds a file to a tenant specific directory within HDFS using KnoxShell SDK classes
- 18. 18 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Demo
- 19. 19 © Hortonworks Inc. 2011 â 2017. All Rights Reserved Q&A