
Datameer Security - Combine Data Silos in Minutes


Datameer Security

Authentication

Datameer provides LDAP / Active Directory (AD) authentication as one option for identifying and managing users. Administrators can configure Datameer to use their existing LDAP or Active Directory system as the system of record for centralized management of user identity, organizational units, and credentials. Users can authenticate into Datameer using familiar credentials, which are checked against LDAP/AD on every login. Users are identified as a member of group(s) just like in LDAP/AD; if the remote system no longer sanctions the user, access to Datameer is denied. This simplifies Datameer administration and allows end-users to use common credentials when accessing Datameer. All authentication history is captured and stored in dedicated logs to facilitate security audits.

Authorization

Datameer provides role-based access with delegation, reserving certain actions for administrators only. Artifacts remain under the control of the author until shared at the group level. This applies to data stores, import jobs, data links, uploaded files, workbooks, dashboards and export jobs.

To coexist with existing processes and data on Hadoop, Datameer maintains a “private folder” of data in HDFS. Access to raw and imported data and analyses results can be restricted by user.

Datameer supports connectivity to LDAPS (often called LDAP over SSL). By default, LDAP communications between applications are not encrypted. When an LDAP simple bind is used, the credentials (username and password) are passed over the network in clear text.[1]

Datameer supports operating in Hadoop environments secured by Kerberos. Leveraging Kerberos, Datameer provides mutual authentication—both the user and the server verify each other’s identity. Datameer can also leverage Hadoop’s secure impersonation capability, meaning all jobs are run as the Datameer end user. System level logs generated by Hadoop provide traceability of any action taken or data accessed back to the authenticated end user, meeting the strictest audit requirements2

About Datameer

Datameer provides the first data analytics platform on Apache Hadoop that helps business users integrate, analyze and visualize all of their data, regardless of type, size, or source. Founded by Hadoop veterans in 2009, Datameer provides unparalleled access to data with minimal IT resources. Datameer scales from your laptop to thousands of nodes.


Datameer’s transparent secure impersonation means that all data permissions can be enforced and in sync throughout all tiers of the system architecture, from HDFS to the web application. Users will automatically be denied access to any data to which they’re not entitled (even if that data predates the use of Datameer), and any new data generated will carry end user permissions down to the filesystem level.

*Note: Hadoop’s HDFS limits permissions of files/folders to a single group; thus, in secure impersonation mode, granting access to more than one group is disabled.

In summary, Datameer builds on Hadoop authentication and authorization, offering further flexibility and control, and seamlessly integrates with existing identity management tools.

[1] For more information on Secure LDAP, see datameer.com/documentation/current/Configuring+Secure+LDAP+%28LDAPS%29

[2] For more information on SSL, see datameer.com/documentation/current/Enabling+SSL

Encryption

Datameer supports the use of HTTPS (HTTP over SSL) which secures traffic between the end user’s browser and the Datameer application server. This requires a simple configuration change to Datameer and for end users to use the correct URL.[2]

All end user credentials, data store passwords and keys (SSH, EC2, etc.) maintained by Datameer are masked in the UI and encrypted in the Datameer metadata store. The only exception to this is when LDAP/Active Directory authentication is used, in which case the end user credentials are maintained externally.

Datameer is designed to be a direct client of the cluster and operate in the secure area of your network containing the Hadoop master and slaves. As with any Hadoop client, traffic between the client and the cluster is generally not encrypted. This needs to be taken into consideration when designing network topology. It’s also important to note that Hadoop clients communicate directly with Hadoop data nodes, so securing the data nodes and exposing only the NameNode and JobTracker hosts is not an option.

Tested for Security

Datameer software is scanned and certified by Veracode (www.veracode.com) to test for security vulnerabilities.

Technical Specifications

SERVER HARDWARE: x86-based commodity hardware

OPERATING SYSTEMS: Linux and Solaris

PLUG-IN APIS: Custom file formats, user-defined analytic functions and visualizations

HADOOP SUPPORT: All compatible 0.20 Hadoop distributions including Cloudera, EMC, Hortonworks, IBM BigInsights and MapR

SUPPORTED BROWSERS: Internet Explorer 7.0+, Firefox 3.5+, Safari 4.0+, Chrome

©2012 Datameer, Inc. All rights reserved. Datameer is a trademark of Datameer, Inc. Hadoop and the Hadoop elephant logo are trademarks of the Apache Software Foundation. Other names may be trademarks of their respective owners.

Datameer, Inc., 2040 Pioneer Court, San Mateo, CA 94403. T 650 286 9100, F 650 286 9103. Follow us: www.datameer.com, @datameer, linkedin.com/company/datameer