Towards ABAC in Hadoop Ecosystem

Prof. Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security, University of Texas at San Antonio
[email protected], www.profsandhu.com

Ford EEIT & GDIA Big Data Access Control Symposium
Dearborn, Michigan
May 2, 2017

Institute for Cyber Security
© Ravi Sandhu World-Leading Research with Real-World Impact!

PEI Models: 3 Layers

Security and system goals (objective policy): necessarily informal

Policy Models: formal/quasi-formal

Enforcement Models: system block diagrams, protocol flows

Implementation Models: pseudo-code

Actual Code

Multi-Layer Authorization

Services

Data and Objects

Cluster Resources and Applications

Hadoop Ecosystem Enforcement Model

Apache Ranger, Apache Sentry

Apache Knox

Apache Hive, HDFS, Apache Storm, Apache Kafka, YARN

AC Model: Hadoop View

): NameNode, YARN ResourceManager

: access / communicate: Files and Directories in HDFS

) : read, write, execute

AC Model: Ranger View

) : Hive, HDFS, Kafka, HBase: Files and Directories in HDFS; Tables, columns in Hive

) : read, write, execute, select, create: PII, top-secret

AC Model: Sentry View

AC Model: Consolidated View

Proposed OT-RBAC Model: Object-Tagged RBAC

Adding Attributes to OT-RBAC

Publications