Security

What's New in This Release

New features and changes for Apache Ranger and Apache Knox have been introduced in Hortonworks Data Platform, version 2.6.x, along with documentation updates. New features are described in the following sections.

  • Hortonworks Data Platform 2.6.3

    • Authentication

      • Apache Atlas Admin UI Support through Knox: Setting up Hadoop Service URLs, Example Service Definitions, and Supported Hadoop Services.

        You can now configure the Atlas Admin UI to go through the Knox Gateway (proxy) by creating a service definition with:

        <service>
            <role>ATLAS</role>
            <url>http://atlas-host:8443</url>
        </service>
      • Apache Zeppelin UI Support through Knox: Setting up Hadoop Service URLs, Example Service Definitions, and Supported Hadoop Services.

        You can now configure the Zeppelin UI to go through the Knox Gateway (proxy) by creating a service definition with:

        <service>
            <role>ZEPPELINUI</role>
            <url>http://zeppelin-host:9995</url>
        </service>
        
        <service>
            <role>ZEPPELINWS</role>
            <url>http://zeppelin-host:9995/ws</url>
        </service>
      • Setting up SSOCookieProvider Federation Provider

        The SSOCookieProvider federates an authentication event that already occurred through KnoxSSO. KnoxSSO is a typical service-provider-initiated WebSSO mechanism: it sets a cookie that browsers present to participating applications, which verify it cryptographically.

        Knox Gateway needs a pluggable mechanism for consuming these cookies and federating the KnoxSSO authentication event as an asserted identity in its interactions with the Hadoop cluster for REST API invocations. This provider is useful when an application that is integrated with KnoxSSO for authentication also consumes REST APIs through the Knox Gateway.
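        A topology fragment that uses the SSOCookieProvider, added here as an illustration (not taken from the Hortonworks documentation); the host names and the WEBHDFS service are placeholders, and the KnoxSSO endpoint is assumed to be deployed in a topology named knoxsso on the same gateway:

        ```xml
        <topology>
            <gateway>
                <!-- Accept the hadoop-jwt cookie issued by KnoxSSO instead of prompting
                     for credentials. The cookie is verified against the gateway's own
                     signing key, so only tokens minted by this gateway are accepted. -->
                <provider>
                    <role>federation</role>
                    <name>SSOCookieProvider</name>
                    <enabled>true</enabled>
                    <param>
                        <!-- Browsers without a valid cookie are redirected here to log in -->
                        <name>sso.authentication.provider.url</name>
                        <value>https://knox-host:8443/gateway/knoxsso/api/v1/websso</value>
                    </param>
                </provider>
                <!-- Pass the federated identity through unchanged to the cluster -->
                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>
            </gateway>
            <!-- REST API the KnoxSSO-integrated application calls through the gateway -->
            <service>
                <role>WEBHDFS</role>
                <url>http://namenode-host:50070/webhdfs</url>
            </service>
        </topology>
        ```

        Because the cookie is presented by the browser automatically, REST endpoints in this topology should be called by the KnoxSSO-integrated application only; non-browser clients that cannot obtain the cookie belong in a separate topology with a different authentication or federation provider.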

    • Authorization

      • Automatically Assign ADMIN/KEYADMIN Role for External Users

        You can use usersync to mark specific external users, or users in a specific external group, with the ADMIN or KEYADMIN role within Ranger. This is useful in cases where internal users are not allowed to log in to Ranger.

      • Setting up the Knox Token Service for Ranger APIs

        Once a user is logged in to Knox SSO, the UI service uses a cookie named hadoop-jwt. The Knox Token Service enables clients to acquire this same JWT token for accessing REST APIs. By acquiring the token and setting it as a bearer token on a request, a client can access REST APIs that are protected with the JWT Federation Provider.
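        Two topology files that together implement this flow, added here as an illustration (not the documentation's own configuration); the topology names sandbox and tokenbased, the host names and the WEBHDFS service are placeholders, and the ShiroProvider realm parameters are assumed to be copied from the cluster's existing topology:

        ```xml
        <!-- File 1: sandbox.xml. Authenticates with a password and issues the JWT. -->
        <topology>
            <gateway>
                <provider>
                    <role>authentication</role>
                    <name>ShiroProvider</name>
                    <enabled>true</enabled>
                    <!-- LDAP or PAM realm params go here, as in the existing topology -->
                </provider>
            </gateway>
            <service>
                <role>KNOXTOKEN</role>
                <param>
                    <!-- Token lifetime in milliseconds: 36000000 = 10 hours -->
                    <name>knox.token.ttl</name>
                    <value>36000000</value>
                </param>
                <param>
                    <!-- Audience claim written into the token -->
                    <name>knox.token.audiences</name>
                    <value>tokenbased</value>
                </param>
                <param>
                    <name>knox.token.target.url</name>
                    <value>https://knox-host:8443/gateway/tokenbased</value>
                </param>
            </service>
        </topology>

        <!-- File 2: tokenbased.xml. Accepts only the bearer token, never a password. -->
        <topology>
            <gateway>
                <provider>
                    <role>federation</role>
                    <name>JWTProvider</name>
                    <enabled>true</enabled>
                    <param>
                        <!-- Must match knox.token.audiences above; a token minted for
                             another audience is rejected even though its signature is valid -->
                        <name>knox.token.audiences</name>
                        <value>tokenbased</value>
                    </param>
                </provider>
                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>
            </gateway>
            <service>
                <role>WEBHDFS</role>
                <url>http://namenode-host:50070/webhdfs</url>
            </service>
        </topology>
        ```

        A client first authenticates against https://knox-host:8443/gateway/sandbox/knoxtoken/api/v1/token and receives a JSON body whose access_token field holds the JWT; it then sends that value in an Authorization: Bearer header to URLs under /gateway/tokenbased/. Keep the TTL as short as the client's usage pattern allows, since a leaked token is usable by anyone who holds it until it expires.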

      • Using Tag Attributes and Values in Ranger Tag-based Policy Conditions

        Tag-based policies enable you to control access to resources across multiple Hadoop components without creating separate services and policies in each component. You can also use Ranger TagSync to synchronize the Ranger tag store with an external metadata service such as Apache Atlas.

      • Support for nested LDAP/AD Group Sync: Configuring Ranger User Sync for LDAP/AD

        Enables nested group memberships in Ranger so that the policies configured for parent groups are applied to all members of their subgroups.

      • Under Hive Policy > Allow Conditions > Permissions, a new Service Admin option provides authorization for the Hive query kill API: Create a Hive Policy

        The Hive Service Name is used only in conjunction with Permissions=Service Admin. It enables a user who has Service Admin permission in Ranger to run the kill query API: kill query <queryID>.

    • Miscellaneous

      • Bug fixes

  • Hortonworks Data Platform 2.6.2

    • Authorization

      • Dynamic tag-based column masking of Hive Columns using Ranger policies

        Whereas a Ranger resource-based masking policy for Hive anonymizes data in a Hive column identified by database, table, and column name, a tag-based masking policy anonymizes Hive column data based on the tags and tag attribute values associated with the column (usually specified as a metadata classification in Atlas).

    • Miscellaneous

      • Bug fixes

  • Hortonworks Data Platform 2.6.1

    • Miscellaneous

      • Bug fixes

  • Hortonworks Data Platform 2.6.0

    • Authentication

      • New Identity Assertion Provider: HadoopGroupProvider

        The Hadoop Group Lookup identity assertion provider looks up the ‘group membership’ of authenticated users using Hadoop’s group mapping service (GroupMappingServiceProvider).

        This allows existing investments in Hadoop group mapping to be leveraged within Knox and used in access control policy enforcement at the perimeter.
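        An illustration, added here and not taken from the Hortonworks documentation, of the HadoopGroupProvider resolving groups through Hadoop's LdapGroupsMapping and the AclsAuthz provider then enforcing a group-based ACL at the perimeter; the LDAP host, bind DN, password, base DN and the group name admins are placeholders:

        ```xml
        <gateway>
            <!-- authentication provider (ShiroProvider etc.) omitted -->
            <provider>
                <role>identity-assertion</role>
                <name>HadoopGroupProvider</name>
                <enabled>true</enabled>
                <!-- Standard Hadoop group-mapping properties, passed through as params -->
                <param>
                    <name>hadoop.security.group.mapping</name>
                    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.url</name>
                    <value>ldaps://ldap-host:636</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.bind.user</name>
                    <value>uid=knox-bind,ou=people,dc=example,dc=com</value>
                </param>
                <param>
                    <!-- Placeholder; the bind account needs read-only search rights only -->
                    <name>hadoop.security.group.mapping.ldap.bind.password</name>
                    <value>BIND_PASSWORD_PLACEHOLDER</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.base</name>
                    <value>dc=example,dc=com</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
                    <value>(&amp;(objectclass=person)(uid={0}))</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
                    <value>(objectclass=groupOfNames)</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
                    <value>member</value>
                </param>
                <param>
                    <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
                    <value>cn</value>
                </param>
            </provider>
            <!-- Perimeter ACL: any user, but only members of group admins, from any IP -->
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
                <param>
                    <name>webhdfs.acl</name>
                    <value>*;admins;*</value>
                </param>
            </provider>
        </gateway>
        ```

        The ACL value has the form users;groups;IP addresses, so a request reaches WebHDFS only if the groups the provider looked up include admins; the same group lookup is also what the gateway forwards to the cluster, so an LDAP outage or a misconfigured filter fails closed rather than granting access.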

      • Support for PAM Authentication

        PAM authentication is configured by adding a "ShiroProvider" authentication provider with PAM parameters to the cluster's topology file.

        A large number of pluggable authentication modules are available for authenticating access to Hadoop through the Knox Gateway. ShiroProvider, in addition to LDAP support, also supports PAM-based authentication on Unix-based systems.
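        A ShiroProvider configured for PAM, added here as an illustration rather than copied from the Hortonworks documentation; it assumes the KnoxPamRealm class lives in the org.apache.hadoop.gateway package, as it did in the Knox release shipped with HDP 2.6 (later Knox releases moved it under org.apache.knox), and that a PAM service named login exists on the gateway host:

        ```xml
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <!-- Shiro session timeout in minutes -->
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <!-- Knox's PAM realm; package name as assumed above -->
                <name>main.pamRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
            </param>
            <param>
                <!-- PAM service name, i.e. the stack defined in /etc/pam.d/login -->
                <name>main.pamRealm.service</name>
                <value>login</value>
            </param>
            <param>
                <!-- Require HTTP Basic authentication on every URL in this topology -->
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        ```

        With pam_unix in the login stack, the gateway's service account must be able to read /etc/shadow, which is normally done by adding it to the shadow group rather than running the gateway as root; because credentials travel as HTTP Basic, the topology must only be served over TLS.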

      • Added support for WebSockets

        WebSocket is a communication protocol that allows full-duplex communication over a single TCP connection. Knox provides out-of-the-box support for the WebSocket protocol, but currently only text-based messages are supported.

    • Authorization

      • Export and import tag-based and resource-based policies

        Export and import policies from the Ranger Admin UI from one cluster to another when launching new clusters or moving policies from test to production clusters. Export or import a specific subset of policies (such as those that pertain to specific resources or users/groups), or clone the entire repository or multiple repositories via the Ranger Admin UI.

      • Incremental Usersync

        When enabled, Ranger Usersync saves the latest timestamp of all the objects that were synced previously and uses that timestamp to perform the next sync. Usersync uses a polling mechanism to perform incremental sync by using the LDAP attributes uSNChanged (for AD) or modifytimestamp (for LDAP). Recommended for large deployments.

      • Support for {USER} variable in Ranger policies

        The variable {USER} can be used in a policy to automatically fill in the name of the accessing user.

    • Auditing

      • New Plugin Status page under Audits

        This tab shows the policies in effect for each plugin, including the relevant host information and when the plugin downloaded and started enforcing the policies.

    • Miscellaneous

      • Bug fixes