Create an HDFS Host Group and GuardPoint in CipherTrust Manager
After configuring the NameNodes, the next step in activating CTE on HDFS falls to the security administrator. To create a client group:
- Open the Transparent Encryption application.
- Click Clients > Client Groups.
- Click Create Client Group. The Create Client Group dialog box displays.
- Enter a unique Name for the client group.
- Select the Cluster Type: HDFS
  - NON CLUSTER: Creates a non-clustered client group.
  - HDFS: Creates a clustered client group. An HDFS client group is required to apply GuardPoints on CTE clients in an HDFS cluster.
- (Optional, displayed if a profile already exists) From the Client Profile drop-down list, select the desired client profile. The default profile is DefaultClientProfile.
- (Optional) Provide a Description to identify the client group. The maximum length is 256 characters.
- Click Create. The client group is created.
- Add the NameNode obtained from the HDFS Admin to the HDFS Client Group.
Thales highly recommends using Auto Guard for HDFS. You can use manual guards, but this might result in data corruption if some nodes in a running cluster are guarded while others are not.
Notes for HDFS Cluster Policies
The following screenshot depicts a valid HDFS policy. You can build a similar policy for your system:
The policy uses the following rules:
- For the user set hdfs-dev-user, the action is all_ops, the effect is Audit, Apply Key, Permit
- For other users, the action is READ, the effect is Permit
- For the resource set hdfs-data-1, the key is hdfs-key-1
- For the resource set hdfs-data-2, the key is hdfs-key-2
Additional Settings for HDFS (Linux Clients)
Depending on the Hadoop security authentication mode, additional settings are needed for CTE clients in an HDFS cluster. Add the following settings as appropriate. In the samples below, /usr/jdk64/jdk1.8.0_40/bin/java is the Java executable used to launch the HDFS services; change the JDK path to match your own environment.
- Sample setup when hadoop.security.authentication mode is simple:
  |authenticator+arg=+class=org.apache.hadoop.hdfs.server.namenode.NameNode|/usr/jdk64/jdk1.8.0_40/bin/java
  |authenticator+arg=+class=org.apache.hadoop.hdfs.server.datanode.DataNode|/usr/jdk64/jdk1.8.0_40/bin/java
- Sample setup when hadoop.security.authentication mode is Kerberos:
  |authenticator+arg=+class=org.apache.hadoop.hdfs.server.namenode.NameNode|/usr/jdk64/jdk1.8.0_40/bin/java
  |authenticator+arg=+class=org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter|/usr/lib/bigtop-utils/jsvc
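As an added illustration of these settings (not Thales code and not taken from the page), the following Python helper derives the authenticator lines from the command lines of the running HDFS daemons and flags any setting whose trusted executable path does not match what actually launches the class, which is the mismatch that the "change the JDK path" note warns about. The process list is a constructed sample; the `+arg=+class=` line format, class names and paths are the ones shown above.

```python
import re

# HDFS main classes named in the authenticator settings above.
HDFS_CLASSES = (
    "org.apache.hadoop.hdfs.server.namenode.NameNode",
    "org.apache.hadoop.hdfs.server.datanode.DataNode",
    "org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter",
)

# Constructed sample of process command lines (argv joined by spaces, as
# `ps -eo args` prints them) from a Kerberos-mode node: the NameNode runs
# under the JDK's java, the DataNode is started by jsvc.
SAMPLE_PS = [
    "/usr/jdk64/jdk1.8.0_40/bin/java -Dproc_namenode -Xmx1024m org.apache.hadoop.hdfs.server.namenode.NameNode",
    "/usr/lib/bigtop-utils/jsvc -Dproc_datanode -user hdfs -nodetach org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter",
]

# One CTE settings line: |authenticator+arg=+class=<main class>|<executable>
SETTING_RE = re.compile(r"^\|authenticator\+arg=\+class=([^|\s]+)\|([^|\s]+)$")


def launching_executables(cmdlines):
    """Map each HDFS main class seen in cmdlines to its argv[0]."""
    found = {}
    for line in cmdlines:
        argv = line.split()
        for cls in HDFS_CLASSES:
            if cls in argv[1:]:
                found[cls] = argv[0]
    return found


def authenticator_settings(exe_by_class):
    """Render CTE client settings lines in the format shown on this page."""
    return [f"|authenticator+arg=+class={cls}|{exe}"
            for cls, exe in sorted(exe_by_class.items())]


def check_settings(settings, exe_by_class):
    """Report settings that do not match the running daemons; [] means OK."""
    problems = []
    for line in settings:
        match = SETTING_RE.match(line.strip())
        if not match:
            problems.append(f"unparsable setting: {line}")
            continue
        cls, exe = match.groups()
        actual = exe_by_class.get(cls)
        if actual is None:
            problems.append(f"{cls}: no running process launches this class")
        elif actual != exe:
            problems.append(f"{cls}: setting trusts {exe} but process runs {actual}")
    return problems
```

On a real node, replace SAMPLE_PS with the output of `ps -eo args` and compare the generated lines with the settings configured for the client group.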