Posted to hdfs-user@hadoop.apache.org by Fabio Pitzolu <fa...@gr-ci.com> on 2013/01/22 16:20:01 UTC

Using certificates to secure Hadoop

Hi all,

I've been asked to check whether it is possible to use certificates to secure
the connection between Hadoop and Oozie and the "external world" or not.

Case is this:

We have to develop a webservice to run Oozie workflows and access HDFS, so
that there will be just one "interface" between the cluster and a user web
application.

Current security scenario does not allow using Kerberos to authenticate the
users, so we were thinking about using certificates, distributed through the
Tomcat stack (as shown on the following diagram).

The idea is that only a client (in this case the client would be the Java
WebService - the blue box) with the right certificate could "talk" to the
Hadoop / Oozie machines.

 



 

Is it possible to achieve this scenario?

If so, is there a whitepaper on the Internet that shows how to do this?

If not possible, what do you think would be the best security solution not
using Kerberos (example, firewall sec., IP security, …)?

 

Thank you very much, have a nice day!

 

Fabio Pitzolu

 


RE: Using certificates to secure Hadoop

Posted by Fabio Pitzolu <fa...@gr-ci.com>.
Ok thanks, I’ll reach you by mail.

 

Fabio Pitzolu



 

From: Nitin Pawar [mailto:nitinpawar432@gmail.com] 
Sent: Tuesday, 22 January 2013 18:49
To: user@hadoop.apache.org
Subject: Re: Using certificates to secure Hadoop

 

yes second option is not hadoop aware but in general for web services. 

 

I really don't think that particular thing has been open sourced I may try
to explain that stuff offline 

 

for hadoop related security either you rely on network security or kerberos.
You may also try securing hadoop with active directory 

https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory

 

for webservices related security you can reach me, we can discuss that if
you need it 

 

On Tue, Jan 22, 2013 at 11:07 PM, Fabio Pitzolu <fabio.pitzolu@gr-ci.com> wrote:

Hi Nitin, thank you for the answer.

Your second option will be the most feasible, and I think that this is not
hadoop-aware, but it’s a general Tomcat configuration, am I right?

Could you please link me some doc about this configuration?

 

Thanks a lot!

 

 

Fabio Pitzolu

 

From: Nitin Pawar [mailto:nitinpawar432@gmail.com]
Sent: Tuesday, 22 January 2013 17:56
To: user@hadoop.apache.org
Subject: Re: Using certificates to secure Hadoop

 

on network level easy way would be you host your entire infrastructure into
a private network with just one internet facing gateway via which your
client can access your webservice. And in case you need to access internet
for hadoop/oozie then you can setup a NAT 

this will be like building your private cloud infra with different internet
gateways 

 

other way would be you build your own certificate based authentication
library. (we used to have this @ yahoo where we used to restrict access to
server having certificate only) 

 

On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fabio.pitzolu@gr-ci.com> wrote:

Hi all,

I’ve been asked to check whether it is possible to use certificates to secure
the connection between Hadoop and Oozie and the “external world” or not.

Case is this:

We have to develop a webservice to run Oozie workflows and access HDFS, so
that there will be just one “interface” between the cluster and a user web
application.

Current security scenario does not allow using Kerberos to authenticate the
users, so we were thinking about using certificates, distributed through the
Tomcat stack (as shown on the following diagram).

The idea is that only a client (in this case the client would be the Java
WebService – the blue box) with the right certificate could “talk” to the
Hadoop / Oozie machines.

 



 

Is it possible to achieve this scenario?

If so, is there a whitepaper on the Internet that shows how to do this?

If not possible, what do you think would be the best security solution not
using Kerberos (example, firewall sec., IP security, …)? 

 

Thank you very much, have a nice day!

 

Fabio Pitzolu

 





 

-- 
Nitin Pawar





 

-- 
Nitin Pawar


Re: Using certificates to secure Hadoop

Posted by Nitin Pawar <ni...@gmail.com>.
yes second option is not hadoop aware but in general for web services.

I really don't think that particular thing has been open sourced I may try
to explain that stuff offline

for hadoop related security either you rely on network security or
kerberos. You may also try securing hadoop with active directory
https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory

for webservices related security you can reach me, we can discuss that if
you need it


On Tue, Jan 22, 2013 at 11:07 PM, Fabio Pitzolu <fa...@gr-ci.com> wrote:

> Hi Nitin, thank you for the answer.
>
> Your second option will be the most feasible, and I think that this is not
> hadoop-aware, but it’s a general Tomcat configuration, am I right?
>
> Could you please link me some doc about this configuration?
>
> Thanks a lot!
>
> *Fabio Pitzolu*
>
> *From:* Nitin Pawar [mailto:nitinpawar432@gmail.com]
> *Sent:* Tuesday, 22 January 2013 17:56
> *To:* user@hadoop.apache.org
> *Subject:* Re: Using certificates to secure Hadoop
>
> on network level easy way would be you host your entire infrastructure
> into a private network with just one internet facing gateway via which your
> client can access your webservice. And in case you need to access internet
> for hadoop/oozie then you can setup a NAT
>
> this will be like building your private cloud infra with different
> internet gateways
>
> other way would be you build your own certificate based authentication
> library. (we used to have this @ yahoo where we used to restrict access to
> server having certificate only)
>
> On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fa...@gr-ci.com>
> wrote:
>
> Hi all,
>
> I’ve been asked to check whether it is possible to use certificates to secure
> the connection between Hadoop and Oozie and the “external world” or not.
>
> Case is this:
>
> We have to develop a webservice to run Oozie workflows and access HDFS, so
> that there will be just one “interface” between the cluster and a user web
> application.
>
> Current security scenario does not allow using Kerberos to authenticate
> the users, so we were thinking about using certificates, distributed
> through the Tomcat stack (as shown on the following diagram).
>
> The idea is that only a client (in this case the client would be the Java
> WebService – the blue box) with the right certificate could “talk” to the
> Hadoop / Oozie machines.
>
> Is it possible to achieve this scenario?
>
> If so, is there a whitepaper on the Internet that shows how to do this?
>
> If not possible, what do you think would be the best security solution not
> using Kerberos (example, firewall sec., IP security, …)?
>
> Thank you very much, have a nice day!
>
> Fabio Pitzolu
>
> --
> Nitin Pawar
>



-- 
Nitin Pawar

RE: Using certificates to secure Hadoop

Posted by Fabio Pitzolu <fa...@gr-ci.com>.
Hi Nitin, thank you for the answer.

Your second option will be the most feasible, and I think that this is not
hadoop-aware, but it’s a general Tomcat configuration, am I right?

Could you please link me some doc about this configuration?

 

Thanks a lot!

 

 

Fabio Pitzolu



 

From: Nitin Pawar [mailto:nitinpawar432@gmail.com] 
Sent: Tuesday, 22 January 2013 17:56
To: user@hadoop.apache.org
Subject: Re: Using certificates to secure Hadoop

 

on network level easy way would be you host your entire infrastructure into
a private network with just one internet facing gateway via which your
client can access your webservice. And in case you need to access internet
for hadoop/oozie then you can setup a NAT 

this will be like building your private cloud infra with different internet
gateways 

 

other way would be you build your own certificate based authentication
library. (we used to have this @ yahoo where we used to restrict access to
server having certificate only) 

 

On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fabio.pitzolu@gr-ci.com> wrote:

Hi all,

I’ve been asked to check whether it is possible to use certificates to secure
the connection between Hadoop and Oozie and the “external world” or not.

Case is this:

We have to develop a webservice to run Oozie workflows and access HDFS, so
that there will be just one “interface” between the cluster and a user web
application.

Current security scenario does not allow using Kerberos to authenticate the
users, so we were thinking about using certificates, distributed through the
Tomcat stack (as shown on the following diagram).

The idea is that only a client (in this case the client would be the Java
WebService – the blue box) with the right certificate could “talk” to the
Hadoop / Oozie machines.

 



 

Is it possible to achieve this scenario?

If so, is there a whitepaper on the Internet that shows how to do this?

If not possible, what do you think would be the best security solution not
using Kerberos (example, firewall sec., IP security, …)? 

 

Thank you very much, have a nice day!

 

Fabio Pitzolu

 





 

-- 
Nitin Pawar
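
The "general Tomcat configuration" asked about in this thread, sketched as an added example (not written by either poster and not Hadoop or Oozie project configuration): a Tomcat 7-style JSSE HTTPS connector that refuses any TLS client lacking a certificate that chains to the connector's truststore. The port, file paths and passwords are placeholders, and it assumes the services to be protected are reached through this Tomcat instance.

```xml
<!-- Added example: fragment of Tomcat's conf/server.xml (Tomcat 7-style JSSE
     connector attributes). Port, paths and passwords are placeholders. -->

<!-- clientAuth controls whether the TLS handshake demands a client certificate:
       "false" : no client certificate is requested; any TLS client gets in
       "want"  : a certificate is requested, but clients without one still connect
       "true"  : the handshake fails unless the client presents a certificate
                 that chains to an entry in truststoreFile
     Only "true" gives the "right certificate or no connection" behaviour. -->

<!-- truststoreFile decides which client certificates count as "right". Keep it
     to the web service's own certificate (or a private CA that issues only to
     it); a truststore full of public CAs would accept any certificate they issue. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="/path/to/server-keystore.jks"
           keystorePass="PLACEHOLDER_SERVER_PASSWORD"
           truststoreFile="/path/to/webservice-truststore.jks"
           truststorePass="PLACEHOLDER_TRUST_PASSWORD"
           clientAuth="true" />

<!-- This covers only HTTPS requests served by this connector. Ports not served
     by this Tomcat are unaffected and still need the network-level restriction
     (private network, single gateway) suggested earlier in the thread. -->
```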


RE: Using certificates to secure Hadoop

Posted by Fabio Pitzolu <fa...@gr-ci.com>.
Hi Nitin, thank you for the answer.

Your second option will be the most feasible, and I think that this not
hadoop-aware, but it’s a general Tomcat configuration, am I right?

Could you please link me some doc about this configuration?

 

Thanks a lot!

 

 

Fabio Pitzolu



 

From: Nitin Pawar [mailto:nitinpawar432@gmail.com] 
Sent: martedì 22 gennaio 2013 17:56
To: user@hadoop.apache.org
Subject: Re: Using certificates to secure Hadoop

 

on network level easy way would be you host your entire infrastructure into
a private network with just one internet facing gateway via which your
client can access your webservice. And in case you need to access internet
for hadoop/oozie then you can setup a NAT 

this will be like building your private cloud infra with different internet
gateways 

 

other way would be you build your own certificate based authentication
library. (we used to have this @ yahoo where we used to restrict access to
server having certificate only) 

 

On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fabio.pitzolu@gr-ci.com
<ma...@gr-ci.com> > wrote:

Hi all,

I’ve been asked to check whether is possible to use certificates to secure
the connection between Hadoop and Oozie and the “external world” or not.

Case is this:

We have to develop a webservice to run Oozie workflows and access HDFS, so
that there will be just one “interface” between the cluster and a user web
application.

Current security scenario does not allow to use Kerberos to authenticate the
users, so we were thinking about using certificates, distributed through the
Tomcat stack (as show on the following diagram).

The idea is that only a client (in this case the client would be the Java
WebService – the blue box) with the right certificate could “talk” to the
Hadoop / Oozie machines.

 



 

Is it possible to achieve this scenario?

If so, is there a whitepaper on the Internet that shows how to do this?

If not possible, what do you think would be the best security solution not
using Kerberos (example, firewall sec., IP security, …)? 

 

Thank you very much, have a nice day!

 

Fabio Pitzolu

 





 

-- 
Nitin Pawar


RE: Using certificates to secure Hadoop

Posted by Fabio Pitzolu <fa...@gr-ci.com>.
Hi Nitin, thank you for the answer.

Your second option will be the most feasible, and I think that this not
hadoop-aware, but it’s a general Tomcat configuration, am I right?

Could you please link me some doc about this configuration?

 

Thanks a lot!

 

 

Fabio Pitzolu



 

From: Nitin Pawar [mailto:nitinpawar432@gmail.com] 
Sent: martedì 22 gennaio 2013 17:56
To: user@hadoop.apache.org
Subject: Re: Using certificates to secure Hadoop

 

on network level easy way would be you host your entire infrastructure into
a private network with just one internet facing gateway via which your
client can access your webservice. And in case you need to access internet
for hadoop/oozie then you can setup a NAT 

this will be like building your private cloud infra with different internet
gateways 

 

other way would be you build your own certificate based authentication
library. (we used to have this @ yahoo where we used to restrict access to
server having certificate only) 

 

On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fabio.pitzolu@gr-ci.com
<ma...@gr-ci.com> > wrote:

Hi all,

I’ve been asked to check whether it is possible to use certificates to secure
the connection between Hadoop and Oozie and the “external world” or not.

Case is this:

We have to develop a webservice to run Oozie workflows and access HDFS, so
that there will be just one “interface” between the cluster and a user web
application.

Current security scenario does not allow to use Kerberos to authenticate the
users, so we were thinking about using certificates, distributed through the
Tomcat stack (as shown on the following diagram).

The idea is that only a client (in this case the client would be the Java
WebService – the blue box) with the right certificate could “talk” to the
Hadoop / Oozie machines.

Is it possible to achieve this scenario?

If so, is there a whitepaper on the Internet that shows how to do this?

If not possible, what do you think would be the best security solution not
using Kerberos (example, firewall sec., IP security, …)?

Thank you very much, have a nice day!

Fabio Pitzolu

-- 
Nitin Pawar


Re: Using certificates to secure Hadoop

Posted by Nitin Pawar <ni...@gmail.com>.
on network level easy way would be you host your entire infrastructure into
a private network with just one internet facing gateway via which your
client can access your webservice. And in case you need to access internet
for hadoop/oozie then you can set up a NAT

this will be like building your private cloud infra with different internet
gateways

other way would be you build your own certificate based authentication
library. (we used to have this @ yahoo where we used to restrict access to
server having certificate only)


On Tue, Jan 22, 2013 at 8:50 PM, Fabio Pitzolu <fa...@gr-ci.com> wrote:

> Hi all,
>
> I’ve been asked to check whether it is possible to use certificates to secure
> the connection between Hadoop and Oozie and the “external world” or not.
>
> Case is this:
>
> We have to develop a webservice to run Oozie workflows and access HDFS, so
> that there will be just one “interface” between the cluster and a user web
> application.
>
> Current security scenario does not allow to use Kerberos to authenticate
> the users, so we were thinking about using certificates, distributed
> through the Tomcat stack (as shown on the following diagram).
>
> The idea is that only a client (in this case the client would be the Java
> WebService – the blue box) with the right certificate could “talk” to the
> Hadoop / Oozie machines.
>
> Is it possible to achieve this scenario?
>
> If so, is there a whitepaper on the Internet that shows how to do this?
>
> If not possible, what do you think would be the best security solution not
> using Kerberos (example, firewall sec., IP security, …)?
>
> Thank you very much, have a nice day!
>
> Fabio Pitzolu



-- 
Nitin Pawar
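
The "server having certificate only" restriction from the reply above can be enforced inside a Tomcat-hosted web application with a servlet filter. This is an added example, not code from this thread or from the library the reply mentions. It assumes the HTTPS connector already requests and validates client certificates and the javax.servlet API of Tomcat 9 and earlier; the class name and the allowedSha256 init parameter are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): admit only allow-listed TLS client certificates. */
public class ClientCertAllowListFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) {
        // Assumed init-param "allowedSha256": comma-separated hex SHA-256 fingerprints (DER form).
        String param = cfg.getInitParameter("allowedSha256");
        if (param == null) return;            // empty allow-list: every request is refused
        for (String f : param.split(",")) {
            if (!f.trim().isEmpty()) allowed.add(f.trim().toLowerCase(Locale.ROOT));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Standard Servlet attribute; present only if the TLS handshake carried a
        // client certificate that the connector's trust store accepted.
        X509Certificate[] chainCerts =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chainCerts == null || chainCerts.length == 0
                || !allowed.contains(sha256Hex(chainCerts[0]))) {   // [0] is the client's own cert
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    static String sha256Hex(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (java.security.GeneralSecurityException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
    @Override
    public void destroy() { }
}
```

Trust-store validation alone admits every certificate issued by a trusted CA; the fingerprint allow-list narrows access to the specific client certificates, and an empty list refuses all requests.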
