Storage: MapR Security Interview QA
1. What is the core component of user authentication in MapR?
Ans: Authentication restricts access to a specified set of users. Robust authentication prevents third parties from representing themselves as legitimate users. The core component of user authentication in MapR is the ticket. A ticket is an object that contains specific information about a user, an expiration time, and a key. Tickets uniquely identify a user and are encrypted to protect their contents. Tickets are used to establish sessions between a user and the cluster.
2. What are the two methods of authenticating a user and generating a ticket?
Ans: MapR supports two methods of authenticating a user and generating a ticket: a username/password pair and Kerberos. Both of these methods are mediated by the maprlogin utility. When you authenticate with a username/password pair, the system verifies credentials using Pluggable Authentication Modules (PAM). You can configure the cluster to use any registry that has a PAM module.
3. What is the role of a MapR ticket?
Ans: A MapR ticket determines the user's identity and the system uses the ticket as the basis for authorization decisions. A MapR cluster with security features enabled does not rely on the client-side operating system identity.
4. What is the role of ACLs in MapR?
Ans: MapR supports Access Control Lists (ACLs) in a number of areas, including for regulating user privileges to the job queue and cluster. MapR also uses ACLs to control administrative access to volumes (administrative access is distinct from data access).
5. What are Access Control Expressions?
Ans: MapR also provides a more powerful authorization model known as Access Control Expressions (ACEs). ACEs allow you to control access using boolean logic expressions. ACEs can be used to control data access to MapR tables, files, directories, and volumes. The MapR file system also supports standard POSIX filesystem permission levels.
6. What is the use of encryption in a MapR cluster?
Ans: Encryption restricts an external party's ability to read data. Data transmission between nodes in a secure MapR cluster is encrypted, preventing an attacker with access to that communication from gaining information about the transmission's contents.
7. What technologies are used to protect network traffic?
Ans: MapR uses several technologies to protect network traffic:
The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol secures several channels of HTTP traffic.
In compliance with the NIST standard, the Advanced Encryption Standard in Galois/Counter Mode (AES/GCM) secures several communication channels between cluster components.
Kerberos encryption secures several communication paths elsewhere in the cluster.
8. What is impersonation?
Ans: Impersonation, also known as identity assertion, is one user (the mapr super user) accessing data and submitting jobs on behalf of another user. Impersonation in MapR allows centralized control of access to resources in the MapR-FS, MapR-DB, and HBase systems.
9. Why implement impersonation?
Ans: Implementing impersonation provides authoritative, end-to-end security for your MapR installation, independent of remote authentication and security mechanisms that control user access to application features.
10. What is the use of auditing?
Ans: Auditing creates audit records of maprcli commands, REST API calls, and other actions performed on a cluster through the MapR Control System (MCS).
11. What is the role of audit records?
Ans: Auditing records many different types of operations on directories, files, and MapR-DB tables in log files in various locations in your MapR cluster. You can then process the information in these log files with Apache Drill or other tools.
12. What does MapR provide by default?
Ans: By default, MapR provides basic authorization functionality and some authentication:
Filesystem permissions: MapR-FS is a POSIX-like file system. You can set user permissions as you would on any other Linux system.
Cluster, volume, and job queue Access Control Lists (ACLs): You can specify the actions that a given user can perform on each of these cluster elements.
Access Control Expressions (ACEs) for natively stored MapR-DB tables: ACEs control which areas of the tables users or groups can access.
Username/password login authentication to the MapR Control System (MCS) through Pluggable Authentication Modules (PAM): you can use any registry that has a PAM module.
13. What is the maprlogin utility?
Ans: The maprlogin utility supports user authentication with either username and password or Kerberos to generate a unique session token called a ticket.
14. What is an ACL?
Ans: An Access Control List (ACL) is a list of users or groups. Each user or group in the list is paired with a defined set of permissions that limit the actions that the user or group can perform on the object secured by the ACL.
15. What is a job queue ACL?
Ans: A job queue ACL controls who can submit jobs to a queue, kill jobs, or modify their priority.
16. What is a volume-level ACL?
Ans: A volume-level ACL controls which users and groups have access to that volume, and what actions they may perform, such as mirroring the volume, altering the volume properties, dumping or backing up the volume, or deleting the volume.
17. What is an ACE?
Ans: An Access Control Expression (ACE) is a combination of user, group, and role definitions. A role is a property of a user or group that defines a set of behaviors that the user or group performs regularly.
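As an added illustration of the boolean logic that Q5 and Q17 describe (example code written for this page, not code from MapR), here is a small evaluator for expressions that combine user, group and role predicates. The `u:`, `g:`, `r:` and `p` atoms, the `& | !` operators and the subject dictionary shape are assumptions, since the page does not spell out the syntax.

```python
import re
# Assumed ACE syntax (the page does not spell it out): u:<user>, g:<group>,
# r:<role>, p = public; operators ! & | plus parentheses; & binds tighter than |.
_TOKEN = re.compile(r"[ugr]:[\w.-]+|[()&|!]|p")

def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    # Anything the grammar did not consume is an error: fail closed rather than guess.
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported ACE syntax: {expr!r}")
    return tokens
class _Parser:
    def __init__(self, tokens, subject):
        self.toks, self.subj = list(tokens), subject
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        return self.toks.pop(0) if self.toks else None
    def expr(self):                       # expr := term ('|' term)*
        return self._chain(self.term, "|", lambda a, b: a or b)
    def term(self):                       # term := factor ('&' factor)*
        return self._chain(self.factor, "&", lambda a, b: a and b)
    def _chain(self, sub, op, combine):
        val = sub()
        while self.peek() == op:
            self.take()
            val = combine(val, sub())     # right side is always parsed, so bad syntax surfaces
        return val
    def factor(self):                     # factor := '!' factor | '(' expr ')' | atom
        tok = self.take()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok == "p":
            return True
        if tok and tok[1:2] == ":":       # atom := u:name | g:name | r:name
            return tok[2:] in self.subj.get(tok[0], ())   # exact match against the subject's sets
        raise ValueError(f"unexpected token {tok!r}")

def ace_allows(expr, subject):
    """True if subject ({"u": {user}, "g": groups, "r": roles}) satisfies the ACE."""
    p = _Parser(tokenize(expr), subject)
    result = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing token {p.peek()!r}")
    return result
```

Malformed or unrecognised expressions raise instead of silently granting or denying, which is the behaviour a permission evaluator should have.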
18. How does MapR secure the core work of the cluster and the Hadoop components installed on it?
Ans: MapR uses a mix of approaches to secure the core work of the cluster and the Hadoop components installed on the cluster. For example, nodes in a MapR cluster use different protocols depending on their tasks:
The FileServer, JobTracker, TaskTracker, NodeManager, and ResourceManager use MapR tickets to secure their remote procedure calls (RPCs) with the native MapR security layer. Clients can use the maprlogin utility to obtain MapR tickets. Web UI elements of these components use password security by default, but can also be configured to use SPNEGO.
Hive Metastore, Hue, Flume, and Oozie use MapR tickets by default, but can also be configured to use Kerberos.
HBase requires Kerberos for secure communications.
The MCS Web UI is secured with passwords. The MCS Web UI does not support SPNEGO for users, but supports both password and SPNEGO security for REST calls.
19. Which web servers use HTTPS?
Ans: The following web servers use HTTPS:
MCS
JobTracker
TaskTracker
NodeManager
ResourceManager
HistoryServer
CLDB
HBase
20. In which ways can users authenticate themselves to the cluster with a maprticket?
Ans: The /opt/mapr/bin/maprlogin command line tool enables users to log into a secure MapR cluster. Users authenticate themselves to the cluster with a maprticket that can be generated in the following ways:
Run maprlogin password to authenticate with username and password.
Run maprlogin generateticket to request a service ticket for use by an external application or user account (based on the current user's ticket).
21. What is PAM in the UNIX authentication stack?
Ans: The MapR Converged Data Platform supports Pluggable Authentication Modules (PAM) in the UNIX authentication stack. MapR provides a PAM Authenticator module that generates MapR tickets in conjunction with the maprlogin utility.
22. What is a ticket?
Ans: A ticket is an object that contains specific information about a user and a key. A ticket authenticates a user to the cluster. Tickets are encrypted to protect their contents. MapR supports three types of tickets that can be used for authentication:
MapR user tickets
MapR service tickets
Kerberos tickets
23. How do Oozie clients communicate with the Oozie server?
Ans: Oozie clients can communicate with the Oozie server over HTTPS secured by SPNEGO with Kerberos authentication. Java clients can authenticate with MapR tickets.