Although network encryption has been provided in the Apache Hadoop platform
for some time (since Hadoop 2.02-alpha/CDH 4.1), at-rest encryption, the
encryption of data stored on persistent storage such as disk, is not. To
meet that requirement in the platform, Cloudera and Intel are working with
the rest of the Hadoop community under the umbrella of Project Rhino — an
effort to bring a comprehensive security framework for data protection to
Hadoop, which also now includes Apache Sentry (incubating) — to implement
at-rest encryption for HDFS (HDFS-6134 and HADOOP-10150).
Looks like I got this wrong: Apache Sentry will become part of Project Rhino.
Original title and link: Project Rhino goal: at-rest encryption for Apache Hadoop
One result of Intel’s investment in Cloudera is putting together the teams to work on the same projects:
As the goals of Project Rhino and Sentry to develop more robust
authorization mechanisms in Apache Hadoop are in complete alignment, the
efforts of the engineers and security experts from both companies have
merged, and their work now contributes to both projects. The specific goal
is “unified authorization”, which goes beyond setting up authorization
policies for multiple Hadoop components in a single administrative tool; it
means setting an access policy once (typically tied to a “group” defined in
an external user directory) and having it enforced across all of the
different tools that this group of people uses to access data in Hadoop –
for example access through Hive, Impala, search, as well as access from
tools that execute MapReduce, Pig, and beyond.
A great first step.
You know what would be even better? A single security framework for Hadoop instead of two.
Original title and link: Hadoop security: unifying Project Rhino and Sentry