HDFS transparency security
- Configuration and binary permissions
All configuration files for HDFS transparency are located in the /usr/lpp/mmfs/hadoop/etc/hadoop folder after installation. Configuration files can be read and modified only by the root user.
- HDFS transparency daemon UID/GID and Hadoop super groups
HDFS transparency has two types of daemons: NameNode and DataNode. Both daemons can be started only by the root user because certain file operations in the Hadoop distributed file system API, such as setPermission and setOwner, need root privileges.
- The simple security mode
When Kerberos is not enabled, Hadoop runs in the simple security mode. In this mode, RPCs are neither encrypted nor authenticated, and all users can submit map and reduce jobs to the Hadoop cluster. A Hadoop cluster running in the simple security mode is vulnerable to attack over the network from outside the cluster and from users logged on to the nodes in the cluster.
- The Kerberos mode
User authentication and authorization are weak in the simple mode. Data transfers and RPCs from the clients to the NameNode and DataNode are not encrypted. The Kerberos mode introduced in the Hadoop ecosystem provides a secure Hadoop environment.
- Shortcircuit and security
In HDFS, shortcircuit can be enabled when a client and DataNode are on the same node. With shortcircuit enabled, an application that needs to read a file can obtain the file descriptor from the DataNode and read the data block directly. Shortcircuit reads provide a significant boost in read I/O performance. The Hadoop client can only read data from the file descriptor because the DataNode opens the file in read-only mode.
- Hadoop data isolation
This topic describes Hadoop data isolation.
- Hadoop data access audit
This section describes the Hadoop data access audit.