Security features

Db2® Big SQL includes a powerful SQL processing engine, runs on a platform whose data warehouse is based on Apache Hive, and can perform authorization and auditing by using the Apache Ranger framework.

Db2 Big SQL security is built around the pillars of security of the underlying platform:
  • Administration
  • Authentication and perimeter security
  • Authorization
  • Auditing
  • Data protection
Db2 Big SQL extends the support in some of these areas to enhance security for accessing managed data. Because multiple security options are available in each area, you can choose, for an aspect such as authentication, the model that fits the deployment requirements of your enterprise.

The SQL processing engine in the Db2 Big SQL server applies database authorizations for fine-grained access control while it works with components of the Hadoop platform, and it can use the Apache Ranger framework for authorization and auditing of the same data.

Learn more: Security and governance

Administration

You administer Db2 Big SQL by using the Db2 Big SQL configuration utility and the Db2 Big SQL cluster administration utility. Use these tools to complete the following security administration tasks:
  • Configuring authentication, including Kerberos enablement
  • Enabling Db2 Big SQL integration with Apache Ranger
Learn more: Db2 Big SQL configuration utility and Db2 Big SQL cluster administration utility

Authentication

You access the Db2 Big SQL console through the Apache Knox gateway. For database client applications, the Db2 Big SQL server supports over-the-wire encryption: the IBM® Data Server Driver for JDBC and SQLJ (type 4 connections) can connect through SSL. For Kerberos authentication of remote JDBC/ODBC clients, you can use the IBM-provided Kerberos security plug-in library (IBMkrb5).

Db2 Big SQL supports transparent LDAP authentication through Pluggable Authentication Modules (PAM): user authentication and group lookups go through the operating system, which PAM directs to an LDAP server. The LDAP server then provides central management of user authentication and group membership.

Default Db2 Big SQL plug-ins
You can use the plug-ins (dynamically loaded libraries) provided by default in Db2 Big SQL for group retrieval, user ID and password management, and Kerberos authentication.
LDAP security plug-in modules
LDAP-based authentication and group lookup use LDAP security plug-in modules and can be kept separate from the operating system authentication method.

Learn more: Authentication

Kerberos

Db2 Big SQL supports Kerberos authentication. You can use Kerberos for the Db2 Big SQL service, for components deployed on the Hadoop platform, and optionally for client connections.

Learn more: Enabling Kerberos Authentication for CDP

Authorization

After a user is authenticated, user access is controlled by authorization and privileges on the data or resources of the database. Security in Db2 Big SQL can be based on either:
Database authorizations
Authorizations enforced by the database engine
Hadoop security
Authorizations enforced by the Apache Hadoop stack, such as HDFS privileges and permissions or Apache Ranger policies

Depending on the security model in use, Db2 Big SQL performs all actions on the Hadoop platform either as the Db2 Big SQL service user on behalf of the connected user or, when impersonation is enabled, as the end user. In either case, users must be granted permissions, directly or through group membership, for every operation. With database authorizations, explicit access control is applied through GRANT and REVOKE statements. Db2 Big SQL also provides a Ranger plug-in with which you can define resource-based policies for access to Db2 Big SQL objects. With impersonation, authorization is delegated to the file system layer, so the permissions on the underlying files decide what the end user can access.

Db2 Big SQL also supports advanced authorization features, including:
  • Role-based access control (RBAC)
  • Row-based dynamic filtering
  • Column-based dynamic masking
Learn more: Authorization
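The following SQL is an added example, not code from the Db2 Big SQL documentation. It shows the database-authorization model described above on a hypothetical Hadoop table sales.orders: privileges granted to roles (RBAC), a row permission (row-based dynamic filtering) and a column mask (column-based dynamic masking). The table, columns, roles, user IDs and groups (analysts, sales_admins, payments_ops, etl_svc) and the lookup table sales.rep_region are assumptions for illustration. The permission and mask statements use the Db2 row and column access control (RCAC) syntax; confirm in the Authorization topic that your Db2 Big SQL release accepts them on Hadoop tables.

```sql
-- Added example: database-authorization model for a hypothetical table.
-- Table, role, group and column names are assumptions for illustration.
CREATE HADOOP TABLE sales.orders (
  order_id    BIGINT,
  region      VARCHAR(16),
  card_number VARCHAR(19),      -- formatted as 1234-5678-9012-3456
  amount      DECIMAL(12,2)
) STORED AS PARQUET;

-- RBAC: grant privileges to a role, then grant the role to a group that
-- the OS/LDAP group plug-in resolves at connect time. Adding a user to the
-- group is then sufficient; no per-user GRANT is needed.
CREATE ROLE analyst;
GRANT SELECT ON TABLE sales.orders TO ROLE analyst;
GRANT ROLE analyst TO GROUP analysts;

-- Least privilege for a loader identity: it can write but not read back.
CREATE ROLE loader;
GRANT INSERT ON TABLE sales.orders TO ROLE loader;
GRANT ROLE loader TO USER etl_svc;

-- Row-based dynamic filtering: a user sees only rows for the region
-- assigned in sales.rep_region (assumed lookup table, rep_id stored in
-- upper case because SESSION_USER is upper case), unless the user is in
-- the sales_admins group. The engine adds the predicate to every query,
-- so the query author cannot bypass it.
CREATE PERMISSION sales.orders_region_filter ON sales.orders
  FOR ROWS WHERE
    VERIFY_GROUP_FOR_USER(SESSION_USER, 'sales_admins') = 1
    OR region = (SELECT home_region
                   FROM sales.rep_region
                  WHERE rep_id = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column-based dynamic masking: card_number is returned unchanged only
-- to the payments_ops group; everyone else gets the last four digits.
-- The masked value keeps the column's VARCHAR(19) shape.
CREATE MASK sales.orders_card_mask ON sales.orders
  FOR COLUMN card_number RETURN
    CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'payments_ops') = 1
         THEN card_number
         ELSE 'XXXX-XXXX-XXXX-' || SUBSTR(card_number, 16, 4)
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
-- Once row access control is active, a table with no enabled row
-- permission returns no rows at all (default deny), which is why the
-- permission is created before activation.
ALTER TABLE sales.orders ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE sales.orders ACTIVATE COLUMN ACCESS CONTROL;

-- Check: list the permissions ('R') and masks ('C') in force on the table.
SELECT CONTROLSCHEMA, CONTROLNAME, CONTROLTYPE, ENABLE
  FROM SYSCAT.CONTROLS
 WHERE TABSCHEMA = 'SALES' AND TABNAME = 'ORDERS';

-- Revocation is explicit. Removing a user from the analysts group has the
-- same effect for that user, because nothing was granted to users directly.
REVOKE SELECT ON TABLE sales.orders FROM ROLE analyst;
```

CREATE PERMISSION, CREATE MASK and the ACTIVATE clauses require SECADM authority, which keeps the definition of these rules separate from the DBADM or table-owner roles that manage the data. These controls are enforced by the database engine, so they belong to the database-authorization model; when impersonation is enabled, the page notes that authorization is delegated to the file system layer, so do not rely on them as the only control over the underlying HDFS files.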

Audit

To detect and deter unauthorized or unacceptable behavior, you can monitor data access with the Db2 Big SQL audit facility. The audit facility generates, and lets you maintain, an audit trail for a set of predefined database events; the records that it produces are written to an audit log file. This capability is always available, regardless of any auditing provided by other components in the Hadoop stack.
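The following SQL is an added example, not code from the Db2 Big SQL documentation, of configuring the audit facility described above with audit policies. It assumes the Db2 CREATE AUDIT POLICY and AUDIT statements and the SYSCAT.AUDITUSE view are available in your Db2 Big SQL release; the policy names, the table sales.orders and the user ID dbadmin are assumptions for illustration.

```sql
-- Added example: a database-wide baseline policy, a stricter policy for a
-- sensitive table, and full coverage for a privileged ID. Names are assumed.

-- Database-wide: record changes to auditing itself (AUDIT), security
-- administration such as GRANT/REVOKE and role changes (SECMAINT), object
-- creation and deletion (OBJMAINT), and failed authorization and
-- authentication checks (CHECKING, VALIDATE with STATUS FAILURE).
-- ERROR TYPE AUDIT fails the audited operation when the audit record
-- cannot be written (fail closed); ERROR TYPE NORMAL would let it proceed.
CREATE AUDIT POLICY baseline_policy
  CATEGORIES AUDIT    STATUS BOTH,
             SECMAINT STATUS BOTH,
             OBJMAINT STATUS BOTH,
             CHECKING STATUS FAILURE,
             VALIDATE STATUS FAILURE
  ERROR TYPE AUDIT;

AUDIT DATABASE USING POLICY baseline_policy;

-- Sensitive table: additionally record every statement that touches it,
-- including parameter values (WITH DATA). Only the EXECUTE category is
-- meaningful for a table-level policy. Expect a larger log and consider
-- the sensitivity of the captured values when choosing WITH DATA.
CREATE AUDIT POLICY sensitive_table_policy
  CATEGORIES EXECUTE WITH DATA STATUS BOTH
  ERROR TYPE AUDIT;

AUDIT TABLE sales.orders USING POLICY sensitive_table_policy;

-- Privileged ID: record everything it does, successful or not, regardless
-- of which objects it touches.
CREATE AUDIT POLICY admin_policy
  CATEGORIES ALL STATUS BOTH
  ERROR TYPE AUDIT;

AUDIT USER dbadmin USING POLICY admin_policy;

-- Check: confirm which policy is attached to which object. OBJECTTYPE is
-- a blank for the database, 'T' for a table and 'i' for a user.
SELECT OBJECTTYPE, OBJECTSCHEMA, OBJECTNAME, AUDITPOLICYNAME
  FROM SYSCAT.AUDITUSE
 ORDER BY OBJECTTYPE, OBJECTNAME;

-- Move the active audit log into an archive file so that it can be
-- extracted and shipped off the host; -2 means all database partitions.
CALL SYSPROC.AUDIT_ARCHIVE(NULL, -2);
```

The AUDIT statements require SECADM authority, and a policy association takes effect for connections established after it is made. To change the policy on an object that already has one, use AUDIT ... REPLACE POLICY rather than a second USING POLICY. After archiving, SYSPROC.AUDIT_DELIM_EXTRACT (or the db2audit extract command) turns the archive into delimited files that a SIEM can ingest; keep the archive directory writable only by the instance owner, because a writable audit trail is worth little.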

When the Db2 Big SQL Ranger plug-in is enabled, you can also use the Apache Ranger audit framework, which writes audit records to Apache Solr as well as to the distributed file system.

Learn more: Enabling and disabling Ranger security support for Db2 Big SQL and Security and governance

Data protection

You can encrypt communication between Db2 Big SQL clients and the Db2 Big SQL service. Database client applications that use the IBM® Data Server Driver for JDBC and SQLJ (type 4 connections) can connect to the Db2 Big SQL server through SSL for over-the-wire encryption: the application sets the driver property sslConnection to true and points sslTrustStoreLocation at a truststore that contains the server certificate or its issuing CA, so that the client verifies the server it is talking to rather than only encrypting the session.

Learn more: Enabling SSL (Secure Socket Layer) encryption (data in motion)