Depending on your Hadoop security environment, the following sections describe implications for the platform and provide links to appropriate documentation.

End-User Authentication

Depending on use of Single Sign On, Trifacta users access the application using the following credentials.

Security Features: Single Sign On (SSO)
Implications:
  • Users access the application using the LDAP/AD principal associated with their account.
  • For more information, see Configure SSO for AD-LDAP.

Security Features: All other security scenarios
Implications:
  • Users access the application using their Trifacta userId.

End-User Authorization

The following security scenarios apply to accessing Hadoop-based data storage.

Security Scenarios for HDFS Access

Depending on the following security features implemented in your Hadoop environment, your interactions with HDFS may have different implications.

Security Features:
  • No Kerberos authentication
Implications:
  • All Trifacta users use the [hadoop.user (default=trifacta)] Hadoop user to access HDFS.
  • No security is applied.

Security Features:
  • Kerberos authentication
  • No secure impersonation
Implications:
  • All Trifacta users authenticate and then use a delegation token for all requests to HDFS.
    • If you receive an error when attempting to contact HDFS, your delegation token may have failed due to a configuration error. Please contact your Trifacta administrator.
  • All Trifacta users use the [hadoop.user] Hadoop user to access HDFS.

Security Features:
  • Kerberos authentication
  • Secure impersonation
Implications:
  • All Trifacta users authenticate with the [hadoop.user] user keytab. The [hadoop.user] user retrieves a delegation token on behalf of the user's Hadoop principal.
    • If you receive an error when attempting to contact HDFS, your delegation token may have failed due to a configuration error. Please contact your Trifacta administrator.
  • Trifacta users securely impersonate using their assigned Hadoop principal on HDFS.
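
An added example, not part of the original page or of Trifacta's code: a check that reads a cluster's core-site.xml and reports which of the three HDFS scenarios above the cluster side supports, flagging wildcard proxy-user scope for the [hadoop.user] account. The sample XML is constructed, and mapping the standard Hadoop properties hadoop.security.authentication and hadoop.proxyuser.<user>.* to the page's scenarios is an assumption; the platform's own impersonation setting is not examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml; "trifacta" is the page's default [hadoop.user].
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.proxyuser.trifacta.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.trifacta.groups</name><value>trifactausers</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return Hadoop <property> name/value pairs as a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def classify_hdfs_scenario(xml_text, hadoop_user="trifacta"):
    """Map a core-site.xml to one of the page's HDFS scenarios (assumed mapping)."""
    props = load_properties(xml_text)
    findings = []
    # Hadoop treats a missing value as "simple", i.e. no Kerberos.
    kerberos = props.get("hadoop.security.authentication", "simple").lower() == "kerberos"
    prefix = "hadoop.proxyuser.%s." % hadoop_user
    scope = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    # Hadoop only authorizes proxying with a hosts rule plus a groups or users rule.
    impersonation = "hosts" in scope and ("groups" in scope or "users" in scope)
    if not kerberos:
        scenario = "No Kerberos authentication"
        findings.append("all users reach HDFS as '%s'; no security is applied" % hadoop_user)
    elif impersonation:
        scenario = "Kerberos authentication + secure impersonation"
    else:
        scenario = "Kerberos authentication, no secure impersonation"
        findings.append("all users share the '%s' identity on HDFS" % hadoop_user)
    # A wildcard lets the service account proxy from any host or as any user.
    for key, value in sorted(scope.items()):
        if value == "*":
            findings.append("%s%s is a wildcard; restrict it" % (prefix, key))
    return scenario, findings


if __name__ == "__main__":
    print(classify_hdfs_scenario(SAMPLE_CORE_SITE))
```
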

For more technical information:

Security Scenarios for Hive Access

Depending on the following security features implemented in your Hadoop environment, your interactions with Hive may have different implications.

Security Features:
  • No additional security features
Implications:
  • All Trifacta users use the [hadoop.user] Hadoop user to access Hive.
  • No security is applied.

Security Features:
  • Kerberos authentication
  • No secure impersonation
Implications:
  • Trifacta users authenticate with the [hadoop.user] user keytab for all requests to Hive.
    • If you receive an error when attempting to contact Hive, authentication likely failed due to a configuration error. Please contact your Trifacta administrator.

Security Features:
  • Kerberos authentication
  • Secure impersonation
Implications:
  • Trifacta users authenticate with the [hadoop.user] user keytab and then send proxying requests on behalf of the user's Hadoop principal.
    • If you receive an error when attempting to contact Hive, authentication likely failed due to a configuration error. Please contact your Trifacta administrator.
  • Hive is responsible for respecting proxy permissions, with the hive user itself proxying as [hadoop.user] proxying as the user's Hadoop principal.

Security Features:
  • Kerberos authentication
  • Secure authentication
  • Sentry role-based access (Cloudera only)
  • Ranger role-based access (Hortonworks only)
Implications:
  • Trifacta users authenticate with the [hadoop.user] user keytab and then send proxying requests on behalf of the user's Hadoop principal.
    • If you receive an error when attempting to contact Hive, authentication likely failed due to a configuration error. Please contact your Trifacta administrator.
  • Hive executes access to the physical data file on HDFS as the Unix or LDAP user hive, which should be part of the group [hadoop.group (default=trifactausers)].
  • Sentry role-based access (Cloudera only)
    • Hive authorizes access with a Sentry lookaside. The [hadoop.user] user as well as the user's Hadoop principal should be configured with appropriate privileges and roles in Sentry.

Security Features:
  • Kerberos authentication
  • No secure authentication
  • Sentry role-based access (Cloudera only)
  • Ranger role-based access (Hortonworks only)
Implications:
  • Trifacta users authenticate with the [hadoop.user] user keytab.
    • If you receive an error when attempting to contact Hive, authentication likely failed due to a configuration error. Please contact your Trifacta administrator.
  • Hive executes access to the physical data file on HDFS as the Unix or LDAP user hive, which should be part of the group [hadoop.group (default=trifactausers)].

For more technical information:
