apache sentry high availability
play

Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com - PowerPoint PPT Presentation

Dec 16, 2022 •235 likes •593 views

Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com Seville, Spain, Nov 14 - 16 2016 About me Software engineers at Cloudera Apache Sentry PMC and Committer Presentation Agenda Apache Sentry Overview

  1. Apache Sentry - High Availability Hao Hao - hao.hao@cloudera.com Seville, Spain, Nov 14 - 16 2016

  2. About me ● Software engineers at Cloudera ● Apache Sentry PMC and Committer

  3. Presentation Agenda ● Apache Sentry Overview ● Introduction ● Architecture ● Apache Sentry High Availability ● Motivation: deploying flexible and robust security ● Challenges to ensure fault tolerance, high availability ● High level design ● Other Features and Future Work

  4. Sentry Overview ● Authorization Service ● Sentry provides the ability to enforce role-based access control (RBAC) to data and/or metadata for authenticated users in a fine-grained manner. ● Enterprise grade big data security. ● Provides unified policy management. ● Pluggable and highly modular. ● Works out of the box with Apache Hive, Hive metastore/HCataglog, Apache Solr, Apache Kafka, Apache Sqoop and Apache Impala.

  5. Sentry Architecture Solr Sqoop Hive Hook Hook Hook ● Server Client Model ● Thrift client APIs ● Get privileges ● Grant/Revoke role Sentry Client Plugin ● Grant/Revoke privileges ● List roles Thrift APIs Sentry Server Sentry Policy Store

  6. Sentry Architecture Hive Solr Sqoop Access Binding Layer Authorization Provider Sqoop DB Policy Solr Policy Policy Engine Engine Engine Provider Backend Policy Metadata Store Local Sentry File/HDFS Database

  7. Sentry Architecture Hive Solr Sqoop ● Binding Layer : takes the Access Binding Layer authorization requests in the native format of requestors and converts that into an authz Authorization Provider request based on the Sqoop DB Policy Solr Policy authorization data model that Policy Engine Engine can be handled by Sentry Engine authorization provider. Provider Backend Policy Metadata Store Local Sentry File/HDFS Database

  8. Sentry Architecture Hive Solr Sqoop ● Authorization provider : an Access Binding Layer abstraction for making the authorization decision for the authz request from binding Authorization Provider layer. Currently, supplies a Sqoop DB Policy Solr Policy RBAC authorization model Policy Engine Engine implementation. Engine Provider Backend Policy Metadata Store Local Sentry File/HDFS Database

  9. Sentry Architecture Hive Solr Sqoop ● Policy Engine : gets the Access Binding Layer requested privileges from the binding layer and the required privileges from the Authorization Provider provider layer. It looks at the Sqoop DB Policy Solr Policy requested and required Policy Engine Engine privileges and makes the Engine decision whether the action Provider Backend should be allowed. Policy Metadata Store Local Sentry File/HDFS Database

  10. Sentry Architecture Hive Solr Sqoop Policy Backend : making the ● Access Binding Layer authorization metadata available for the policy engine. It allows the metadata to be Authorization Provider pulled out of the underlying Sqoop DB Policy Solr Policy repository independent of the Policy Engine Engine way that metadata is stored. Engine Provider Backend Policy Metadata Store Local Sentry File/HDFS Database

  11. Sentry Architecture Hive Solr Sqoop Sentry policy store and ● Access Binding Layer Sentry Service : persist the role to privilege and group to role mappings in an RDBMS and Authorization Provider provide programmatic APIs to Sqoop DB Policy Solr Policy create, query, update and Policy Engine Engine delete it. This enables various Engine Sentry clients to retrieve and Provider Backend modify the privileges concurrently and securely. Policy Metadata Store Local Sentry File/HDFS Database

  12. HDFS Sync Feature ● Single source of truth ● User “Alice” has INSERT privileges on db1.tb1 ● ACLs for “Alice” => WRITE_EXECUTE on /user/warehouse/db1.db/tb1 ● Multiple compute frameworks can rely on same policies

  13. Sentry Architecture Solr Sqoop Hive Hook Hook Hook Sentry Client Plugin Thrift APIs Sentry Server Sentry Store

  14. Sentry Server State ● Sentry sever is stateless ● Sentry permissions are kept in Sentry policy DB: ● Roles to privilege mappings ● Groups to roles mappings

  15. Sentry Architecture with HDFS Sync Solr Sqoop Hive NameNode Hook Hook Hook Cache Hook Sentry Client Plugin Thrift APIs Hive Sentry Server Hook Cache Metastore Sentry Store

  16. Sentry Server State with HDFS Sync ● Sentry server become stateful ● In-memory cache: ● Replication/snapshot of Apache Hive metastore (HMS) data: ● <Hive Obj, HDFS path> ● HMS delta change: ● (Id, Object, requests to add or remove path)

  17. High Availability Requirement ● Deploy Apache Sentry without introducing any single points of failure ● Apache Sentry needs to work with Apache Hive metastore high availability solution ● Be able to use enable Apache Sentry in conjunction with Apache HDFS high availability as well

  18. High Availability Assumption ● Backend database supports HA and is configured to use it. ● Apache Sentry clients are permitted to cache permission data for some reasonable amount of time and use outdated permissions during this time.

  19. High Availability Goal ● Availability ● Sentry service must be available when one of the sentry servers stops working. It should also be possible to restart a Sentry daemon while the cluster is active.

  20. High Availability Goal ● Consistency: support a reasonable timeline consistency model. ● Any write operation should bring the database from one valid state to another. For example, a request to create a table followed by a request to change table permissions, followed by table scan, all within a single session, should work as expected. ● Read requests should return a consistent view of the permissions. For clients accessing the Server across multiple sessions, the goal is to provide eventual consistency.

  21. High Availability Challenges ● Ad-hoc synchronization between Apache Hive Metastore and Apache Sentry ● pitfalls related to different daemons receiving events in different orders. ● Sentry server is stateful ● pitfalls related to synchronizing in memory state between multiple active daemons

  22. High Availability Design ● Make use of notification log API introduced by Hive HA: for clients to receive changes to the Hive metastore. ● Hive notification log uses HMS database as the source of information and the notification log provides a global stream of modifications made by all Hive MetaStore (HMS) clients. ● Notifications log are identified by a unique epoch number. All notifications are stored in a SQL table.

  23. High Availability Design ● Converting Sentry to a stateless service where all the actual state is stored in the backend HA database . ● The removal of in-memory state allows for active/active High Availability configuration with preserved consistency. ● Store all state in sentry store: ● Snapshot of Sentry permissions ● Snapshot of HMS data ● Update log for HMS delta change ● Update log for Sentry permission delta change

  24. High Availability Design Hive HA SQL Active HMS Active HMS Notification Log Active Sentry Active Sentry LEADER FOLLOWER Read/Write Read/Write Sentry HA SQL

  25. High Availability Design Hive HA ● Synchronizing with HMS update SQL s . Dedicate a single node to the processing of HMS notification log. It also provide a way to associate Active HMS Active HMS Sentry permission state with specific HMS notification ID Notification Log change by referring Hive object name. Active Sentry Active Sentry LEADER FOLLOWER Read/Write Read/Write Sentry HA SQL

  26. High Availability Design Hive HA ● Leader election is performed SQL using ZooKeeper. ● The first daemon to claim the node Active HMS Active HMS becomes the leader. This is currently implemented using Notification Log Curator framework . Active Sentry Active Sentry LEADER FOLLOWER Read/Write Read/Write Sentry HA SQL

  27. High Availability Design ● Interaction with Hive Metastore. ● Initially during the transition to the new model, need to synchronize HMS point-in-time snapshot with the Sentry state. ● Assumption: Need stop any write activity on the cluster ● Read current HMS notification ID_initial ● Read HMS metadata state ● Read current notification ID_new ● If ID_initial != ID_new then discard the current state and retry.

  28. High Availability Design ● Notification logs are processed asynchronously ● Write barrier ● an RPC call for use by HMS Sentry plugin. The call wait_until(ID_n) should block until Sentry processes ID_n. This call should be used whenever HMS updates state.

  29. Sentry Releases ● Successfully graduated from the Incubator in March of 2016 and now is a Top-Level Apache project ● Sentry 1.5.1 released.

  30. Sentry Releases ● Sentry 1.6.0 released on Feb 24, 2016 ● Add capability to export/import to dump or load Sentry metadata ● Integrate Sqoop with Sentry by using generic authorization model ● About to release 1.7.0 ● Integrate Hive v2 into Sentry ● Integrate Kafka with Sentry by using generic authorization model ● Integrate Solr with Sentry by using generic authorization model

  31. Other Features ● Sentry generic authorization model ● Motivation: easy integration with Apache data engines, even third-party data applications ● Successfully integrated with Apache Solr, Kafka and Sqoop2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer, Cloudera April 07, 2014 2 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance

492 views • 30 slides
for High Availability Martin Thompson - @mjpt777 What Is High Availability ?

for High Availability Martin Thompson - @mjpt777 What Is High Availability ?

Event Sourced Architectures for High Availability Martin Thompson - @mjpt777 What Is High Availability ? Availability refers to ability of the user community to access a system not about Uptime! By High availability we

814 views • 19 slides
Chapter 4: Implementing High Availability and Redundancy in a Campus Network CCNP-RS SWITCH

Chapter 4: Implementing High Availability and Redundancy in a Campus Network CCNP-RS SWITCH

Chapter 4: Implementing High Availability and Redundancy in a Campus Network CCNP-RS SWITCH Ali Aydemir Chapter 4 Objectives Understand high availability. Implement high availability. Describe high availability monitoring

1.54k views • 118 slides
High Availability and Automatic Failover in PostgreSQL Using Open Source Solutions Avinash

High Availability and Automatic Failover in PostgreSQL Using Open Source Solutions Avinash

High Availability and Automatic Failover in PostgreSQL Using Open Source Solutions Avinash Vallarapu Percona What is High Availability ? High Availability in our routine database life is: An always-on mechanism Avoid data loss

377 views • 21 slides
Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability

Drupal High Availability High Performance Samstag, 3. November 12 Drupal High Availability High Performance How to sleep without the server-crash-fear Samstag, 3. November 12 High Availability Samstag, 3. November 12 High Availability

1.01k views • 79 slides
High Availability High Performance How to sleep without the server-crash-fear Michael Schmid

High Availability High Performance How to sleep without the server-crash-fear Michael Schmid

High Availability High Performance How to sleep without the server-crash-fear Michael Schmid michael@amazeelabs.com @schnitzel High Availability no Single Point of Failure Redundancy High Performance Response times

558 views • 44 slides
High Availability using virtualization Federico Calzolari Scuola Normale Superiore - INFN Pisa

High Availability using virtualization Federico Calzolari Scuola Normale Superiore - INFN Pisa

High Availability using virtualization Federico Calzolari Scuola Normale Superiore - INFN Pisa Aims and Requirements Aims zero cost High availability service 3RC - High Availability Project Requirements full exploitation of virtual

404 views • 29 slides
High Performance Apache SpamAssassin Michael Parker ApacheCon October 2006

High Performance Apache SpamAssassin Michael Parker ApacheCon October 2006

High Performance Apache SpamAssassin Michael Parker ApacheCon October 2006 http://people.apache.org/~parker/presentations/ Introduction What is High Performance? Running Faster Performing Better Easier Maintenance What is High

325 views • 8 slides
Virtualization and High Availability Mika Karlstedt AMICT'08 May 2008 Faculty of Science

Virtualization and High Availability Mika Karlstedt AMICT'08 May 2008 Faculty of Science

Virtualization and High Availability Mika Karlstedt AMICT'08 May 2008 Faculty of Science Content Virtualization High Availability High Availability combined with Virtualization My Research question Virtualization Software

686 views • 19 slides
Microsoft Azure and SUSE High Availability TUT1134 When Availability Matters Mark Gonnelly

Microsoft Azure and SUSE High Availability TUT1134 When Availability Matters Mark Gonnelly

Microsoft Azure and SUSE High Availability TUT1134 When Availability Matters Mark Gonnelly Stephen Mogg Senior Consultant Technical Strategist for SAP and Public Cloud About This Session What to Expect: - HA concepts - SUSE Cluster

1k views • 39 slides
Storage agnostic end to end storage information for long distance high availability Vijay Kumar

Storage agnostic end to end storage information for long distance high availability Vijay Kumar

Storage agnostic end to end storage information for long distance high availability Vijay Kumar Shankarappa Rupesh Thota IBM India Contents 1) High availability/Recovery solutions 2) Long distance availability challenges 3) Proposal

727 views • 14 slides
High Availability with the openais project Prepared by: Steven Dake 7/12/05 Agenda Service

High Availability with the openais project Prepared by: Steven Dake 7/12/05 Agenda Service

High Availability with the openais project Prepared by: Steven Dake 7/12/05 Agenda Service Availability Forum Reliability and Availability Application Interface Specification Service Availability Forum Mission The Service

256 views • 24 slides
MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability Clustering &amp; disasters Geographical Redundancy power failures network failures Clustering Technologies hardware failures software failures

593 views • 47 slides
Artifactory High Availability By Rajesh Kumar From version 3.1, Artifactory supports a High

Artifactory High Availability By Rajesh Kumar From version 3.1, Artifactory supports a High

Artifactory High Availability By Rajesh Kumar From version 3.1, Artifactory supports a High Availability network configuration with a cluster of 2 or more, active/active, read/write Artifactory servers on the same Local Area Network (LAN).

446 views • 11 slides
Contents Introduction Basic Model High Availability, Scalable Storage, Availability

Contents Introduction Basic Model High Availability, Scalable Storage, Availability

Contents Introduction Basic Model High Availability, Scalable Storage, Availability and Redundancy Dynamic Peer Networks: Pick Two Discussion High Availability, Scalable Storage, Nov. 24, 2003 Dynamic Peer Networks: Pick

545 views • 5 slides
High Availability with a minimal Cluster 29. October 2009 Thorsten Frauf Availability

High Availability with a minimal Cluster 29. October 2009 Thorsten Frauf Availability

High Availability with a minimal Cluster 29. October 2009 Thorsten Frauf Availability Engineering Sun Microsystems GmbH Open HA Cluster Agenda Motivation Open HA Cluster 2009.06 Minimal HA Configuration Weak Membership COMSTAR / iSCSI

890 views • 40 slides
TVM for Ads Ranking @ Facebook Hao Lu, Ansha Yu, Yinghai Lu, Andrew Tulloch Ads Ranking at

TVM for Ads Ranking @ Facebook Hao Lu, Ansha Yu, Yinghai Lu, Andrew Tulloch Ads Ranking at

TVM for Ads Ranking @ Facebook Hao Lu, Ansha Yu, Yinghai Lu, Andrew Tulloch Ads Ranking at Facebook . . . ad 1 ad 2 ad 3 ad n model 2 model 2 model 1 model 3 . . . model k batch 1 batch 2 predictions X 2 Ads Ranking at Facebook:

530 views • 6 slides
Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Deep 3D Representation Learning for Visual Computing Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms Conclusion 2 Outline Overview of 3D deep learning Background 3D deep learning tasks 3D deep

1.66k views • 122 slides
Overview of Linear Prediction Introduction Terms and definitions Important for more

Overview of Linear Prediction Introduction Terms and definitions Important for more

Overview of Linear Prediction Introduction Terms and definitions Important for more applications than just prediction Nonstationary case Prominent role in spectral estimation, Kalman filtering, fast algorithms, etc. Stationary

292 views • 10 slides
Reminder Teds talk Ted Selker what is a human computer input sensor? 2.15

Reminder Teds talk Ted Selker what is a human computer input sensor? 2.15

Reminder Teds talk Ted Selker what is a human computer input sensor? 2.15 pm, BU101 ttingenstrasse 67 1 LMU Mnchen Medieninformatik Andreas Butz, Julie Wagner ! Mensch-Maschine-Interaktion II WS2014/15

579 views • 30 slides
CENG3420 Lab 2-2: LC-3b Simulator Hao Geng Department of Computer Science and Engineering The

CENG3420 Lab 2-2: LC-3b Simulator Hao Geng Department of Computer Science and Engineering The

CENG3420 Lab 2-2: LC-3b Simulator Hao Geng Department of Computer Science and Engineering The Chinese University of Hong Kong hgeng@cse.cuhk.edu.hk Spring 2019 1 / 22 Overview Basis LC-3b Example: Count From 10 To 1 Tasks 2 / 22

449 views • 25 slides
CNRS

CNRS

CNRS Universit de Parissud XI

770 views • 29 slides
Scholarship Program Basic Elements A big part of what we do as a Fraternity is mentoring and

Scholarship Program Basic Elements A big part of what we do as a Fraternity is mentoring and

Scholarship Program Basic Elements A big part of what we do as a Fraternity is mentoring and offering support to college students. We now award Six $1000 scholarships (up from Four in 2018) each year, to 6 of the 10 schools listed below, each

686 views • 30 slides
Estimation equations for multivariate linear models with Kronecker structured covariance matrices

Estimation equations for multivariate linear models with Kronecker structured covariance matrices

Estimation equations for multivariate linear models with Kronecker structured covariance matrices nska- Alvarez a , Chengcheng Hao b , Szczepa Yuli Liang c , Dietrich von Rosen d , e a Department of Mathematical and Statistical Methods,

580 views • 19 slides

More recommend