Updated on 2025-08-14 GMT+08:00

MRS Security Best Practices

Security is a responsibility shared between you and Huawei Cloud. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.

MapReduce Service (MRS) provides big data clusters that tenants fully control and that are fully compatible with open-source APIs. It offers a high-performance, low-cost, flexible, and easy-to-use full-stack big data platform based on Huawei Cloud's deep expertise in cloud computing, storage, and big data. Tenant clusters are deployed in independent VPCs to achieve network isolation. The clusters support Kerberos authentication, fine-grained permission management, encryption in transit, encryption at rest, and multi-dimensional data backup.

This section provides actionable guidance for enhancing the overall security of your service data when using MRS.

MRS provides security best practices from the following aspects. You can treat them as helpful considerations when performing security configurations based on your service requirements.

Configure Proper User Permissions

Users use the MRS management console to interact with MRS clusters, including checking MRS cluster status and performing cluster management operations. When using MRS for the first time, you need to authorize the service. We recommend that you grant only the minimum set of privileges required by your service scenarios. For details, see Configuring MRS Cloud Service Authorization.

MRS uses IAM for permission management and supports fine-grained authorization. You can manage permissions based on service scenarios and apply least-privilege permissions. For details, see Creating an IAM User and Granting MRS Permissions.

Enable Kerberos Authentication (Cluster Security Mode)

The Hadoop community version has two authentication modes: Kerberos authentication (security mode) and simple authentication (normal mode). When creating a cluster, you can choose whether to enable Kerberos authentication. Once the cluster is created, the authentication mode cannot be modified.

MRS clusters in security mode use Kerberos for security authentication. Kerberos supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication and improves security.

KrbServer in clusters is used to provide Kerberos authentication. For more information, see Kerberos Authentication for MRS Clusters.

Deploy Management, Control, and Data Roles Separately to Enhance Cluster Reliability

MRS supports the custom cluster deployment mode that provides the following functions:

  • Separated deployment of the management and control roles: The management role and control role are deployed on different Master nodes.
  • Co-deployment of the management and control roles: The management and control roles are deployed on the same Master node.
  • Components are deployed separately to avoid resource contention.

We recommend that you deploy management, control, and data roles separately to improve cluster reliability. For more information, see MRS Cluster Deployment Overview.

Properly Configure Cluster Security Groups to Minimize the Attack Surface

MRS clusters are deployed in a VPC, and security groups need to be configured for the VPC. Proper security group configurations prevent cluster resources from being accessed by malicious users from external systems and reduce the attack surface. For more information, see Accessing MRS Manager.

Enable Data Encryption in Transit for Components

Data encryption in transit is enabled by default for most components in MRS clusters that are in security mode. However, for some components, such as Hadoop, Kafka, and ZooKeeper, it is not enabled by default due to performance concerns. You can enable data encryption in transit for these components based on your service requirements. For details, see MRS Cluster Security Hardening.
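The following check for the Hadoop case is an added example, not Huawei Cloud's code or part of the MRS documentation. It assumes the open-source Apache Hadoop property names hadoop.rpc.protection, dfs.encrypt.data.transfer and dfs.data.transfer.protection, which this page does not list, and runs on constructed configuration samples; the parameters MRS actually exposes are described in MRS Cluster Security Hardening.

```python
import xml.etree.ElementTree as ET

# Apache Hadoop defaults for the assumed properties (open-source names).
DEFAULTS = {
    "hadoop.rpc.protection": "authentication",
    "dfs.encrypt.data.transfer": "false",
    "dfs.data.transfer.protection": "",
}

def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def only_privacy(value):
    """True when a comma-separated SASL QOP list allows nothing weaker than privacy."""
    levels = {v.strip().lower() for v in value.split(",") if v.strip()}
    return levels == {"privacy"}

def audit(core_site_xml, hdfs_site_xml):
    """Return (property, effective value, issue) for each unencrypted channel."""
    props = {**DEFAULTS, **load_props(core_site_xml), **load_props(hdfs_site_xml)}
    findings = []
    rpc = props["hadoop.rpc.protection"]
    if not only_privacy(rpc):
        findings.append(("hadoop.rpc.protection", rpc,
                         "RPC may be negotiated without encryption"))
    # dfs.encrypt.data.transfer=true supersedes dfs.data.transfer.protection.
    block_ok = (props["dfs.encrypt.data.transfer"].lower() == "true"
                or only_privacy(props["dfs.data.transfer.protection"]))
    if not block_ok:
        findings.append(("dfs.encrypt.data.transfer", props["dfs.encrypt.data.transfer"],
                         "DataNode block transfer is not encrypted"))
    return findings

def site(props):
    """Build a constructed *-site.xml string from a dict (demo helper)."""
    rows = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{rows}</configuration>"

# Constructed samples: a mixed QOP list still permits unencrypted RPC.
WEAK = (site({"hadoop.rpc.protection": "authentication,privacy"}), site({}))
HARDENED = (site({"hadoop.rpc.protection": "privacy"}),
            site({"dfs.encrypt.data.transfer": "true"}))
```

Calling audit(*WEAK) reports both channels, while audit(*HARDENED) returns an empty list.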

Enable Data Backup and Restoration

MRS can back up and restore system and user data in clusters by component.

The system can back up FusionInsight Manager data, component metadata, and service data. You can enable data backup and restoration based on service requirements. For details, see Backing Up and Restoring MRS Cluster Data.