More Web Proxy on the site http://driver.im/

research-article

An Attribute-Based Access Control Model for Secure Big Data Processing in Hadoop Ecosystem

Authors:

Ravi SandhuAuthors Info & Claims

ABAC'18: Proceedings of the Third ACM Workshop on Attribute-Based Access Control

Pages 13 - 24

https://doi.org/10.1145/3180457.3180463

Published: 14 March 2018 Publication History

Abstract

Apache Hadoop is a predominant software framework for distributed compute and storage with capability to handle huge amounts of data, usually referred to as Big Data. This data collected from different enterprises and government agencies often includes private and sensitive information, which needs to be secured from unauthorized access. This paper proposes extensions to the current authorization capabilities offered by Hadoop core and other ecosystem projects, specifically Apache Ranger and Apache Sentry. We present a fine-grained attribute-based access control model, referred as HeABAC, catering to the security and privacy needs of multi-tenant Hadoop ecosystem. The paper reviews the current multi-layered access control model used primarily in Hadoop core (2.x), Apache Ranger (version 0.6) and Sentry (version 1.7.0), as well as a previously proposed RBAC extension (OT-RBAC). It then presents a formal attribute-based access control model for Hadoop ecosystem, including the novel concept of cross Hadoop services trust. It further highlights different trust scenarios, presents an implementation approach for HeABAC using Apache Ranger and, discusses the administration requirements of HeABAC operational model. Some comprehensive, real-world use cases are also discussed to reflect the application and enforcement of the proposed HeABAC model in Hadoop ecosystem.

References

[1]

Mohammad A Al-Kahtani and Ravi Sandhu. 2002. A model for attribute-based user-role assignment. Proc. of ACSAC. IEEE, 353--362.

Digital Library

[2]

Smriti Bhatt, Farhan Patwa, and Ravi Sandhu. 2017. ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine Proc. of ABAC Workshop. ACM, 17--28.

Digital Library

[3]

Pietro Colombo and Elena Ferrari. 2015. Complementing mongodb with advanced access control features: Concepts and research challenges Proc. of SEBD 2015.

[4]

Pietro Colombo and Elena Ferrari. 2015. Privacy aware access control for Big Data: a research roadmap. Big Data Research, Vol. 2, 4 (2015), 145--154.

Digital Library

[5]

Jason Crampton and George Loizou. 2003. Administrative scope: A foundation for role-based administrative models. ACM Transactions on Information and System Security (TISSEC), Vol. 6, 2 (2003), 201--231.

Digital Library

[6]

Devaraj Das, Owen O'Malley, Sanjay Radia, and Kan Zhang. 2011. Adding security to Apache Hadoop. Hortonworks, IBM (2011).

[7]

Philip Derbeko, Shlomi Dolev, Ehud Gudes, and Shantanu Sharma. 2016. Security and privacy aspects in MapReduce on clouds: A survey. Computer Science Review Vol. 20 (2016), 1--28.

Digital Library

[8]

David F Ferraiolo, Ravi Sandhu, Serban Gavrila, D Richard Kuhn, and Ramaswamy Chandramouli. 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), Vol. 4, 3 (2001), 224--274.

Digital Library

[9]

Maanak Gupta, Farhan Patwa, James Benson, and Ravi Sandhu. 2017. Multi-Layer Authorization Framework for a Representative Hadoop Ecosystem Deployment Proc. of the 22nd ACM on Symposium on Access Control Models and Technologies (SACMAT). ACM, New York, NY, USA, 183--190.

Digital Library

[10]

Maanak Gupta, Farhan Patwa, and Ravi Sandhu. 2017. Object-Tagged RBAC Model for the Hadoop Ecosystem. Proc. of Data and Applications Security and Privacy XXXI: DBSec 2017, Philadelphia, PA, USA, July 19--21, 2017. Springer, 63--81.

[11]

Maanak Gupta, Farhan Patwa, and Ravi Sandhu. 2017 b. POSTER: Access Control Model for the Hadoop Ecosystem Proc. of the 22Nd ACM on Symposium on Access Control Models and Technologies (SACMAT). ACM, New York, NY, USA, 125--127.

Digital Library

[12]

Maanak Gupta and Ravi Sandhu. 2016. The $mathrmGURA_G$ Administrative Model for User and Group Attribute Assignment Proc. of NSS. Springer, 318--332.

[13]

Robert Hryniewicz. 2016 a. Best Practices in HDFS Autorization with Apache Ranger. https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/. (2016).

[14]

Robert Hryniewicz. 2016 b. Best Practices in Hive Autorization with Apache Ranger. https://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger -in-hdp-2--2/. (2016).

[15]

Vincent C Hu, David Ferraiolo, Rick Kuhn, Arthur R Friedman, Alan J Lang, Margaret M Cogdell, Adam Schnitzer, Kenneth Sandlin, Robert Miller, Karen Scarfone, et almbox. 2014 a. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication Vol. 800, 162 (2014).

[16]

Vincent C Hu, Tim Grance, David F Ferraiolo, and D Rick Kuhn. 2014 b. An access control scheme for big data processing. Proc. of CollaborateCom. IEEE, 1--7.

[17]

Vincent C Hu, D Richard Kuhn, and David F Ferraiolo. 2015. Attribute-based access control. IEEE Computer 2 (2015), 85--88.

Digital Library

[18]

Xin Jin, Ram Krishnan, and Ravi Sandhu. 2012 a. A role-based administration model for attributes. Proc. of the First International Workshop on Secure and Resilient Architectures and Systems. ACM, 7--12.

Digital Library

[19]

Xin Jin, Ram Krishnan, and Ravi Sandhu. 2012 b. A unified attribute-based access control model covering DAC, MAC and RBAC Proc. of IFIP Annual Conference on Data and Applications Security and Privacy. Springer, 41--55.

Digital Library

[20]

Xin Jin, Ravi Sandhu, and Ram Krishnan. 2012 c. RABAC: role-centric attribute-based access control Proc. of MMM-ACNS. Springer, 84--96.

Digital Library

[21]

D Richard Kuhn, Edward J Coyne, and Timothy R Weil. 2010. Adding attributes to role-based access control. Computer, Vol. 43, 6 (2010), 79--81.

Digital Library

[22]

Rongxing Lu, Hui Zhu, Ximeng Liu, Joseph K Liu, and Jun Shao. 2014. Toward efficient and privacy-preserving computing in big data era. IEEE Network, Vol. 28, 4 (2014), 46--50.

[23]

David Nunez, Isaac Agudo, and Javier Lopez. 2014. Delegated Access for Hadoop Clusters in the Cloud. Proc. of CloudCom. IEEE, 374--379.

Digital Library

[24]

Owen O'Malley, Kan Zhang, Sanjay Radia, Ram Marti, and Christopher Harrell. 2009. Hadoop security design. Yahoo, Inc., Tech. Rep (2009).

[25]

Navid Pustchi, Ram Krishnan, and Ravi Sandhu. 2015. Authorization federation in IaaS multi cloud. In Proc. of the 3rd International Workshop on Security in Cloud Computing. ACM, 63--71.

Digital Library

[26]

Ravi Sandhu, Venkata Bhamidipati, and Qamar Munawer. 1999. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security (TISSEC), Vol. 2, 1 (1999), 105--135.

Digital Library

[27]

Ravi S Sandhu, Edward J Coyne, Hal L Feinstein, and Charles E Youman. 1996. Role-based access control models. IEEE Computer, Vol. 29, 2 (1996), 38--47.

Digital Library

[28]

Johannes S"anger, Christian Richthammer, Sabri Hassan, and Günther Pernul. 2014. Trust and big data: A roadmap for research. In Proc. of DEXA. IEEE, 278--282.

Digital Library

[29]

NIST Big Data Public Working Group, Security and Privacy Subgroup. 2017. DRAFT: NIST Big Data Interoperability Framework: Volume 4, Security and Privacy. NIST Special Publication Vol. 1500, 4 (2017).

[30]

Daniel Servos and Sylvia L Osborn. 2014. HGABAC: Towards a formal model of hierarchical attribute-based access control Proc. of International Symposium on Foundations and Practice of Security. Springer, 187--204.

[31]

Priya P Sharma and Chandrakant P Navdeti. 2014. Securing big data Hadoop: a review of security issues, threats and solution. IJCSIT Vol. 5 (2014).

[32]

Jordi Soria-Comas and Josep Domingo-Ferrer. 2016. Big data privacy: challenges to privacy principles and models. Data Science and Engineering Vol. 1, 1 (2016), 21--28.

[33]

Ben Spivey and Joey Echeverria. 2015. Hadoop Security. Protecting your Platform. " O'Reilly Media, Inc.".

Digital Library

[34]

Bo Tang and Ravi Sandhu. 2013. Cross-tenant trust models in cloud computing. In Proc. of 14th International Conference on Information Reuse and Integration (IRI). IEEE, 129--136.

[35]

Bo Tang and Ravi Sandhu. 2014. Extending openstack access control with domain trust Proc. of International Conference on Network and System Security. Springer, 54--69.

[36]

Bo Tang, Ravi Sandhu, and Qi Li. 2015. Multi-tenancy authorization models for collaborative cloud services. Concurrency and Computation: Practice and Experience, Vol. 27, 11 (2015), 2851--2868.

Digital Library

[37]

Omer Tene and Jules Polonetsky. 2012. Privacy in the age of big data: a time for big decisions. Stanford Law Review Online Vol. 64 (2012), 63.

[38]

Huseyin Ulusoy, Pietro Colombo, Elena Ferrari, Murat Kantarcioglu, and Erman Pattuk. 2015. GuardMR: Fine-grained security policy enforcement for MapReduce systems Proc. of ASIACCS. ACM, 285--296.

Digital Library

[39]

Huseyin Ulusoy, Murat Kantarcioglu, Erman Pattuk, and Kevin Hamlen. 2014. Vigiles: Fine-grained access control for mapreduce systems Proc. of Big Data Congress. IEEE, 40--47.

Digital Library

[40]

Lingyu Wang, Duminda Wijesekera, and Sushil Jajodia. 2004. A logic-based framework for attribute based access control Proc. of Workshop on Formal methods in security engineering. ACM, 45--55.

Digital Library

[41]

Tom White. 2012. Hadoop: The Definitive Guide. O'Reilly Media, Inc.

Digital Library

[42]

Eric Yuan and Jin Tong. 2005. Attributed based access control (ABAC) for web services Proc. of International Conference on Web Services. IEEE.

Digital Library

[43]

Wenrong Zeng, Yuhao Yang, and Bo Luo. 2013. Access control for Big Data using data content. In Proc. of International Conference on Big Data. IEEE, 45--47.

[44]

Jiaqi Zhao, Lizhe Wang, Jie Tao, Jinjun Chen, Weiye Sun, Rajiv Ranjan, Joanna Kołodziej, Achim Streit, and Dimitrios Georgakopoulos. 2014. A security framework in G-Hadoop for big data computing across distributed cloud data centres. JCSS, Vol. 80, 5 (2014), 994--1007.

Cited By

Wang NWang XLiu AWang WDing YWu XDu X(2024)An image partition security-sharing mechanism based on blockchain and chaotic encryptionPLOS ONE10.1371/journal.pone.030768619:7(e0307686)Online publication date: 29-Jul-2024
https://doi.org/10.1371/journal.pone.0307686
Wang WXue TLi SWang ZZhang BWen Y(2024)Interpretable Risk-aware Access Control for Spark: Blocking Attack Purpose Behind Actions2024 IEEE 42nd International Conference on Computer Design (ICCD)10.1109/ICCD63220.2024.00028(122-129)Online publication date: 18-Nov-2024
https://doi.org/10.1109/ICCD63220.2024.00028
Shaon FRahaman SKantarcioglu M(2023)The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics PlatformsProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627132(241-255)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627132
Show More Cited By

Index Terms

An Attribute-Based Access Control Model for Secure Big Data Processing in Hadoop Ecosystem
1. Security and privacy
  1. Formal methods and theory of security
    1. Formal security models
    2. Security requirements
  2. Security services
    1. Access control
    2. Authorization

Recommendations

POSTER: Access Control Model for the Hadoop Ecosystem
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Apache Hadoop is an important framework for fault-tolerant and distributed storage and processing of Big Data. Hadoop core platform along with other open-source tools such as Apache Hive, Storm, HBase offer an ecosystem to enable users to fully harness ...
Multi-Layer Authorization Framework for a Representative Hadoop Ecosystem Deployment
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Apache Hadoop is a predominant software framework to store and process vast amount of data, produced in varied formats. Data stored in Hadoop multi-tenant data lake often includes sensitive data such as social security numbers, intelligence sources and ...
The implementation of data storage and analytics platform for big data lake of electricity usage with spark
Abstract
Electricity data could generate a large number of records from smart meter day by day. The traditional architecture might not properly handle the increasingly dynamic data that need flexibility. For effective storing and analytics, efficient ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ABAC'18: Proceedings of the Third ACM Workshop on Attribute-Based Access Control

March 2018

75 pages

ISBN:9781450356336

DOI:10.1145/3180457

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Ram Krishnan
University of Texas at San Antonio, USA

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 March 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY '18

Sponsor:

SIGSAC

CODASPY '18: Eighth ACM Conference on Data and Application Security and Privacy

March 21, 2018

AZ, Tempe, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

48
Total Citations
View Citations
609
Total Downloads

Downloads (Last 12 months)23
Downloads (Last 6 weeks)1

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wang NWang XLiu AWang WDing YWu XDu X(2024)An image partition security-sharing mechanism based on blockchain and chaotic encryptionPLOS ONE10.1371/journal.pone.030768619:7(e0307686)Online publication date: 29-Jul-2024
https://doi.org/10.1371/journal.pone.0307686
Wang WXue TLi SWang ZZhang BWen Y(2024)Interpretable Risk-aware Access Control for Spark: Blocking Attack Purpose Behind Actions2024 IEEE 42nd International Conference on Computer Design (ICCD)10.1109/ICCD63220.2024.00028(122-129)Online publication date: 18-Nov-2024
https://doi.org/10.1109/ICCD63220.2024.00028
Shaon FRahaman SKantarcioglu M(2023)The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics PlatformsProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627132(241-255)Online publication date: 4-Dec-2023
https://dl.acm.org/doi/10.1145/3627106.3627132
Gupta ESural SVaidya JAtluri V(2023)Enabling Attribute-Based Access Control in NoSQL DatabasesIEEE Transactions on Emerging Topics in Computing10.1109/TETC.2022.319357711:1(208-223)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TETC.2022.3193577
Xue TWen YLuo BLi GLi YZhang BZheng YHu YMeng D(2023)SparkAC: Fine-Grained Access Control in Spark for Secure Data Sharing and AnalyticsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314954420:2(1104-1123)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3149544
Gupta MSandhu RMawla TBenson J(2023)Reachability Analysis for Attributes in ABAC With Group HierarchyIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314535820:1(841-858)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2022.3145358
Pandey SMaurya S(2023)Big Data Security management through Task Role Based Access Control Mechanism2023 2nd International Conference for Innovation in Technology (INOCON)10.1109/INOCON57975.2023.10101117(1-6)Online publication date: 3-Mar-2023
https://doi.org/10.1109/INOCON57975.2023.10101117
Schlegel M(2023)Trusted Implementation and Enforcement of Application Security PoliciesE-Business and Telecommunications10.1007/978-3-031-36840-0_16(362-388)Online publication date: 22-Jul-2023
https://doi.org/10.1007/978-3-031-36840-0_16
Jemihin ZTan SChung G(2022)Attribute-Based Encryption in Securing Big Data from Post-Quantum Perspective: A SurveyCryptography10.3390/cryptography60300406:3(40)Online publication date: 5-Aug-2022
https://doi.org/10.3390/cryptography6030040
Malamas VPalaiologos GKotzanikolaou PBurmester MGlynos D(2022)Janus: Hierarchical Multi-Blockchain-Based Access Control (HMBAC) for Multi-Authority and Multi-Domain EnvironmentsApplied Sciences10.3390/app1301056613:1(566)Online publication date: 31-Dec-2022
https://doi.org/10.3390/app13010566
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten