
Building Secure Cloudera Clusters

CDP Private Cloud Base, Apache Ranger, and Apache Atlas

Duration

4 Days

Level

Intermediate Level


Official Course


The Cloudera Data Platform is intended to meet the most demanding technical audit standards. The significant improvements in CDP architecture and components make CDP “Secure by Design.” This four-day hands-on course is presented as a project plan for CDP administrators to build fully secured CDP clusters.

Students begin by implementing Perimeter Security by installing host-level security and Kerberos. Next, students protect Data by implementing Transport Layer Security using Auto-TLS and data encryption using Key Management System and Key Trustee Server (KMS/KTS). In the third stage, students control access for users and to data using Apache Ranger and Apache Atlas. The fourth stage teaches students Visibility practices for auditing systems, users, and data usage. The course ends by introducing CDP practices for Risk Management in a fully secured Cloudera Data Platform. This course is 60% exercise and 40% lecture.

Topics Covered
● Architecture for secure CDP Clusters
● Implementation of directory services (LDAP and KDC)
● Deployment of Auto-TLS and Kerberos
● Theory and installation of

    • Apache Ranger
    • Apache Atlas
    • Ranger Key Management Service
    • Apache Knox Gateway

● Building Ranger Resource Policies
● Creating Atlas Classifications
● Building Ranger Tag Policies


This immersion course is intended for Linux Administrators who are taking up roles as CDP Administrators. Students must have proficiency in Linux CLI and Linux text editors. Knowledge of Directory Services, Transport Layer Security, Kerberos, and SQL select statements is helpful. Prior experience with Cloudera products is expected; experience with CDH or HDP is sufficient. Students must have access to the Internet to reach the classroom environments, which are located on Amazon Web Services.


● CDP Security Models
● CDP Security Pillars
● CDP Security Levels

● The Importance of Project Planning
● Outline of Project Plan
● Roles and Responsibilities of a CDP Administrator

● Comparing Directory Services
● Lightweight Directory Access Protocol
● FreeIPA or Active Directory

● Identity Management Architecture
● The purpose of PAM
● Cloudera Manager, CDP, and PAM

● Architecture for Network Security
● Building an Isolated Network

  • CDP Requirements for Hosts
  • Recommendations for deployment hosts

● Theory for Security Protocols (TLS and SASL)
● Tools: openssl and keytool
● Architecture for Enterprise Certificate Authorities
● Deploying TLS using Auto-TLS
● Deploying SASL

● Architecture for Kerberos
● Kerberos CLI
● Deploying Kerberos
● Managing CDP services within Kerberos

● Architecture for Apache Ranger
● Deploying Ranger
● Deploying Infra Solr
● Deploying Atlas

  • Data at Rest
  • Theory for KMS/KTS
  • Deploying KMS/KTS
  • Encrypting Data at Rest

● Architecture for Knox Gateway
● Installing Knox Gateway
● Deploying Knox Gateway SSO
● Accessing services through Knox Gateway

● Ranger Policies for Atlas
● Searching Atlas
● Classifying Data with Tags
● Creating Ranger Tag Policies
● Creating Ranger Masking Policies

● Auditing access on hosts
● Auditing users with Ranger
● Auditing lineage with Atlas

● Validating Security Level 2
● Checklist for commissioning CDP

● Regulatory Compliance
● Roadmap to Security Level 3


Participants should have:

  • Basic knowledge of Hadoop ecosystem and Cloudera components

  • Familiarity with system administration concepts (Linux commands, networking basics, etc.)

  • Prior experience with CDP, Cloudera Manager, or similar data platforms is recommended

  • Understanding of authentication and security concepts (Kerberos, TLS, LDAP) is helpful but not mandatory
