Posts Tagged ‘RBAC’

How to secure a Hadoop data lake with EMC Isilon

Kirsten Gantenbein

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division
Kirsten Gantenbein
Kirsten Gantenbein

Apache™ Hadoop®, open-source software for analyzing huge amounts of data, is a powerful tool for companies that want to analyze information for valuable insights.

Hadoop redefines how data is stored and processed. A key advantage of Hadoop is that it enables analytics on any type of data. Some organizations are beginning to build data lakes—essentially large repositories for unstructured data—on the Hadoop Distributed File System (HDFS) so they can easily store data collected from a variety of sources, and then run compute jobs on data in its original file format. There’s no need to load data into the HDFS for analysis, saving data scientists time and money. They can then survey their Hadoop data lake and discover big data intelligence to drive their business.

However, the Hadoop data lake also presents challenges for organizations that want to protect sensitive information stored in these data repositories. For example, organizations might need to follow internal enterprise security policies or external compliance regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley Act (SOX). A Hadoop data lake is difficult to secure because HDFS was neither designed nor intended to be an enterprise-class file system. It is a complex, distributed file system of many client computers with a dual purpose: data storage and computational analysis. HDFS has many nodes, each of which presents a point of access to the entire system. Layers of security can be added to a Hadoop data lake, but managing each layer adds to complexity and overhead.

Best of both worlds

The EMC® Isilon® scale-out data lake offers the best of both worlds for organizations using Hadoop: enterprise-level security and easy implementation of Hadoop for data analytics.securing a hadoop data lake

The new white paper, Security and Compliance for Scale-Out Hadoop Data Lakes, describes how Hadoop data is stored on Isilon scale-out network-attached storage (NAS), and how the OneFS® operating system helps to secure that data.

An Isilon cluster separates data from compute clients in which the Isilon cluster becomes the HDFS file system. All data is stored on an Isilon cluster and secured by using access control lists, access zones, self-encrypting drives, and other security features. OneFS implements the server-side operations of HDFS as a native protocol. Therefore, Hadoop clients access data on the cluster through HDFS and standard protocols such as SMB and NFS.

For more information about how Hadoop is implemented on an Isilon cluster, see EMC Isilon Scale-Out NAS for In-Place Hadoop Data Analytics.

Isilon security capabilities

OneFS can facilitate your efforts to comply with regulations such as HIPAA, SOC, SEC 17a-4, the Federal Information Security Management Act (FISMA), and the Payment Card Industry Data Security Standard (PCI DSS). The table below summarizes some of the challenges of securing a Hadoop data lake, and how the capabilities of an Isilon cluster can help to address these issues. For full descriptions of these capabilities, see Security and Compliance for Scale-Out Hadoop Data Lakes.

 Hadoop data lakes: security challenges and Isilon capabilities

Security challenges Isilon capabilities Description
A Hadoop data lake can contain sensitive data—intellectual property, confidential customer information, and company records. Any client connected to the data lake can access or alter this sensitive data.
  • Compliance mode and write-once, read-many (WORM) storage
  • Auditing
The SEC 17a-4 regulation requires that data is protected from malicious, accidental, or premature alteration. Isilon SmartLock™ is a OneFS feature that locks down directories through WORM storage. Use compliance mode only for scenarios where you need to comply with SEC 17a-4 regulations. In addition, auditing can help detect fraud, unauthorized access attempts, or other threats to security.
ACL policies help to ensure compliance. However, clients may be connecting to the Hadoop cluster by using different protocols, such as NFS or HTTP.
  • Authentication and cross-protocol permissions
OneFS authenticates users and groups connecting to the cluster through different protocols by using POSIX mode bits, NTFS, and ACL policies. By managing ACL policies in OneFS, you can address compliance requirements for environments that mix NFS, SMB, and HDFS.
Applying restricted access to directories and files in HDFS requires adding layers to your file system.
  • Role-based access control for system administration (RBAC)
  • Identity management
  • User mapping
  • Access zones
The PCI DSS Requirement 7.1.2 specifies that access must be restricted to privileged user IDs. RBAC, a OneFS feature, lets you manage administrative access by role, and assign privileges to a role. You can associate one user with one ID through identity management and user mapping, and then assign that ID to a role. In OneFS, access zones are a virtual security context in which OneFS connects to directory services, authenticates users, and controls access to a segment of the file system.
FISMA and HIPAA and other compliance regulations might require protection for data at rest. Encryption of data at rest Isilon self-encrypting drives are FIPS 140-2 Level 3 validated. The drives automatically apply AES-256 encryption to all data stored in the drives without requiring additional equipment. You can enable a WORM state on directories for data at rest.

To learn how to implement Hadoop on your Isilon cluster, see 7 best practices for setting up Hadoop on an EMC Isilon cluster.

Start a conversation about Isilon content

Have a question or feedback about Isilon content? Visit the online EMC Isilon Community to start a discussion. If you have questions or feedback about this blog, contact To provide documentation feedback or request new content, contact



Get your hands on EMC Isilon OneFS 7.1 at EMC World 2014

Kirsten Gantenbein

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division
Kirsten Gantenbein
Kirsten Gantenbein


EMC World 2014 is around the corner. If you plan to be in Las Vegas, Nevada on May 5-8 for this event, you have the opportunity to try out the EMC® Isilon® OneFS operating system in person.

There will be three labs hosted by EMC Isilon that are available throughout the conference, where you can test drive new features and functionality in OneFS using real data.

  • Isilon Cluster Setup, Configuration, and Management (HOL 29)
    An introductory lab that demonstrates how to create a storage cluster, join the cluster to an Active Directory domain, navigate the OneFS web administration interface, and create and manage directories or shares.
  • Isilon OneFS 7.1 Enhancements (HOL 30)
    An intermediate lab that explores the enterprise-ready enhancements built into OneFS 7.1.
  • Deploying Hadoop with EMC Isilon and VMware (HOL 28)
    An advanced lab that walks you through the process of deploying and using your first Hadoop cluster. Learn how to use VMware Big Data Extensions to deploy a small Hadoop cluster with an EMC Isilon NAS storage cluster.

Anyone can sign up for the labs and attend at any time. All labs are self-paced and Isilon representatives will be available to answer any questions you might have. For lab hours and information about how to register, visit the EMC World vPass website.

Take a test drive with OneFS 7.1

This blog has covered several of the enhancements and features included in OneFS 7.1. If you’re curious about OneFS 7.1 and want to take it for a test drive, visit the OneFS 7.1 Enhancements (HOL 30) lab. Here’s a closer look at the following features will be covered in this lab session:

  • Role based access control
  • EMC Isilon SmartDedupe™
  • EMC Isilon SyncIQ™
  • Audting

Role Based Access Control

Role based access control (RBAC) in OneFS 7.1 enables you to control configuration-level access of your Isilon cluster through roles and privileges. OneFS 7.1 comes with built-in administrator roles: SecurityAdmin, SystemAdmin, AuditAdmin, and VMwareAdmin. You can also create custom roles with assigned privileges and add users and groups to those roles.

In this lab, you will learn how to:

  • View built-in roles
  • Create a custom role
  • Add privileges to a role
  • Add a user to a role

If you are unable to attend EMC World, but would like an RBAC demonstration, watch the following video, “Technical Demo: Role Based Access Control.”

EMC Isilon SmartDedupe™

When you want to save space on your EMC Isilon cluster, use EMC Isilon SmartDedupe™ to remove, or deduplicate, redundant data. SmartDedupe deduplicates data by scanning an Isilon cluster for identical data blocks. When it finds redundant data blocks, it moves one data block to a shadow store. It then deletes the duplicate block from the original file and replaces it with a pointer to the shadow store. For more information, watch the video, “Enterprise Features of EMC Isilon OneFS 7.1: SmartDedupe.”

dedupe assessment report

Figure 1: A DedupeAssessment report. Space that can be recovered after deduplication is circled in red.

The deduplication process is performed through jobs that are managed in the same way you manage other cluster maintenance jobs. It is recommended that you run deduplication jobs when clients are not modifying data on the cluster. This maximizes the amount of space you can save. It is also recommended that you run a deduplication job every ten days.

To begin the deduplication process, first determine how much space you can save on specified directories by running a DedupeAssessment job and viewing a DedupeAssessment report (Figure 1). You can then run a Dedupe job on those directories to then remove redundant data and place it in the shadow store.

In the OneFS 7.1 Enhancements (HOL 30) lab, you will learn how to:

  1. Start a DedupeAssessment job
  2. View active jobs
  3. View the deduplication assessment report
  4. Activate the SmartDedupe license
  5. Start a Dedupe job
  6. View the deduplication report

EMC Isilon SyncIQ™

For data protection and disaster recovery, EMC Isilon SyncIQ™ replicates data from one Isilon cluster to another. In the event of disaster scenario where your original cluster goes down, you can retrieve replicated data stored on your backup cluster.


Figure 2: A new option (circled in red) for SyncIQ policies, which is available in OneFS 7.1

To replicate data using SyncIQ, first create a SyncIQ policy in OneFS. The policy specifies the source directory and backup/target cluster, and when to run the replication job. In OneFS 7.1, there is a new policy option available that enables OneFS to replicate data whenever the source directory is modified (Figure 2). This enhancement ensures that data is replicated as soon as a change occurs, independent of the replication job schedule.

In the OneFS 7.1 Enhancements (HOL 30) lab, you will learn how to:

  1. Activate a SyncIQ license
  2. Configure a SyncIQ policy
  3. Verify that the SyncIQ policy successfully synchronized between a source and target cluster


OneFS 7.1 can audit system configuration and SMB protocol access events on your Isilon cluster. To start collecting auditing information, simply enable configuration change auditing or SMB protocol access auditing in either the OneFS web administration interface or the OneFS command-line interface (Figure 3). System configuration changes and changes performed on files and folders through the SMB protocol are recorded in an auditing log. Protocol auditing logs can be exported to Varonis DatAdvantage® or other third-party vendors that support the EMC Common Event Enabler (CEE) framework. For more information, watch the video, “Enterprise Features of EMC Isilon OneFS 7.1: Auditing”.

Figure 3: How to enable auditing (circled in red) in OneFS 7.1 web administration interface.

Figure 3: How to enable auditing (circled in red) in OneFS 7.1 web administration interface.

In the OneFS 7.1 Enhancements (HOL 30) lab, you will learn how to:

  1. Enable auditing
  2. Make an access zone into an audited zone
  3. Add an audit event, which will modify the audited zone to audit different events
  4. Generate an event
  5. View and locate audit logs
  6. View event forwarding
  7. View the AuditAdmin role
  8. Open DatAdvantage and view user statistics and event details

For more information

For more details about these features, refer to OneFS 7.1 release notes, OneFS 7.1 Web Administration Guide, and the OneFS 7.1 CLI Administration Guide.

For more information about Isilon sessions and labs at EMC World, visit the EMC World 2014 vPass website to browse the EMC World Session Catalog for more information.

Role-based access control in EMC Isilon OneFS 7.1: An overview

Kirsten Gantenbein

Kirsten Gantenbein

Principal Content Strategist at EMC Isilon Storage Division
Kirsten Gantenbein
Kirsten Gantenbein

In EMC® Isilon® OneFS® 7.0 and 7.1, you can use role-based access control (RBAC) for administration tasks in place of a root or administrator account. A role is a collection of OneFS privileges that are limited to an area of administration. For example, you can create custom roles for security, auditing, storage, or backup tasks. Privileges are assigned to roles. As a user logs in to the cluster through the Platform API, the OneFS command-line interface, or the OneFS web administration interface, they’re granted privileges based on their role membership.

For information on how to create and manage roles through the OneFS command-line interface, see the OneFS 7.1 CLI Administration Guide – page 252 (requires login to the EMC Online Support site).

For an overview about RBAC in OneFS 7.1, watch the following video, “Enterprise Features in OneFS 7.1: Role Based Access Control.”

If you have questions or feedback, send an email to To provide documentation feedback or request new content, send an email to

Video Transcript

Hello, I’m Andrey Tychkin with EMC Isilon.

In this video, we’ll talk about Role Based Access Control or RBAC, a feature of OneFS 7.1.

Role Based Access Control allows us to delegate specific administration tasks to users of the OneFS cluster.

Let’s take an example.

Let’s say I’m a NAS administrator and I want my Windows team to manage SMB administration on the cluster separate from, say, my UNIX team.

I’ll start by creating a role and giving it a meaningful name, such as SMB-ADMIN.

Once the role is created, I can add some privileges to it.

Privileges are sets of allowable actions.

They can be read-only for monitoring, or they can be read-write for actual configuration changes.

For SMB administration, I’ll need an SMB setting privilege and a WEB UI log in privilege.

We can also choose from one of the four predefined roles in OneFS which already have privileges assigned to them.

They are SecurityAdmin for RBAC administration, SystemAdmin for general system administration tasks, VMwareAdmin for managing backups of virtual machines, and AuditAdmin for Auditing.

Once we have our roles and privileges set up, all we need to do is add some members to it.

Members can be any users from authentication providers such as AD, LDAP, or NIS.

In our case, it’s our friend Mike from AD who, once he’s added to this role, he’s able to administer SMB on this cluster.

Role based access control is managed from the CLI by using the isi auth roles command.

Detailed information on RBAC is available in the OneFS Administration Guide.

If you have questions or want to implement OneFS 7.1 features in your environment, please contact your account team.

Thank you for watching.