
Overview of enterprise security in Azure HDInsight

Azure HDInsight offers a number of methods to address your enterprise security needs. Most of these solutions are not activated by default. This flexibility allows you to choose the security features that are most important to you, and helps you to avoid paying for features that you don't want. It also means that it is your responsibility to make sure that the correct solutions are enabled for your setup and environment.

This article looks at security solutions by dividing them along the lines of four traditional security pillars: perimeter security, authentication, authorization, and encryption.

This article also introduces the Azure HDInsight Enterprise Security Package (ESP), which provides Active Directory-based authentication, multi-user support, and role-based access control for HDInsight clusters.

Enterprise security pillars

One way of looking at enterprise security divides security solutions into four main groups based on the type of control. These groups are also called security pillars: perimeter security, authentication, authorization, and encryption.

Perimeter security

Perimeter security in HDInsight is achieved through virtual networks. An enterprise admin can create a cluster inside a virtual network (VNET) and use network security groups (NSG) to restrict access to the virtual network. Only the IP addresses allowed by the inbound NSG rules will be able to communicate with the HDInsight cluster. This configuration provides perimeter security.

All clusters deployed in a VNET will also have a private endpoint that resolves to a private IP inside the VNET, for private HTTP access to the cluster gateways.
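Because the inbound NSG rules are what decides which addresses can reach the cluster, it is worth checking them the way the platform evaluates them (ascending priority, first match wins, built-in DenyAllInBound last). The following is an added example, not code from the page or from HDInsight: it reads rules in the field shape returned by `az network nsg rule list -o json` (the sample rules, the VNET range and the simplified meaning of the Internet tag are constructed assumptions) and reports which rule admits or denies a given source address on the gateway port.

```python
"""Azure NSG inbound-rule evaluation for an HDInsight cluster's gateway port.
Added example (not code from the page): rules use the field names that
`az network nsg rule list -o json` returns; the sample rules are constructed.
"""
import ipaddress

# Constructed sample: only the corporate range may reach the gateway (443).
SAMPLE_RULES = [
    {"name": "AllowCorpHttps", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"},
    {"name": "DenyInternetHttps", "priority": 200, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]

# Azure's built-in default inbound rules; they always sit below user rules.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def _source_matches(prefix, src, vnet):
    """CIDR, '*', or the two service tags used above (Internet is simplified
    here to 'any address outside the VNET', an assumption of this example)."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return src in vnet
    if prefix == "Internet":
        return src not in vnet
    return src in ipaddress.ip_network(prefix, strict=False)

def _port_matches(port_range, port):
    """Match '*', a single port, or a 'lo-hi' range."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, source_ip, dest_port, protocol="Tcp", vnet="10.0.0.0/16"):
    """Return (access, rule_name) of the first matching rule in ascending
    priority order, which is how the platform evaluates an inbound packet."""
    src = ipaddress.ip_address(source_ip)
    vnet_net = ipaddress.ip_network(vnet)
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r["priority"]):
        if r["protocol"] in ("*", protocol) \
                and _source_matches(r["sourceAddressPrefix"], src, vnet_net) \
                and _port_matches(r["destinationPortRange"], dest_port):
            return r["access"], r["name"]
    return "Deny", "implicit"
```

Running `evaluate_inbound(SAMPLE_RULES, "198.51.100.9", 443)` against a live export of your own NSG shows which rule is actually letting an outside address through, which is the check to make after adding a cluster to a VNET.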

Authentication

The Enterprise Security Package for HDInsight provides Active Directory-based authentication, multi-user support, and role-based access control. The Active Directory integration is achieved through Azure Active Directory Domain Services. With these capabilities, you can create an HDInsight cluster that is joined to a managed Active Directory domain. You can then configure a list of employees from the enterprise who can authenticate and sign in to the cluster.

With this setup, enterprise employees can sign in to the cluster nodes by using their domain credentials. They can also use their domain credentials to authenticate with other approved endpoints, such as Apache Ambari Views, ODBC, JDBC, PowerShell, and REST APIs, to interact with the cluster.

Authorization

A best practice that most enterprises follow is making sure that not every employee has access to all enterprise resources. Likewise, the admin can define role-based access control policies for the cluster resources. This is only available in ESP clusters.

The Hadoop admin can configure role-based access control (RBAC) to secure Apache Hive, HBase, and Kafka by using the corresponding plugins in Apache Ranger. Configuring RBAC policies allows you to associate permissions with a role in the organization. This layer of abstraction makes it easier to ensure that people have only the permissions needed to perform their work responsibilities. Ranger also allows you to audit the data access of employees and any changes made to access control policies.

For example, the admin can configure Apache Ranger to set access control policies for Hive. This functionality provides row-level and column-level filtering (data masking) and filters sensitive data from unauthorized users.

Auditing

Auditing of all access to the cluster resources and the data is necessary to track unauthorized or unintentional access to those resources. It is as important as protecting the HDInsight cluster resources from unauthorized users and securing the data.

The admin can view and report all access to the HDInsight cluster resources and data. The admin can also view and report all changes to the access control policies created in Apache Ranger-supported endpoints.

To access Apache Ranger and Ambari audit logs, as well as SSH access logs, enable Azure Monitor and view the tables that provide the auditing records.

Encryption

Protecting data is important for meeting organizational security and compliance requirements. Along with restricting access to data from unauthorized employees, you should encrypt it.

Both data stores for HDInsight clusters, Azure Blob storage and Azure Data Lake Storage Gen1/Gen2, support transparent server-side encryption of data at rest. Secure HDInsight clusters work seamlessly with this server-side encryption of data at rest.

Compliance

Azure compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. For HDInsight compliance information, see the Microsoft Trust Center and the Overview of Microsoft Azure compliance.

Shared responsibility model

The following image summarizes the major system security areas and the security solutions that are available to you in each. It also highlights which security areas are your responsibility as a customer and which areas are the responsibility of HDInsight as the service provider.

[Image: HDInsight shared responsibility diagram]

The following table provides links to resources for each type of security solution.

| Security area | Solutions available | Responsible party |
| --- | --- | --- |
| Data access security | Configure access control lists (ACLs) for Azure Data Lake Storage Gen1 and Gen2 | Customer |
| | Enable the "Secure transfer required" property on storage accounts | Customer |
| | Configure Azure Storage firewalls and virtual networks | Customer |
| | Configure Azure virtual network service endpoints for Cosmos DB and Azure SQL DB | Customer |
| | Ensure TLS encryption is enabled for data in transit | Customer |
| | Configure customer-managed keys for Azure Storage encryption | Customer |
| Application and middleware security | Integrate with AAD-DS and configure authentication | Customer |
| | Configure Apache Ranger authorization policies | Customer |
| | Use Azure Monitor logs | Customer |
| Operating system security | Create clusters with the most recent secure base image | Customer |
| | Ensure OS patching at regular intervals | Customer |
| Network security | Configure a virtual network | |
| | Configure inbound network security group (NSG) rules | Customer |
| | Configure outbound traffic restriction with a firewall | Customer |
| Virtualized infrastructure | N/A | HDInsight (cloud provider) |
| Physical infrastructure security | N/A | HDInsight (cloud provider) |

Next steps