Overview of enterprise security in Azure HDInsight

Azure HDInsight offers a number of methods to address your enterprise security needs. Most of these solutions aren't activated by default. This flexibility allows you to choose the security features that matter most to you and helps you avoid paying for features you don't want. It also means it's your responsibility to make sure the correct solutions are enabled for your setup and environment.

This article looks at security solutions by dividing them into four traditional security pillars: perimeter security, authentication, authorization, and encryption.

This article also introduces the Azure HDInsight Enterprise Security Package (ESP), which provides Active Directory-based authentication, multi-user support, and role-based access control for HDInsight clusters.

Enterprise security pillars

One way of looking at enterprise security divides security solutions into four main groups based on the type of control. These groups are also called security pillars and are the following types: perimeter security, authentication, authorization, and encryption.

Perimeter security

Perimeter security in HDInsight is achieved through virtual networks. An enterprise admin can create a cluster inside a virtual network (VNET) and use network security groups (NSG) to restrict access to the virtual network. Only source addresses allowed by the inbound NSG rules can communicate with the HDInsight cluster. This configuration provides perimeter security. The rules must still admit the traffic HDInsight itself depends on: the HDInsight health and management service reaches the cluster on port 443 (use the HDInsight service tag as the source), and the NSG default rules that allow virtual network and Azure load balancer traffic carry node-to-node traffic, so a blanket deny rule placed ahead of those defaults breaks the cluster.

All clusters deployed in a VNET also have a private endpoint, CLUSTERNAME-int.azurehdinsight.net. The endpoint resolves to a private IP inside the VNET for private HTTP access to the cluster gateways.
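As an added example (not code from the original page), the following Az PowerShell creates an NSG that admits HTTPS only from a corporate address range and from HDInsight's own management service, and binds it to the cluster subnet. The resource names, the region and the 203.0.113.0/24 range are placeholders; it assumes the Az modules are installed, you are signed in, and the VNET and subnet already exist.

```powershell
# Added example, not from the original page. Names and the address range are placeholders.
$rg         = "hdi-rg"
$location   = "eastus"
$vnetName   = "hdi-vnet"
$subnetName = "hdi-subnet"
$corpRange  = "203.0.113.0/24"   # placeholder: your office/VPN egress range

# HDInsight's health and management service must reach the gateway on 443;
# without this rule cluster creation fails or the cluster is reported unhealthy.
$mgmtRule = New-AzNetworkSecurityRuleConfig -Name "AllowHDInsightManagement" `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix "HDInsight" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 443

# Your own users: HTTPS to the gateway (Ambari, JDBC/ODBC, REST) from the corporate range only.
$corpRule = New-AzNetworkSecurityRuleConfig -Name "AllowCorpHttps" `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix $corpRange -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 443

# Deliberately no catch-all Deny below priority 65000: the default
# AllowVnetInBound and AllowAzureLoadBalancerInBound rules carry the
# node-to-node and probe traffic the cluster needs, and the default
# DenyAllInBound (65500) already drops everything else.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "hdi-nsg" -SecurityRules $mgmtRule, $corpRule

# Bind the NSG to the subnet the cluster is (or will be) deployed into.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: list the custom inbound rules in evaluation order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "hdi-nsg").SecurityRules |
    Where-Object Direction -eq "Inbound" |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Apply the NSG before creating the cluster; if you add it to an existing cluster's subnet, check cluster health in the portal afterwards, since a missing HDInsight service-tag rule is the most common reason an ESP cluster shows as unhealthy after tightening the perimeter.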

Authentication

The Enterprise Security Package for HDInsight provides Active Directory-based authentication, multi-user support, and role-based access control. The Active Directory integration is achieved through Azure Active Directory Domain Services. With these capabilities, you can create an HDInsight cluster joined to an Active Directory domain and then configure the list of employees from the enterprise who can authenticate to the cluster.

With this setup, enterprise employees can sign in to the cluster nodes by using their domain credentials. They can also use their domain credentials to authenticate with other approved endpoints, such as Apache Ambari Views, ODBC, JDBC, PowerShell, and the REST APIs, to interact with the cluster.

Authorization

A best practice most enterprises follow is making sure that not every employee has full access to all enterprise resources. Likewise, the admin can define role-based access control policies for the cluster resources. This capability is only available in ESP clusters.

The Hadoop admin can configure role-based access control (RBAC). The configurations secure Apache Hive, HBase, and Kafka with Apache Ranger plugins. Configuring RBAC policies allows you to associate permissions with a role in the organization. This layer of abstraction makes it easier to ensure people have only the permissions needed for their work responsibilities. Ranger also allows you to audit employees' data access and any changes made to access control policies.

For example, the admin can configure Apache Ranger to set access control policies for Hive. This functionality provides row-level filtering and column-level masking, so sensitive data is withheld from unauthorized users. Masking and row-filter policies take effect only after an access policy has granted the user select on the table; a user with no access policy is denied outright rather than shown masked data.
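As an added example (not code from the original page or from the Ranger project), the following PowerShell creates one column-masking policy and one row-filter policy for a Hive table through the Ranger REST API exposed on an ESP cluster. It assumes a cluster named `myesp` whose Hive service is registered in Ranger as `myesp_hive` (the usual default name), a domain account permitted to administer Ranger, an AD group `analysts`, and a Hive table `sales.customers` with columns `ssn` and `region`; all of these are placeholders. It must be run from a machine the cluster's NSG rules allow to reach the gateway.

```powershell
# Added example, not from the original page. Cluster, service, group and table names are placeholders.
$cluster    = "myesp"
$rangerBase = "https://$cluster.azurehdinsight.net/ranger"
$service    = "${cluster}_hive"          # Ranger service name for Hive on this cluster (assumed default)
$analysts   = "analysts"                 # AD group whose view of the table is restricted
$cred       = Get-Credential -Message "Ranger admin (domain) credentials"

# Ranger accepts HTTP basic auth; build the header explicitly rather than relying on a challenge.
$pair = "$($cred.UserName):$($cred.GetNetworkCredential().Password)"
$auth = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))

function Invoke-Ranger {
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $params = @{
        Uri         = "$rangerBase$Path"
        Method      = $Method
        Headers     = @{ Authorization = $auth }
        ContentType = "application/json"
    }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 10) }
    Invoke-RestMethod @params
}

# Shared resource definition for database + table.
$dbTable = @{
    database = @{ values = @("sales");     isExcludes = $false; isRecursive = $false }
    table    = @{ values = @("customers"); isExcludes = $false; isRecursive = $false }
}

# Column masking (policyType 1): analysts see only the last four characters of ssn.
$maskPolicy = @{
    service    = $service
    name       = "customers-ssn-mask"
    policyType = 1
    isEnabled  = $true
    resources  = $dbTable + @{
        column = @{ values = @("ssn"); isExcludes = $false; isRecursive = $false }
    }
    dataMaskPolicyItems = @(@{
        accesses     = @(@{ type = "select"; isAllowed = $true })
        groups       = @($analysts)
        dataMaskInfo = @{ dataMaskType = "MASK_SHOW_LAST_4" }
    })
}

# Row filter (policyType 2): analysts only see EU rows. The expression is a Hive WHERE clause.
$rowPolicy = @{
    service    = $service
    name       = "customers-eu-rows"
    policyType = 2
    isEnabled  = $true
    resources  = $dbTable
    rowFilterPolicyItems = @(@{
        accesses      = @(@{ type = "select"; isAllowed = $true })
        groups        = @($analysts)
        rowFilterInfo = @{ filterExpr = "region = 'EU'" }
    })
}

foreach ($p in @($maskPolicy, $rowPolicy)) {
    $created = Invoke-Ranger -Method Post -Path "/service/public/v2/api/policy" -Body $p
    "Created policy '$($created.name)' (id $($created.id)) on service $($created.service)"
}

# Verify: list every policy Ranger now holds for this table (0 = access, 1 = masking, 2 = row filter).
Invoke-Ranger -Method Get -Path "/service/public/v2/api/service/$service/policy" |
    Where-Object { $_.resources.table.values -contains "customers" } |
    Format-Table id, name, policyType
```

The verification listing should show an existing access policy (policyType 0) alongside the two new ones; if it does not, members of `analysts` will be denied on `sales.customers` regardless of the masking and row-filter policies. Policy creation and later edits are themselves recorded in Ranger's audit log, which is what the auditing section below relies on.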

Auditing

Auditing cluster resource access is necessary to track unauthorized or unintentional access to resources. It's as important as protecting the cluster resources from unauthorized access.

The admin can view and report all access to the HDInsight cluster resources and data, and can view and report changes to the access control policies.

Encryption

Protecting data is important for meeting organizational security and compliance requirements. Along with restricting access to data from unauthorized employees, you should encrypt it.

Azure Storage and Data Lake Storage Gen1/Gen2 support transparent server-side encryption of data at rest. Secure HDInsight clusters work seamlessly with server-side encryption of data at rest.

Compliance

Azure compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. For HDInsight compliance information, see the Microsoft Trust Center and the Overview of Microsoft Azure compliance.

Shared responsibility model

The following image summarizes the major system security areas and the security solutions that are available to you in each. It also highlights which security areas are your responsibility as a customer and which are the responsibility of HDInsight as the service provider.

[Image: HDInsight shared responsibility diagram]

The following table provides links to resources for each type of security solution.

Security area                    | Solutions available                                                                 | Responsible party
Data access security             | Configure access control lists (ACLs) for Azure Data Lake Storage Gen2              | Customer
                                 | Enable the "Secure transfer required" property on storage accounts                  | Customer
                                 | Configure Azure Storage firewalls and virtual networks                              | Customer
                                 | Configure Azure virtual network service endpoints for Cosmos DB and Azure SQL DB   | Customer
                                 | Ensure TLS encryption is enabled for data in transit                                | Customer
                                 | Configure customer-managed keys for Azure Storage encryption                        | Customer
                                 | Control access to your data by Azure support using Customer Lockbox                 | Customer
Application and middleware security | Integrate with AAD-DS and configure authentication                               | Customer
                                 | Configure Apache Ranger authorization policies                                      | Customer
Operating system security        | Create clusters with the most recent secure base image                              | Customer
                                 | Ensure OS patching at regular intervals                                             | Customer
Network security                 | Configure a virtual network                                                         | Customer
                                 | Configure inbound network security group (NSG) rules                                | Customer
                                 | Configure outbound traffic restriction with a firewall                              | Customer
Virtualized infrastructure       | N/A                                                                                 | HDInsight (cloud provider)
Physical infrastructure security | N/A                                                                                 | HDInsight (cloud provider)
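As an added example (not code from the original page), the following Az PowerShell applies the customer-owned data access controls from the table to the cluster's ADLS Gen2 account: secure transfer and TLS 1.2 enforcement, a directory ACL for an AD group, customer-managed keys, and finally the storage firewall scoped to the cluster subnet. The resource group, account, VNET, subnet, key vault, key and group object ID are placeholders. It assumes the Az modules are installed and signed in, that the cluster subnet already has the Microsoft.Storage service endpoint (otherwise the cluster nodes lose access to the account once the firewall is on), and that the key vault has soft delete and purge protection enabled, which storage customer-managed keys require.

```powershell
# Added example, not from the original page. All names and IDs are placeholders.
$rg        = "hdi-rg"
$account   = "hdistorage01"            # ADLS Gen2 (hierarchical namespace) account used by the cluster
$vaultName = "hdi-kv"
$keyName   = "hdi-storage-key"
$groupId   = "00000000-0000-0000-0000-000000000000"  # object ID of the AD group that may read the data

# 1. Transport: reject plain HTTP and anything below TLS 1.2 at the account level.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null

# 2. Directory ACL: give the group read+traverse on /data/sales and make it the default ACL so
#    new children inherit it. Start from the existing ACL so owner/group/other entries are kept.
#    (Data-plane call: run it before the firewall step below, or your own IP must be allowed.)
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem "data" -Path "sales").ACL
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $groupId `
    -Permission r-x -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $groupId `
    -Permission r-x -DefaultScope -InputObject $acl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem "data" -Path "sales" -Acl $acl | Out-Null

# 3. Encryption at rest with a customer-managed key: the account's managed identity needs
#    get/wrapKey/unwrapKey on the vault before the key can be selected.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey
$vaultUri = (Get-AzKeyVault -VaultName $vaultName).VaultUri
$key      = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $vaultUri | Out-Null

# 4. Storage firewall, last: allow the cluster subnet, then switch the default to Deny.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "hdi-vnet"
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "hdi-subnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Verify the account-level state in one view.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
[pscustomobject]@{
    HttpsOnly    = $sa.EnableHttpsTrafficOnly
    MinimumTls   = $sa.MinimumTlsVersion
    FirewallMode = $sa.NetworkRuleSet.DefaultAction
    KeySource    = $sa.Encryption.KeySource    # "Microsoft.Keyvault" once the CMK is active
}
```

The order matters: the ACL write is a data-plane call that the storage firewall would block from an address outside the allowed subnet, and the managed identity must hold key permissions before the account can be pointed at the key. The ACL gives the group only the rights needed to read, which is the same least-privilege principle the Ranger policies apply at the Hive layer.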

Next steps