Home > Design Patterns > Centralized Access Management

Centralized Access Management (Buhler, Erl, Khattak)

How can access to resources within a Big Data platform be managed efficiently and consistently?

Centralized Access Management

Problem

Separately configuring access for each resource within a Big Data platform is time-consuming, inefficient and can result in inconsistent security configuration.

Solution

Access to the Big Data platform’s resources is centrally configured and stored as policies that are consulted at runtime by the resource requested by the user.

Application

A graphical user interface (GUI) is used to add security policies that are stored in a central location and are automatically evaluated at runtime by a security component.

A security engine is used to enable security policy authoring via a graphical user interface. Generally, a set of policies are created by the system administrator for each resource. Depending on the nature of the resource, the policy contains different levels of granularity. For example, in the case of a distributed file system, the policy includes permissions at the directory level. However, in the case of a NoSQL database, the policy normally includes permissions for table and individual columns. Permissions are configured by adding user IDs or user groups and granting access as required.

Internally, a plugin exists for each resource that acts as an intermediary by handling resource access requests. The plugin consults the relevant security policy and performs authorization based on the permissions set in the policy. Some security engines may also provide access auditing features in the form of a log file.

In order to ensure longevity of the security engine in the face of Big Data platform evolution (addition of new resources), its extensibility needs to be taken into account to evaluate how easy would it be to integrate new resources. In case a plugin is not available for a particular resource, in-hose development of the plugin may be required.

Centralized Access Management: Functionality is added to the Big Data platform that enables specifying polices for different resources within the Big Data platform via a central interface. When a user accesses a resource, such as the distributed file system, the corresponding policy defined for that resource is checked, and access is granted or denied based on the permissions set in the policy.

Functionality is added to the Big Data platform that enables specifying polices for different resources within the Big Data platform via a central interface. When a user accesses a resource, such as the distributed file system, the corresponding policy defined for that resource is checked, and access is granted or denied based on the permissions set in the policy.

  1. A system administrator needs to configure security for different components in a Big Data platform.
  2. The system administrator secures each component individually through a centralized interface.
  3. The entire configuration process takes a short time to complete.