Security_collection

Introduction
  The security of your Oracle Big Data Discovery (BDD) installation is highly important. Lapses in security can leave your system, your data, and your users vulnerable to exploitation and attack. Fortunately, there are a number of ways you can keep your installation safe using BDD's own security features as well as third-party products.

Operating System-Level Security
  This section describes how to protect your BDD installation at the operating system (OS) level.
  - OS user accounts: You should limit the number of OS users on BDD nodes to minimize the risk of an unauthorized person gaining access to them.
  - File permissions: You should use OS file permissions to restrict user access to BDD files. You can control permissions with chmod, umask, or a similar utility.

Network Security
  This section describes ways you can keep your network secure.
  - Firewalls: Oracle recommends using a firewall to protect your network from external entities.
  - Reverse proxy servers: Using a reverse proxy server in front of Studio adds another layer of protection to BDD by preventing users from accessing your servers directly.
  - TLS/SSL: The TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols provide end-to-end encryption for communications between applications over a network. (Note that TLS is technically the replacement for SSL, but both are commonly referred to as SSL.)
  - Kerberos: The Kerberos network authentication protocol enables client/server applications to identify one another in a secure manner, even when communicating over an unsecured network.
  - WebLogic Server security: WebLogic Server provides a J2EE container for hosting and managing the Studio and Dgraph Gateway Java applications. Additionally, WebLogic's Admin Server is used to perform many administrative tasks for the BDD cluster.
  - Jetty security: Jetty provides an open-source javax.servlet container for hosting the BDD Transform Service, a RESTful service that enables Studio users to preview the effects of transformations on their data.

Data Set Security
  This section describes options for securing your data sets.
  - Sentry: Sentry is a Hadoop component that provides role-based authorization in a Hadoop cluster. Among other things, it can be used to restrict access to Hive data at a granular level.
  - HDFS data at rest encryption: HDFS data at rest encryption allows HDFS data to be stored in encrypted directories called encryption zones. All files within an encryption zone are transparently encrypted and decrypted on the client side, meaning decrypted data is never stored in HDFS.
  - Data set whitelists and blacklists: BDD whitelists and blacklists control which Hive tables are processed by the DP CLI. Whitelists specify tables that should be processed and blacklists specify tables that should be ignored. Only tables that have been processed are available to BDD and its users.
  - User roles: Studio users are assigned application-wide roles that determine which parts of the application they can access and the data they can view. Studio administrators can assign and modify user roles.
  - Project roles: In Studio, project roles determine which users can access project data and configuration.
  - Project types: In Studio, a project's type determines which users can access it.
  - Data set permissions: Default access to data sets in Studio is determined by how they're created.
  - Custom transform scripts and visualizations: Studio enables users to create custom visualizations and transform scripts, which require them to do some coding. In these cases, special security measures have been implemented to prevent users from accessing sensitive data.
  - Security Manager: The Security Manager is a Studio feature that filters the data that users can see in Studio. If you want to provide extra security for Studio, you can use the Component SDK to create a custom Security Manager that restricts access to specific data.

Studio User Access
  This section describes ways to control how users access Studio.
  - Managing Studio users: In situations where LDAP isn't used, Studio administrators can add, edit, and remove users.
  - User authentication: In situations where LDAP isn't used, administrators can configure user authentication with Studio's own user management tools.
  - LDAP: Studio can be integrated with an existing Lightweight Directory Access Protocol (LDAP) system. This is supported both for systems that use TLS/SSL and for those that don't.
  - SSO: You can integrate Studio with single sign-on (SSO) to enable users to log in through the SSO system.