Patents by Inventor Dilli Dorai

Dilli Dorai has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11934548
    Abstract: Methods for centralized access control for cloud relational database management system resources are performed by systems and devices. The methods utilize a central policy storage, managed externally to database servers, which stores external policies for access to internal database resources at up to fine granularity. Database servers in the processing system each receive external access policies that correspond to users of the system by push or pull operations from the central policy storage, and store the external access policies in a cache of the database servers for databases. For resource access, access conditions are determined via policy engines of database servers based on an external access policy in the cache that corresponds to a user, responsive to a resource access request from a device of the user specifying the internal resource. Data associated with the resource is provided to the user based on the access condition being met.
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: March 19, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yueren Wang, Elnata Degefa, Andreas Wolter, Steven Richard Gott, Nitish Gupta, Raghav Kaushik, Rakesh Khanduja, Shafi Ahmad, Dilli Dorai Minnal Arumugam, Pankaj Prabhakar Naik, Nikolas Christopher Ogg
  • Publication number: 20220382892
    Abstract: Methods for centralized access control for cloud relational database management system resources are performed by systems and devices. The methods utilize a central policy storage, managed externally to database servers, which stores external policies for access to internal database resources at up to fine granularity. Database servers in the processing system each receive external access policies that correspond to users of the system by push or pull operations from the central policy storage, and store the external access policies in a cache of the database servers for databases. For resource access, access conditions are determined via policy engines of database servers based on an external access policy in the cache that corresponds to a user, responsive to a resource access request from a device of the user specifying the internal resource. Data associated with the resource is provided to the user based on the access condition being met.
    Type: Application
    Filed: August 12, 2021
    Publication date: December 1, 2022
    Inventors: Yueren WANG, Elnata DEGEFA, Andreas WOLTER, Steven Richard GOTT, Nitish GUPTA, Raghav KAUSHIK, Rakesh KHANDUJA, Shafi AHMAD, Dilli Dorai Minnal ARUMUGAM, Pankaj Prabhakar NAIK, Nikolas Christopher OGG
  • Patent number: 11157641
    Abstract: A policy system enforces data security policies for requests from accessing data stored on a distributed data storage system received from a client device. The policy enforcement system can determine user credentials from the requests. The enforcement system then determines whether the user credentials allow the request to retrieve the data and if yes, whether the user credentials allow the request to retrieve the data without obligations. Upon determining that user credentials allow the request to retrieve the data without obligations, the policy enforcement system directs the client device to communicate directly with a name node of the data storage system, short-circuiting additional data retrieval and filtering of the policy system.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: October 26, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 10972506
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality of user credentials with the plurality of policies. A request is received from a compute process for data from a file system in the first compute node. The request includes user credentials. The request for data is sent to the file system, and the data is received from the file system. Based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials is selected from the plurality of policies. The policy enforcement system filters the data from the file system based on the one or more policies, and sends the filtered data to the compute process.
    Type: Grant
    Filed: January 4, 2018
    Date of Patent: April 6, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 10965714
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: March 30, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 10803190
    Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A file system enforcement point protects an HDFS from unauthorized access by authenticating a declared identity of a task submitting a request from a client. Upon receiving the request, the file system enforcement point submits a challenge to the client, requesting the task to provide credentials of the declared identity. The task submits credentials. On the client, each task has access to credentials of a true identity of the task. Accordingly, in case a task submits a claimed identity that is different from the true identity of the task, the task cannot submit correct credentials in response to the challenge. The file system enforcement point authenticates the declared identity using the submitted credentials. The file system enforcement point allows the client to access the HDFS only upon successful authentication.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: October 13, 2020
    Assignee: BlueTalon, Inc.
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar, Pratik Verma
  • Patent number: 10757088
    Abstract: Systems, computer program products and methods implementing YARN service protection are described. A reverse proxy in a cluster of computers in a distributed computing system can intercept a request to access a YARN service. The request can be associated with requester credentials. The reverse proxy determines that the request includes a REST API call. The reverse proxy determines, based on authentication configuration information, that the call needs to be authenticated. The reverse proxy authenticates the call based on the requester credentials using an authentication mechanism specified in the configuration information. Upon successful authentication of the call, the reverse proxy makes authorization checks based on specified configuration information. If the authorization checks pass, the reverse proxy forwards the request to a server that provides the YARN service in the cluster. If the authentication or authorization checks fail, the reverse proxy denies the request.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: August 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Sridhar Shanmugam Sailappan, Dilli Dorai Minnal Arumugam
  • Patent number: 10491635
    Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A policy engine enforces one or more policies to access a data item stored in the distributed file system by utilizing non-system extended attributes of the data item. The policy engine receives, from a client device, a request to access the data item. The policy engine determines a policy for accessing the data item. The policy specifies one or more conditions for accessing the data item in one or more extended attributes. The one or more extended attributes are associated with the data item in the distributed file system. The policy determines whether to grant the request to access the data item according to values of the one or more extended attributes.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: November 26, 2019
    Assignee: BlueTalon, Inc.
    Inventor: Dilli Dorai Minnal Arumugam
  • Publication number: 20190268324
    Abstract: Systems, computer program products and methods implementing YARN service protection are described. A reverse proxy in a cluster of computers in a distributed computing system can intercept a request to access a YARN service. The request can be associated with requester credentials. The reverse proxy determines that the request includes a REST API call. The reverse proxy determines, based on authentication configuration information, that the call needs to be authenticated. The reverse proxy authenticates the call based on the requester credentials using an authentication mechanism specified in the configuration information. Upon successful authentication of the call, the reverse proxy makes authorization checks based on specified configuration information. If the authorization checks pass, the reverse proxy forwards the request to a server that provides the YARN service in the cluster. If the authentication or authorization checks fail, the reverse proxy denies the request.
    Type: Application
    Filed: May 13, 2019
    Publication date: August 29, 2019
    Inventors: Sridhar Shanmugam Sailappan, Dilli Dorai Minnal Arumugam
  • Publication number: 20190253460
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
    Type: Application
    Filed: April 29, 2019
    Publication date: August 15, 2019
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 10291602
    Abstract: Systems, computer program products and methods implementing YARN service protection are described. A reverse proxy in a cluster of computers in a distributed computing system can intercept a request to access a YARN service. The request can be associated with requester credentials. The reverse proxy determines that the request includes a REST API call. The reverse proxy determines, based on authentication configuration information, that the call needs to be authenticated. The reverse proxy authenticates the call based on the requester credentials using an authentication mechanism specified in the configuration information. Upon successful authentication of the call, the reverse proxy makes authorization checks based on specified configuration information. If the authorization checks pass, the reverse proxy forwards the request to a server that provides the YARN service in the cluster. If the authentication or authorization checks fail, the reverse proxy denies the request.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: May 14, 2019
    Assignee: BlueTalon, Inc.
    Inventors: Sridhar Shanmugam Sailappan, Dilli Dorai Minnal Arumugam
  • Patent number: 10277633
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
    Type: Grant
    Filed: January 8, 2018
    Date of Patent: April 30, 2019
    Assignee: BlueTalon, Inc.
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Publication number: 20190007457
    Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A policy engine enforces one or more policies to access a data item stored in the distributed file system by utilizing non-system extended attributes of the data item. The policy engine receives, from a client device, a request to access the data item. The policy engine determines a policy for accessing the data item. The policy specifies one or more conditions for accessing the data item in one or more extended attributes. The one or more extended attributes are associated with the data item in the distributed file system. The policy determines whether to grant the request to access the data item according to values of the one or more extended attributes.
    Type: Application
    Filed: June 30, 2017
    Publication date: January 3, 2019
    Inventor: Dilli Dorai Minnal Arumugam
  • Publication number: 20180232531
    Abstract: Systems, computer program products and methods implementing access control on a distributed file system are described. A file system enforcement point protects an HDFS from unauthorized access by authenticating a declared identity of a task submitting a request from a client. Upon receiving the request, the file system enforcement point submits a challenge to the client, requesting the task to provide credentials of the declared identity. The task submits credentials. On the client, each task has access to credentials of a true identity of the task. Accordingly, in case a task submits a claimed identity that is different from the true identity of the task, the task cannot submit correct credentials in response to the challenge. The file system enforcement point authenticates the declared identity using the submitted credentials. The file system enforcement point allows the client to access the HDFS only upon successful authentication.
    Type: Application
    Filed: July 21, 2017
    Publication date: August 16, 2018
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar, Pratik Verma
  • Publication number: 20180131726
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality of user credentials with the plurality of policies. A request is received from a compute process for data from a file system in the first compute node. The request includes user credentials. The request for data is sent to the file system, and the data is received from the file system. Based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials is selected from the plurality of policies. The policy enforcement system filters the data from the file system based on the one or more policies, and sends the filtered data to the compute process.
    Type: Application
    Filed: January 4, 2018
    Publication date: May 10, 2018
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Publication number: 20180131727
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
    Type: Application
    Filed: January 8, 2018
    Publication date: May 10, 2018
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 9871825
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality of user credentials with the plurality of policies. A request is received from a compute process for data from a file system in the first compute node. The request includes user credentials. The request for data is sent to the file system, and the data is received from the file system. Based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials is selected from the plurality of policies. The policy enforcement system filters the data from the file system based on the one or more policies, and sends the filtered data to the compute process.
    Type: Grant
    Filed: December 10, 2015
    Date of Patent: January 16, 2018
    Assignee: BlueTalon, Inc.
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Patent number: 9866592
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing, by a policy enforcement system, a plurality of policies and data associating a plurality of user credentials with the plurality of policies; receiving, from a client device, a request for data from a file system, the request further comprising user credentials; forwarding the request for data to a second node that stores the data from the file system; receiving, from the node, the data from the file system; selecting from the plurality of policies, based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials; filtering, by the policy enforcement system, the data from the file system based on the one or more policies; and sending the filtered data to the client device.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: January 9, 2018
    Assignee: BlueTalon, Inc.
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Publication number: 20180004970
    Abstract: A policy system enforces data security policies for requests from accessing data stored on a distributed data storage system received from a client device. The policy enforcement system can determine user credentials from the requests. The enforcement system then determines whether the user credentials allow the request to retrieve the data and if yes, whether the user credentials allow the request to retrieve the data without obligations. Upon determining that user credentials allow the request to retrieve the data without obligations, the policy enforcement system directs the client device to communicate directly with a name node of the data storage system, short-circuiting additional data retrieval and filtering of the policy system.
    Type: Application
    Filed: July 1, 2016
    Publication date: January 4, 2018
    Applicant: BlueTalon, Inc.
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar
  • Publication number: 20170171246
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for maintaining, by a policy enforcement system in a first compute node, a plurality of policies and data associating a plurality of user credentials with the plurality of policies. A request is received from a compute process for data from a file system in the first compute node. The request includes user credentials. The request for data is sent to the file system, and the data is received from the file system. Based on the received user credentials and the data associating the plurality of user credentials with the plurality of policies, one or more policies that correspond to the received user credentials is selected from the plurality of policies. The policy enforcement system filters the data from the file system based on the one or more policies, and sends the filtered data to the compute process.
    Type: Application
    Filed: December 10, 2015
    Publication date: June 15, 2017
    Inventors: Dilli Dorai Minnal Arumugam, Prasad Mujumdar