
Oracle Data Intelligence Platform in Oracle Cloud Infrastructure (OCI) provides a set of data services that help organizations manage, process, and integrate vast amounts of data efficiently. These services, tailored for cloud environments, span data discovery, big data processing, integration, and governance.
- Data lake services: Oracle Big Data Service (BDS), OCI Data Flow (DFS), OCI Data Catalog, Oracle Intelligent Data Lake* (IDL)
- Data motion and integration services: OCI Data Integration (DIS)
* Oracle Intelligent Data Lake (IDL) is a new data lake service in the Oracle Data Intelligence Platform. For a deeper understanding, check the blog Oracle’s Unique 360-degree vision for Data Intelligence.
This article describes how to secure Oracle Big Data Service (BDS) using Zero Trust Packet Routing (ZPR). The article is part of the Securing Oracle Data Intelligence Platform Services using Zero Trust Packet Routing series and a companion article to Secure Oracle Cloud Infrastructure Data Flow using Zero Trust Packet Routing. It includes architectural diagrams, component descriptions, deployment scenarios, and links to other references.
This article uses an existing scenario, where data files stored in OCI Object Storage are loaded into Hadoop Distributed File System (HDFS), and then loaded into HIVE tables. Oracle Analytics Cloud (OAC) connects to the BDS Cluster HIVE tables, creates a dataset from the data, and uses the dataset to create data visualizations and generate insights. To understand more about the scenario, refer to the blog Connect Oracle Analytics Cloud to Oracle Big Data Service Cluster with Hive and Spark for Enhanced Data Insights.
The ZPR configuration described here uses the resources involved in the scenario, where Oracle Analytics Cloud connects to the BDS Cluster’s HIVE table, creates a dataset, and uses the dataset to create data visualization workbooks.
Prerequisites
To follow this article you need:
- An existing OCI tenancy.
- An OCI administrator with the privileges to:
- Manage resources in compartments
- Manage ZPR policies in the tenancy
- ZPR components (introduced in the post Prepare Zero Trust Packet Routing Components for Securing Oracle Data Intelligence Platform Services):
- An OCI compartment for ZPR
- OCI policies that allow you to manage resources in the OCI compartment
- ZPR namespace
- ZPR attributes
- An understanding of ZPR policy statements
- A VCN (Virtual Cloud Network).
- VNICs of the nodes of the Oracle Big Data Service high availability cluster in the private subnet of the VCN.
- Oracle Analytics Cloud (OAC) instance with a private endpoint. A private access channel (PAC) must be enabled and all endpoints must be in the same VCN as the BDS Cluster.
- A Bastion or Windows VM to access the OAC instance from the public subnet of the same VCN as the BDS Cluster and OAC instance.
- Security lists and route tables configured to allow ingress from users to OAC and egress to BDS.
- Connections in OAC that connect to the BDS Hive and Spark before ZPR is configured.
About Zero Trust Packet Routing – A Summary
The OCI Zero Trust Packet Routing documentation provides an excellent introduction and a short video.
ZPR helps prevent unauthorized access to data by decoupling network security policies from the underlying network architecture. Using an easily understood, intent-based policy language, functional security administrators can define specific access pathways for data that build upon the foundation of network firewalls, route tables, and security lists managed by network administrators.
ZPR policies require that the network administration components exist but take precedence over them. For example, security lists and route tables in a VCN (Virtual Cloud Network) secure BDS and OAC resources. ZPR policies restrict access to only the resources explicitly assigned to ZPR security attributes referenced in a ZPR policy.
ZPR is VCN-centric. Components secured with ZPR security attributes must reside in the same VCN.
This diagram shows a VCN in an OCI region that contains a BDS Cluster, OAC private endpoint, and public Windows VM.
Secured State
This diagram shows the ZPR components required to secure the Windows VM, OAC services, and the BDS Cluster.
ZPR configuration requires that you configure the following:
- ZPR IAM policies
- ZPR enablement
- ZPR compartment
- ZPR namespace
- ZPR attributes
The secured architecture includes the following components:
- ZPR attribute values
- ZPR policy statements
- ZPR resource assignments
User device: connect to the OAC instance from the Bastion or Windows VM in the public subnet of the same VCN as the BDS Cluster and OAC.
ZPR IAM Policies
Use Oracle Cloud Infrastructure Identity and Access Management (IAM) to create policies to control access to the Zero Trust Packet Routing (ZPR) service.
- Allow group OracleIdentityCloudService/ZPR_Admin to manage zpr-configuration in tenancy
- Allow group OracleIdentityCloudService/ZPR_Admin to manage security-attribute-namespace in tenancy
- Allow group OracleIdentityCloudService/ZPR_Admin to manage zpr-policy in tenancy
- Allow group OracleIdentityCloudService/ZPR_Admin to manage all-resources in compartment ZPR_BD_Comp
ZPR Enablement
ZPR is disabled by default. When you enable ZPR in your tenancy, a default Oracle-ZPR security attribute namespace is created that you can use.
ZPR Compartment
Oracle recommends separate compartments for ZPR namespaces to separate duties. For example, a Human Resources ZPR security administrator may not be a Financials ZPR security administrator.
Create a ZPR compartment for each planned ZPR functional area. For example, HR, ERP, and so on.
ZPR Namespace
ZPR namespaces are containers for ZPR security attributes. In this example, ZPR_BD_NS is the ZPR namespace.
ZPR Attributes
ZPR security attributes are labels that you can reference in ZPR policies to control access to supported resources. Attributes are used in conjunction with attribute values when creating ZPR policies. The documentation uses application, network, and database as example attributes.
- app (application)
- network
- database
ZPR Attribute Values
You reference ZPR security attribute values in ZPR policies to control access to supported resources. This post uses the following values:
- app:oac-app
- network:dsvcn-network
- database:bds-cluster
Use a Windows VM in the public subnet of the same VCN as BDS and OAC to access the private OAC instance. You must use the Windows VM private IP CIDR block to create the ZPR policy to allow access from the public Windows VM to the private OAC instance:
- 197.0.0.98/32 for the public Windows VM
ZPR Policy Statements
A ZPR policy is a rule that governs the communication between specific endpoints identified by their security attributes. Refer to Policy Syntax.
In OCI Console, navigate to Identity & Security. Under Zero Trust Packet Routing, click Policies → Create Policy.
- in ZPR_BD_NS.network:dsvcn-network VCN allow ZPR_BD_NS.app:oac-app endpoints to connect to ZPR_BD_NS.database:bds-cluster endpoints
- in ZPR_BD_NS.network:dsvcn-network VCN allow '197.0.0.98/32' to connect to ZPR_BD_NS.app:oac-app endpoints
ZPR Resource Assignments
Listing Protected Resources
app:oac-app
Get the details of the private OAC instance. To list the OAC in ZPR Protected Resources, use the VNIC of the OAC Instance.
In this article, the goal is to protect access from OAC (or DBeaver or any other client tool) to the Oracle BDS Cluster.
This article doesn’t describe how to protect OAC using ZPR. This is described in the article, Secure Oracle Analytics Cloud using Zero Trust Packet Routing.
network:dsvcn-network
Get the details of the VCN where the BDS cluster, private OAC instance, and the public Windows VM exist.
In OCI Console, navigate to Networking → Virtual Cloud Networks, select the compartment, select the VCN, and get the OCID of the VCN.
The VCN name in this example is: dsvcn
database:bds-cluster
In OCI Console, get the details of the BDS Cluster and its nodes that are involved in this scenario for the ZPR security configuration. Get the OCID values of the Node and the VNIC.
- HIVE Server is running on the First Utility Node of the BDS Cluster.
- The BDS Cluster is a highly available, secure cluster:
- For Kerberos authentication, the KDC server runs on the first (mn0) and second (mn1) master nodes. Get the OCID values of each node and its VNIC.
Get the OCID of the node, for example ocid1.instance.oc1.phx.anyhql********************************************d2keka, and prefix the value with customer_vnic_; the result is the VNIC OCID.
Add Resources to ZPR
In OCI Console, navigate to Identity & Security. Under Zero Trust Packet Routing, click Protected Resources, select the compartment where the BDS Cluster exists, select the ZPR Security attribute namespace, click Add security attribute to resources.
Search and select the VNIC of the BDS Cluster un0 node.
Click Next.
Click Next, and then click Submit after a review.
Also, add the VNICs of the BDS Cluster mn0 and mn1 nodes to the database security attribute with the same value, bds-cluster.
VCN
Select the resource you need, click Next, then Add security attributes to the resources.
Click Next, and then click Submit after a review.
VNIC of the OAC instance:
Select the resource you need, click Next and then click Add security attributes to the resources.
Click Next, and then click Submit after a review.
Currently, ZPR security attributes support only a few resource types, such as Compute, Database, Networking, and Network Load Balancer.
In the next step, you use the VNIC of the private endpoint of OCI Object Storage, add Object Storage as a ZPR protected resource, and test the ZPR security.
Validate OAC access from the public Windows server, which is in the same dsvcn VCN.
Validate access to the BDS Cluster using the HIVE connection type. Either create a new connection or use the existing connection to create a dataset from the data.
The OAC instance can't connect to the BDS Cluster using the HIVE connection if we add only the BDS Cluster's un0 node VNIC to the database:bds-cluster security attribute and leave out the mn0 and mn1 node VNICs. This is because the connection uses Kerberos authentication, and it can't reach the KDC admin server on the mn0 and mn1 BDS Cluster nodes.
This proves that the Oracle BDS Cluster is protected by Zero Trust Packet Routing (ZPR).
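The following Python script is an added example, not code from the article or from Oracle. It models the two ZPR policy statements above and the validation result just described: it parses the endpoint-to-endpoint and CIDR-to-endpoint statement shapes, then applies the rule of thumb that once an endpoint carries a security attribute, only traffic a ZPR policy explicitly allows may reach or leave it. With only un0 carrying database:bds-cluster, the Kerberised HIVE connection from OAC fails because the KDC on mn0/mn1 is unreachable; assigning the master nodes makes it succeed. The private IP addresses other than 197.0.0.98, the endpoint names, and the evaluation order are constructed assumptions of this model, not OCI's evaluation engine.

```python
"""Constructed model of ZPR policy evaluation for the BDS/OAC scenario.

Not Oracle's implementation: it captures the documented rule of thumb that
an endpoint with a security attribute only accepts or initiates traffic a
ZPR policy explicitly allows. All IPs except the Windows VM are placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

NAMESPACE = "ZPR_BD_NS"  # namespace used in the article

# The two statement shapes used in the article:
#   in NS.network:VAL VCN allow NS.ATTR:VAL endpoints to connect to NS.ATTR:VAL endpoints
#   in NS.network:VAL VCN allow 'CIDR' to connect to NS.ATTR:VAL endpoints
_STMT = re.compile(
    r"^in (?P<ns>\w+)\.network:(?P<vcn>[\w.-]+) VCN allow "
    r"(?:'(?P<cidr>[\d.]+/\d+)'|(?P<sns>\w+)\.(?P<sattr>\w+):(?P<sval>[\w.-]+) endpoints) "
    r"to connect to (?P<dns>\w+)\.(?P<dattr>\w+):(?P<dval>[\w.-]+) endpoints$"
)


@dataclass(frozen=True)
class Rule:
    vcn: str                                   # value of the network attribute on the VCN
    src_cidr: Optional[ipaddress.IPv4Network]  # set for CIDR-sourced statements
    src_attr: Optional[tuple]                  # (attribute, value) for endpoint-sourced statements
    dst_attr: tuple                            # (attribute, value) the destination must carry


def parse_statement(text: str) -> Rule:
    """Parse one ZPR policy statement into a Rule, rejecting unknown namespaces."""
    m = _STMT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZPR statement: {text!r}")
    for key in ("ns", "sns", "dns"):
        if m.group(key) not in (None, NAMESPACE):
            raise ValueError(f"namespace {m.group(key)} is not {NAMESPACE}")
    src_cidr = ipaddress.ip_network(m.group("cidr")) if m.group("cidr") else None
    src_attr = (m.group("sattr"), m.group("sval")) if m.group("sattr") else None
    return Rule(m.group("vcn"), src_cidr, src_attr, (m.group("dattr"), m.group("dval")))


@dataclass
class Endpoint:
    name: str
    vcn: str            # network attribute value of the VCN the VNIC lives in
    ip: str
    attrs: set = field(default_factory=set)  # security attributes assigned to the VNIC


def connection_allowed(src: Endpoint, dst: Endpoint, rules: list) -> bool:
    """True if src may open a connection to dst under the given rules (model assumption)."""
    if not src.attrs and not dst.attrs:
        return True   # ZPR does not apply; security lists and route tables decide
    if src.vcn != dst.vcn:
        return False  # ZPR is VCN-centric
    src_ip = ipaddress.ip_address(src.ip)
    for r in rules:
        if r.vcn != src.vcn or r.dst_attr not in dst.attrs:
            continue
        if r.src_cidr is not None and src_ip in r.src_cidr:
            return True
        if r.src_attr is not None and r.src_attr in src.attrs:
            return True
    return False      # attributed endpoint involved and no statement allows it


POLICIES = [
    f"in {NAMESPACE}.network:dsvcn-network VCN allow {NAMESPACE}.app:oac-app endpoints "
    f"to connect to {NAMESPACE}.database:bds-cluster endpoints",
    f"in {NAMESPACE}.network:dsvcn-network VCN allow '197.0.0.98/32' "
    f"to connect to {NAMESPACE}.app:oac-app endpoints",
]


def build_scenario(assign_master_nodes: bool) -> dict:
    """Endpoints from the article; master-node assignment is the toggle under test."""
    vcn = "dsvcn-network"
    eps = {
        "windows_vm": Endpoint("windows_vm", vcn, "197.0.0.98"),
        "oac": Endpoint("oac", vcn, "10.0.1.10", {("app", "oac-app")}),       # constructed IP
        "un0": Endpoint("un0", vcn, "10.0.2.20", {("database", "bds-cluster")}),  # HiveServer
        "mn0": Endpoint("mn0", vcn, "10.0.2.30"),                                # KDC
        "mn1": Endpoint("mn1", vcn, "10.0.2.31"),                                # KDC
    }
    if assign_master_nodes:
        eps["mn0"].attrs.add(("database", "bds-cluster"))
        eps["mn1"].attrs.add(("database", "bds-cluster"))
    return eps


def hive_connection_works(eps: dict, rules: list) -> bool:
    """Kerberised HIVE needs HiveServer on un0 and at least one reachable KDC (mn0 or mn1)."""
    oac = eps["oac"]
    hive = connection_allowed(oac, eps["un0"], rules)
    kdc = any(connection_allowed(oac, eps[n], rules) for n in ("mn0", "mn1"))
    return hive and kdc


if __name__ == "__main__":
    rules = [parse_statement(s) for s in POLICIES]
    for assigned in (False, True):
        print(f"master nodes assigned={assigned}: HIVE works={hive_connection_works(build_scenario(assigned), rules)}")
```

The model treats the VCN's network attribute value as the scope of each statement, mirroring the "in ... VCN" clause, and checks the CIDR source against the endpoint's private IP, which is why the Windows VM reaches OAC but not the BDS nodes.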
Read more about ZPR:
Zero Trust Packet Routing IAM Policies
Enabling Zero Trust Packet Routing
Managing Security Attribute Namespaces
Managing Security Attributes
ZPR policy basics
Managing Zero Trust Packet Routing Policies
ZPR Policy Syntax
ZPR Protected Resources
Read more about securing services on Oracle Intelligence Data Platform with ZPR:
Series Overview for Securing Oracle Data Intelligence Platform Services with Zero Trust Packet Routing
Prepare Zero Trust Packet Routing Components for Securing Oracle Data Intelligence Platform Services
Secure Oracle Cloud Infrastructure Data Flow using Zero Trust Packet Routing
