By default, when you provision an HDInsight cluster, you are required to create a local admin user and a local SSH user that have full access to the cluster. The local admin user can access all the files, folders, tables, columns, etc. With a single local user, there is no need for role-based access control. However, as enterprise customers move to the cloud, they must meet strict security requirements in terms of authentication, authorization, auditing, and governance. This is especially important with larger or multiple teams that share the same cluster. Admins don’t want to create individual clusters for individual users. When we talked to customers, we received three main requests as part of enabling cluster access to multiple users:
As a data scientist, I want to use my Active Directory domain credentials to run queries on the cluster.
As a cluster admin, I want to configure role-based access control to restrict access to data only as needed.
As a cluster admin, I want to view audit logs, in terms of who accessed what data, and whether access succeeded or failed.
Today, we are excited to announce that these features are available as part of the add-on (optional) Enterprise Security Package. As part of provisioning the HDInsight cluster, you can optionally select the Enterprise Security Package.