Data Security Construction in Berserker Platform
The article outlines Berserker's data-security framework, built on the CIA triad and the 5A methodology, which unifies authentication, authorization, access control, asset protection, and auditing across Hive, Kafka, ClickHouse and ETL tasks. It describes the migration from version 1.0 to 2.0 with a redesigned permission system, workspaces, and Casbin performance tweaks, and previews future fine-grained, lifecycle-wide security enhancements.
This article introduces the data security construction in Berserker, Bilibili's one-stop data development and governance platform. Berserker is built on common big data ecosystem components and supports various business scenarios including data query, analysis, reporting, integration, development, real-time computing, and governance.
The article focuses on Berserker's data security construction, which provides unified data security management for internal assets like Hive, Kafka, ClickHouse, and ETL tasks, and offers unified functional security control for various data products within the data platform department.
The data security construction follows the CIA triad (Confidentiality, Integrity, Availability) and implements the 5A methodology (Authentication, Authorization, Access Control, Asset Protection, Auditable). The architecture covers identity authentication through the company's unified authentication and Kerberos, authorization through data security services, access control via Ranger and the data security services, asset protection through measures such as download restrictions and data desensitization, and auditing through operation logs and HDFS metadata analysis.
The article details the evolution from version 1.0 to 2.0, highlighting major changes including a redesigned permission management system and the introduction of workspaces. It discusses the challenges faced during the upgrade, particularly around permission changes and migration. The new permission system simplifies account management, standardizes resource models, and enriches permission types while separating functional permissions from data permissions.
Key issues addressed include Hive table permission migration using HDFS metadata analysis, the introduction of workspaces to better support flexible business needs, and Casbin optimization for performance improvements in permission management. The article also outlines future directions for data security development, focusing on lifecycle coverage, fine-grained permission management, sensitive data protection, and risk assessment.
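To make the permission model described above concrete, here is an added example (not code from the article or from Berserker) of a workspace-scoped, Casbin-style RBAC check in which functional permissions (platform features) and data permissions (Hive, Kafka, ClickHouse objects) are kept as separate resource kinds. The policy layout follows Casbin's RBAC-with-domains convention, with the workspace acting as the domain; the user, role, workspace and table names are constructed, and the per-workspace index used to avoid a linear scan over all policy rules is this example's own illustration of the kind of lookup optimization the article mentions, not Berserker's actual change.

```python
"""Workspace-scoped permission check, modelled on Casbin's RBAC-with-domains layout.

Policy line formats (Casbin CSV convention):
    p, role, workspace, resource, action      # permission granted to a role in a workspace
    g, user, role, workspace                  # user holds a role in a workspace
Resources are prefixed with their kind: "func:" for functional permissions (platform
features) and a data-source prefix such as "hive:" or "kafka:" for data permissions.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed sample policy; all names are made up for this example.
POLICY_CSV = """
p, data_engineer, ws_ads, hive:ads.dim_user, select
p, data_engineer, ws_ads, hive:ads.dim_user, insert
p, data_engineer, ws_ads, func:etl_task, create
p, analyst, ws_ads, hive:ads.dim_user, select
p, analyst, ws_ads, func:query_console, use
p, analyst, ws_live, hive:live.fact_gift, select
g, alice, data_engineer, ws_ads
g, bob, analyst, ws_ads
g, bob, analyst, ws_live
"""

DATA_PREFIXES = ("hive:", "kafka:", "clickhouse:")
FUNC_PREFIX = "func:"


class WorkspaceEnforcer:
    """Evaluates (user, workspace, resource, action) requests against an indexed policy."""

    def __init__(self, csv_text: str) -> None:
        # Index policies by workspace first, so a request only touches the rules
        # of its own workspace instead of scanning every rule (assumed optimization).
        self._perms: Dict[str, Dict[str, Set[Tuple[str, str]]]] = defaultdict(lambda: defaultdict(set))
        self._roles: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        for line in csv_text.strip().splitlines():
            fields = [f.strip() for f in line.split(",")]
            if fields[0] == "p" and len(fields) == 5:
                _, role, workspace, resource, action = fields
                self._perms[workspace][role].add((resource, action))
            elif fields[0] == "g" and len(fields) == 4:
                _, user, role, workspace = fields
                self._roles[workspace][user].add(role)
            else:
                raise ValueError(f"malformed policy line: {line!r}")

    def enforce(self, user: str, workspace: str, resource: str, action: str) -> bool:
        """True if any role the user holds *in this workspace* grants the action."""
        roles = self._roles.get(workspace, {}).get(user, set())
        ws_perms = self._perms.get(workspace, {})
        return any((resource, action) in ws_perms.get(role, set()) for role in roles)

    def permissions(self, user: str, workspace: str, kind: str) -> Set[Tuple[str, str]]:
        """Effective permissions of one kind ("func" or "data") for a user in a workspace."""
        roles = self._roles.get(workspace, {}).get(user, set())
        ws_perms = self._perms.get(workspace, {})
        granted = set().union(*(ws_perms.get(role, set()) for role in roles)) if roles else set()
        if kind == "func":
            return {p for p in granted if p[0].startswith(FUNC_PREFIX)}
        if kind == "data":
            return {p for p in granted if p[0].startswith(DATA_PREFIXES)}
        raise ValueError(f"unknown permission kind: {kind!r}")


ENFORCER = WorkspaceEnforcer(POLICY_CSV)


def can(user: str, workspace: str, resource: str, action: str) -> bool:
    return ENFORCER.enforce(user, workspace, resource, action)


def data_permissions(user: str, workspace: str) -> Set[Tuple[str, str]]:
    return ENFORCER.permissions(user, workspace, "data")


def functional_permissions(user: str, workspace: str) -> Set[Tuple[str, str]]:
    return ENFORCER.permissions(user, workspace, "func")


if __name__ == "__main__":
    # bob is an analyst in two workspaces, but his grants do not leak across them.
    print(can("bob", "ws_live", "hive:live.fact_gift", "select"))   # True
    print(can("bob", "ws_ads", "hive:live.fact_gift", "select"))    # False
    print(sorted(functional_permissions("bob", "ws_ads")))
```

The point of scoping roles to a workspace is visible in the `bob` case: the same role name in two workspaces carries different grants, so a data permission granted in `ws_live` cannot be exercised from `ws_ads`. Splitting resources into `func:` and data prefixes lets an audit list what a user can do in the platform separately from what data they can read or write.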
Bilibili Tech
Provides introductions and tutorials on Bilibili-related technologies.