01-18-2017 10:46 AM
Cloudera takes cluster security very seriously, and provides guidelines for securing CDH environments:
Security measures become especially important when clusters are exposed to the internet. For example, hackers using network scanning tools are actively looking for WebHDFS ports on clusters, and when they find an open port, they can wreak havoc on the cluster (delete data, steal data, corrupt data).
There are many other services and access considerations that should be protected as well.
It’s imperative that you design clusters in a secure fashion which will not leave the services interfaces exposed to the Internet this way. It’s our strong recommendation that you secure your cluster with kerberos, TLS, proper firewall or proxy access, and use the guidance from our security guide to protect your deployment.
All unsecured clusters exposed to the internet
Cluster data may be copied, downloaded and deleted. Cluster altered or permanently disabled
For perimeter security consider a quick test to be a check of: "Can I access this cluster from a public network with no vpn or other security in place?" If so, check with your network administration team or in the Cloudera community discussion forums as a resource to this evaluation and setup of proper security.
Securing a cluster requires the following
Cloudera provides an overview on securing a cluster properly for the Cloudera 5.x platform in a Vision blog post. It is provided here for reference:
To check if your existing cluster has authentication security enabled: Navigate within Cloudera Manager from the home page to the Administration menu. Click the "Security" sub menu. A table of the clusters being managed is presented, and the statement "Successfully enabled Kerberos" will be next to the cluster name. The following link discusses the concepts and steps to completing this setup properly:
If you are using CDH without Cloudera Manager, both the hadoop.security.authentication parameter needs to not be set to “kerberos”, and the hadoop.security.authorization parameter needs to be set to “true” in core-site.xml to indicate that security is enabled:
To verify if TLS is enabled for Cloudera Manager and Navigator, navigate from the Cloudera Manager home page to the Administration Menu -> Settings, and search for TLS in the configuration settings search field:
To verify if TLS is enabled for CDH components managed by Cloudera Manager, search for “tls enabled” in each of the services:
To verify if TLS is enabled for CDH components not managed by Cloudera Manager, look for the setting “hadoop.ssl.enabled” within the configuration files.
For CDH and hadoop community users the following Apache reference documentation can be consulted for considerations on securing webHDFS.
Here is a copy of the Apache release documentation in our mirror for current platform:
If your cluster has been compromised, data has been deleted, or you would like to engage with a Cloudera security professional services team member, please reach out to your account manager or contact us at email@example.com.
01-20-2017 12:42 PM
We have just published a new Engineering blog post How to secure ‘Internet exposed’ Apache Hadoop that may be of interest as well.