Product Announcements

Find the latest product announcements and version updates
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

[Advisory] Unsecured clusters exposed to the internet may be vulnerable to attacks

avatar
Community Manager

Cloudera takes cluster security very seriously, and provides guidelines for securing CDH environments:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/sg_edh_overview.html

 

Security measures become especially important when clusters are exposed to the internet. For example, hackers using network scanning tools are actively looking for WebHDFS ports on clusters, and when they find an open port, they can wreak havoc on the cluster (delete data, steal data, corrupt data).

 

There are many other services and access considerations that should be protected as well.

 

It’s imperative that you design clusters in a secure fashion which will not leave the services interfaces exposed to the Internet this way. It’s our strong recommendation that you secure your cluster with kerberos, TLS, proper firewall or proxy access, and use the guidance from our security guide to protect your deployment.

 

Users affected:

All unsecured clusters exposed to the internet

 

Impact:

Cluster data may be copied, downloaded and deleted. Cluster altered or permanently disabled

 

Action required:

 

For perimeter security consider a quick test to be a check of: "Can I access this cluster from a public network with no vpn or other security in place?" If so, check with your network administration team or in the Cloudera community discussion forums as a resource to this evaluation and setup of proper security.

 

Securing a cluster requires the following

 

Cloudera provides an overview on securing a cluster properly for the Cloudera 5.x platform in a Vision blog post. It is provided here for reference:

 

https://vision.cloudera.com/production-ready-hadoop-an-overview-of-security-in-cloudera-5/

 

To check if your existing cluster has authentication security enabled: Navigate within Cloudera Manager from the home page to the Administration menu. Click the "Security" sub menu. A table of the clusters being managed is presented, and the statement "Successfully enabled Kerberos" will be next to the cluster name. The following link discusses the concepts and steps to completing this setup properly:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_authentication.html

 

If you are using CDH without Cloudera Manager, both the hadoop.security.authentication parameter needs to not be set to “kerberos”, and the hadoop.security.authorization parameter needs to be set to “true” in core-site.xml to indicate that security is enabled:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_hadoop_security_enable.html

 

To verify if TLS is enabled for Cloudera Manager and Navigator, navigate from the Cloudera Manager home page to the Administration Menu -> Settings, and search for TLS in the configuration settings search field:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/how_to_configure_cm_tls.html

 

To verify if TLS is enabled for CDH components managed by Cloudera Manager, search for “tls enabled” in each of the services:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_hadoop_ssl_cm.html

 

To verify if TLS is enabled for CDH components not managed by Cloudera Manager, look for the setting “hadoop.ssl.enabled” within the configuration files.

 

For CDH and hadoop community users the following Apache reference documentation can be consulted for considerations on securing webHDFS.

 

https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Authentication

 

Here is a copy of the Apache release documentation in our mirror for current platform:

 

https://archive.cloudera.com/cdh5/cdh/5/hadoop/hadoop-project-dist/hadoop-hdfs/WebHDFS.html?_ga=1.20...

 

If your cluster has been compromised, data has been deleted, or you would like to engage with a Cloudera security professional services team member, please reach out to your account manager or contact us at sales@cloudera.com.

1 REPLY 1

avatar
Community Manager

We have just published a new Engineering blog post How to secure ‘Internet exposed’ Apache Hadoop that may be of interest as well.