Community Articles

ISSUE:

While configuring NFS mounts to access HDFS as a part of local FS, we do tend to control the access using nfs proxies as shown below,

<property>
  <name>hadoop.proxyuser.nfsserver.groups</name>
  <value>nfs-users1,nfs-users2</value>
  <description>
    The 'nfsserver' user is allowed to proxy all members of the
    'nfs-users1' and 'nfs-users2' groups. Set this to '*' to allow
    nfsserver user to proxy any group.
  </description>
</property>

<property>
  <name>hadoop.proxyuser.nfsserver.hosts</name>
  <value>nfs-client-host1.com</value>
  <description>
    This is the host where the nfs gateway is running. Set this to
    '*' to allow requests from any hosts to be proxied.
  </description>
</property>

However, a user who has access to NFS server would be able to access (view) the HDFS file system even if they are not part of "hadoop.proxyuser.nfsserver.groups" and "hadoop.proxyuser.nfsserver.hosts" . This may be a security flaw in certain scenarios,

ROOT CAUSE:

This is due to a property, "nfs.exports.allowed.hosts" which is used to allow the access to the HDFS from the hosts.

RESOLUTION:

Make sure the desired hosts and permissions are assigned to HDFS.

Permissions for the property can be defined as below,

<property>
  <name>nfs.exports.allowed.hosts</name>
  <value>* rw</value>
</property>

NOTE: NFS gateway restart may be needed if the property is altered

Links: https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html#Allow_moun...