Cloudera Employee

ISSUE:

When configuring NFS mounts to expose HDFS as part of the local file system, access is typically controlled with the NFS gateway proxy-user settings, as shown below:

<property>
  <name>hadoop.proxyuser.nfsserver.groups</name>
  <value>nfs-users1,nfs-users2</value>
  <description>
    The 'nfsserver' user is allowed to proxy all members of the
    'nfs-users1' and 'nfs-users2' groups. Set this to '*' to allow
    nfsserver user to proxy any group.
  </description>
</property>

<property>
  <name>hadoop.proxyuser.nfsserver.hosts</name>
  <value>nfs-client-host1.com</value>
  <description>
    This is the host where the nfs gateway is running. Set this to
    '*' to allow requests from any hosts to be proxied.
  </description>
</property>

However, a user who has access to the NFS server can still access (view) the HDFS file system even if they are not covered by "hadoop.proxyuser.nfsserver.groups" and "hadoop.proxyuser.nfsserver.hosts". This may be a security flaw in certain scenarios.

ROOT CAUSE:

This is due to the property "nfs.exports.allowed.hosts", which controls which hosts are allowed to access HDFS through the NFS gateway.

RESOLUTION:

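Make sure only the desired hosts, with the desired permissions, are allowed access to HDFS.

Hosts and permissions are defined through the property as below. The value shown, "* rw", lets any host mount the export with read-write access; replace "*" with the specific hosts that should have access.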

<property>
  <name>nfs.exports.allowed.hosts</name>
  <value>* rw</value>
</property>

NOTE: The NFS gateway may need to be restarted if the property is altered.
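
To check a gateway's hdfs-site.xml for this condition, the following audit script is an added example (not part of the original article or of Hadoop). It parses "nfs.exports.allowed.hosts" and flags wildcard entries. The sample XML is constructed, the subnet is a placeholder, and the function names and severity labels are hypothetical; the entry syntax (";" separators, read-only when no privilege is given, "* rw" when unset) follows the Hadoop NFS gateway documentation.

```python
import xml.etree.ElementTree as ET

PROP = "nfs.exports.allowed.hosts"
DEFAULT = "* rw"  # Hadoop's default when the property is not set

# Constructed hdfs-site.xml fragments; the subnet is a placeholder.
WEAK = f"""<configuration><property>
  <name>{PROP}</name><value>* rw</value>
</property></configuration>"""
HARDENED = f"""<configuration><property>
  <name>{PROP}</name>
  <value>192.168.0.0/22 rw ; nfs-client-host1.com ro</value>
</property></configuration>"""

def parse_exports(site_xml):
    """Return [(host_pattern, privilege)] from an hdfs-site.xml string."""
    value = DEFAULT
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            value = (prop.findtext("value") or "").strip()
    entries = []
    for entry in value.split(";"):  # entries are separated by ';'
        parts = entry.split()
        if parts:
            # A missing privilege means read-only.
            priv = parts[1].lower() if len(parts) > 1 else "ro"
            entries.append((parts[0], priv))
    return entries

def audit(site_xml):
    """Flag export entries that let any host mount HDFS through the gateway."""
    findings = []
    for host, priv in parse_exports(site_xml):
        if host == "*":
            level = "HIGH" if priv == "rw" else "MEDIUM"
            findings.append((level, f"{host} {priv}"))
    return findings

if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(xml) or "no wildcard exports")
```

A configuration with no "nfs.exports.allowed.hosts" property at all is reported the same way as an explicit "* rw", since that is the value the gateway falls back to.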

Links: https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsNfsGateway.html#Allow_moun...

Revision #: 1 of 1
Last update: 05-26-2017 12:58 AM