Hardening Security on cloudera Cluster

Explorer

Hello,

During a security scan, two issues have been discovered in my Cloudera cluster (Cloudera Manager version 7.13.1, Cloudera Runtime 7.3.1).

Zookeeper issue (Zookeeper version 3.8.1.7.3.1.0-197):

  • On the nodes where ZooKeeper runs, I have the below issue:
  • HTTP TRACE / TRACK Methods Allowed - Debugging functions are enabled on the remote web server - port 7000

Mapreduce HSTS header:

  • HSTS Missing From HTTPS Server / port 13562

Can you please assist on how to mitigate these issues?

Thank you!


Cloudera Employee

1. We can see that port 7000 is not used by any service from Cloudera:
https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/installation/topics/cdpdc-ports-used-by-runti...

Please confirm and update.
To disallow or disable HTTP TRACE, please follow the link below: https://access.redhat.com/solutions/198813

2. Port 13562 is the MapReduce shuffle port. This port is listening on all YARN NodeManager nodes. If SSL is enabled for MapReduce, this port shall operate with SSL. You can set the HSTS credentials in the configuration.

Explorer

Hello,

Thank you for your answer.

1. port 7000

  • Here: https://access.redhat.com/solutions/198813 it says to run 'echo TraceEnable off >>/etc/httpd/conf/httpd.conf' and restart the Apache server with 'service httpd reload'. The problem is that on none of my servers in the cluster is the httpd service actually running.

Do you have any other suggestions?

2. For MapReduce -> I enabled HTTPS on MapReduce Shuffle with:

[screenshot: teo123_0-1746509405244.png]

but I still don't understand where I should add the HSTS header configuration. In ssl-server.xml? What would the config look like? Like in the image below?

[screenshot: teo123_1-1746509527718.png]

I tested what I stated in the images above, and the HSTS header is not present.

Thank you!

Explorer

Sorry, just an update regarding port 7000. From my debugging on the server, this port is opened by a Java process running the zookeeper-server process. This is why I mentioned it here.

Also, the configuration in the ZooKeeper service -> Server -> metrics:

[screenshot: teo123_1-1746512286978.png]

Thanks!

Explorer

I ran into the same findings in a Cloudera 7.x setup. For the Zookeeper TRACE/TRACK warning on port 7000, you can mitigate it by disabling these methods in the embedded Jetty config or, more commonly, by placing a reverse proxy (Apache/Nginx) in front of ZooKeeper and blocking TRACE/TRACK.

For the MapReduce HSTS warning (port 13562), HSTS isn’t enabled by default. The fix is to add the Strict Transport Security header either through the service’s HTTPS response configuration or again via a reverse proxy. This enforces HTTPS and clears the scan finding.
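A way to re-check both scanner findings from this thread after applying a mitigation, as an added example that is not code from the thread or from Cloudera: it assumes the ZooKeeper metrics port (7000, plain HTTP) and the MapReduce shuffle port (13562, HTTPS once encrypted shuffle is enabled) are reachable from where it runs, and that the shuffle certificate chains to the CA file you pass in.

```python
import http.client
import ssl
from typing import Dict, List, Optional

def hsts_max_age(value: str) -> Optional[int]:
    """Parse max-age out of a Strict-Transport-Security value; None if absent or invalid."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None

def evaluate(trace_status: Optional[int], headers: Dict[str, str], https: bool) -> List[str]:
    """Map one port's probe results (TRACE status, GET headers) to open findings."""
    findings = []
    # A 2xx answer to TRACE means the debug method is still served on this port.
    if trace_status is not None and 200 <= trace_status < 300:
        findings.append("TRACE method allowed")
    if https:  # HSTS is only meaningful on a TLS port such as the encrypted shuffle
        hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS header missing")
        elif not hsts_max_age(hsts):  # a missing or zero max-age disables HSTS
            findings.append("HSTS max-age missing or zero")
    return findings

def probe(host: str, port: int, https: bool, cafile: Optional[str] = None,
          timeout: float = 5.0) -> List[str]:
    """Send TRACE and GET to host:port and evaluate the answers; returns open findings."""
    def connect():
        if https:
            ctx = ssl.create_default_context(cafile=cafile)
            return http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        return http.client.HTTPConnection(host, port, timeout=timeout)
    trace_status = None
    try:
        conn = connect()
        conn.request("TRACE", "/")
        trace_status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # refused, reset or non-HTTP reply: TRACE was not served
    conn = connect()
    conn.request("GET", "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return evaluate(trace_status, headers, https)
```

Run `probe("zk-host", 7000, False)` against a ZooKeeper node and `probe("nm-host", 13562, True, cafile="/path/to/ca.pem")` against a NodeManager (host names and CA path are placeholders); an empty list means the corresponding finding is closed.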