Support Questions

Find answers, ask questions, and share your expertise

Restrict/Protect free access to users through web

avatar
Explorer

Hello,

Is there a way to restrict/protect the access to the following service URLs through browser. As of now all these URLs are accessible without authentication and our Security Assessment team list these as part of the vulnerabilities.

http://domainame:50070/logs/

http://domainame:50070/explorer.html#/

http://domainame:50070/dfshealth.html#tab-datanode

http://domainame:16030/rs-status

http://domainame:8088/cluster/cluster

http://domainame:8188/applicationhistory

http://domainame:8042/node

http://secondarynamenode:16010/logs/

http://datanode:61310/logs/

Your speedy response is highly appreciated.

Thanks

1 ACCEPTED SOLUTION

avatar
Master Guru

@Saravanan Ramaraj have you looked into apache knox?

The Knox API Gateway is designed as a reverse proxy with consideration for pluggability in the areas of policy enforcement, through providers and the backend services for which it proxies requests. The Apache Knox Gateway is a REST API Gateway for interacting with Apache Hadoop clusters. The Knox Gateway provides a single access point for all REST interactions with Apache Hadoop clusters.

In this capacity, the Knox Gateway is able to provide valuable functionality to aid in the control, integration, monitoring and automation of critical administrative and analytical needs of the enterprise.

  • Authentication (LDAP and Active Directory Authentication Provider)
  • Federation/SSO (HTTP Header Based Identity Federation)
  • Authorization (Service Level Authorization)
  • Auditing

And then for authorization you can use Apache Ranger which offers a centralized security framework to manage fine-grained access control over Hadoop data access components

coupled with kerberos you cluster will be secured and the links shall be authenticed using kerberos and ranger will provide authorization on what services the user has access to. Finally knox will be your perimeter security.

View solution in original post

1 REPLY 1

avatar
Master Guru

@Saravanan Ramaraj have you looked into apache knox?

The Knox API Gateway is designed as a reverse proxy with consideration for pluggability in the areas of policy enforcement, through providers and the backend services for which it proxies requests. The Apache Knox Gateway is a REST API Gateway for interacting with Apache Hadoop clusters. The Knox Gateway provides a single access point for all REST interactions with Apache Hadoop clusters.

In this capacity, the Knox Gateway is able to provide valuable functionality to aid in the control, integration, monitoring and automation of critical administrative and analytical needs of the enterprise.

  • Authentication (LDAP and Active Directory Authentication Provider)
  • Federation/SSO (HTTP Header Based Identity Federation)
  • Authorization (Service Level Authorization)
  • Auditing

And then for authorization you can use Apache Ranger which offers a centralized security framework to manage fine-grained access control over Hadoop data access components

coupled with kerberos you cluster will be secured and the links shall be authenticed using kerberos and ranger will provide authorization on what services the user has access to. Finally knox will be your perimeter security.