Support Questions

testsaran09 · ‎07-14-2016

Hello,

Is there a way to restrict/protect the access to the following service URLs through browser. As of now all these URLs are accessible without authentication and our Security Assessment team list these as part of the vulnerabilities.

http://domainame:50070/logs/

http://domainame:50070/explorer.html#/

http://domainame:50070/dfshealth.html#tab-datanode

http://domainame:16030/rs-status

http://domainame:8088/cluster/cluster

http://domainame:8188/applicationhistory

http://domainame:8042/node

http://secondarynamenode:16010/logs/

http://datanode:61310/logs/

Your speedy response is highly appreciated.

Thanks

sunile_manjee · ‎07-14-2016

@Saravanan Ramaraj have you looked into apache knox?

The Knox API Gateway is designed as a reverse proxy with consideration for pluggability in the areas of policy enforcement, through providers and the backend services for which it proxies requests. The Apache Knox Gateway is a REST API Gateway for interacting with Apache Hadoop clusters. The Knox Gateway provides a single access point for all REST interactions with Apache Hadoop clusters.

In this capacity, the Knox Gateway is able to provide valuable functionality to aid in the control, integration, monitoring and automation of critical administrative and analytical needs of the enterprise.

Authentication (LDAP and Active Directory Authentication Provider)
Federation/SSO (HTTP Header Based Identity Federation)
Authorization (Service Level Authorization)
Auditing

And then for authorization you can use Apache Ranger which offers a centralized security framework to manage fine-grained access control over Hadoop data access components

coupled with kerberos you cluster will be secured and the links shall be authenticed using kerberos and ranger will provide authorization on what services the user has access to. Finally knox will be your perimeter security.

View solution in original post

sunile_manjee · ‎07-14-2016

@Saravanan Ramaraj have you looked into apache knox?

The Knox API Gateway is designed as a reverse proxy with consideration for pluggability in the areas of policy enforcement, through providers and the backend services for which it proxies requests. The Apache Knox Gateway is a REST API Gateway for interacting with Apache Hadoop clusters. The Knox Gateway provides a single access point for all REST interactions with Apache Hadoop clusters.

In this capacity, the Knox Gateway is able to provide valuable functionality to aid in the control, integration, monitoring and automation of critical administrative and analytical needs of the enterprise.

Authentication (LDAP and Active Directory Authentication Provider)
Federation/SSO (HTTP Header Based Identity Federation)
Authorization (Service Level Authorization)
Auditing

And then for authorization you can use Apache Ranger which offers a centralized security framework to manage fine-grained access control over Hadoop data access components

coupled with kerberos you cluster will be secured and the links shall be authenticed using kerberos and ranger will provide authorization on what services the user has access to. Finally knox will be your perimeter security.

Cloudera Community

Support Questions

Restrict/Protect free access to users through web

Permission denied: user=yarn, access=WRITE oozie s...

Cannot access Hue Web UI

Kerberos authentication from MacOS Monterey to acc...

Control User Access to Capacity Scheduler Queues.

Is the HDP Version 3.1.5 free for user?

Permission denied: user=root, access=WRITE, inode=...

CDP7 can't access Atlas Web UI

Getting past "Access denied for user" error during...

Listing directories to which user has access

Cloudera Manager user access