My actual HDP version is: HDP-126.96.36.199
I have enabled Kerberos on the Hadoop cluster, but still the security officer checked a lot of vulnerabilities
1. We could access the content via these URLs without any authentication:
P.S.: I did not install HBase as a service
2. This URL also is accessible without authentication from all datanodes:
3. Grafana is also accessible without authentication
Any ideas, please?
You might have enabled kerberos authentication for your cluster components. However, in order to secure the Web UIs offered by these components you will also need to enable the "SPNEGO Authentication".
By default, access to the HTTP-based services and UIs for the cluster are not configured to require authentication. Kerberos authentication can be configured for the Web UIs for HDFS, YARN, MapReduce2, HBase, Oozie, Falcon and Storm. Please see  & 
1. Create a secret key used for signing authentication tokens.
dd if=/dev/urandom of=/etc/security/http_secret bs=1024 count=1
chown hdfs:hadoop /etc/security/http_secret
chmod 440 /etc/security/http_secret
2. Add additional properties for http authentication.
Example: in Advanced core-site:
hadoop.http.authentication.simple.anonymous.allowed = false
hadoop.http.authentication.signature.secret.file = /etc/security/http_secret
hadoop.http.authentication.type = kerberos
hadoop.http.authentication.kerberos.keytab = /etc/security/keytabs/spnego.service.keytab
hadoop.http.authentication.kerberos.principal = HTTP/_HOST@EXAMPLE.COM
hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
hadoop.http.authentication.cookie.domain = hortonworks.local
Once that is done then you will not be able to access those UIs without having a valid kerberos ticket. You will need to configure your web browser as mentioned in  in order to securely access those SPNEGO enabled component UIs.
- Similarly the following doc tells about how to enable HTTP Authentication for Ambari 
# ambari-server setup-kerberos
Using python /usr/bin/python
Setting up Kerberos authentication
Enable Kerberos authentication [true|false] (false): true
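An added example, not part of the original answer and not Hadoop or Ambari code: a small Python check that reads core-site.xml text and reports which of the HTTP authentication properties listed above are missing or still set to a weak value. The helper names (`audit_spnego`, `site_xml`) and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

P = "hadoop.http.authentication."
# REQUIRED: fixed values from the answer's core-site example; MUST_BE_SET: site-specific, presence only.
REQUIRED = {P + "type": "kerberos", P + "simple.anonymous.allowed": "false"}
MUST_BE_SET = [P + "signature.secret.file", P + "kerberos.keytab", P + "kerberos.principal"]
FILTER_KEY = "hadoop.http.filter.initializers"
FILTER_CLASS = "org.apache.hadoop.security.AuthenticationFilterInitializer"

def load_properties(xml_text):
    """Parse Hadoop *-site.xml text into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_spnego(xml_text):
    """Return findings; an empty list means every setting from the answer is in place."""
    props, findings = load_properties(xml_text), []
    for key, want in REQUIRED.items():
        if props.get(key, "").lower() != want:
            findings.append(f"{key} = {props.get(key)!r}, expected {want!r}")
    for key in MUST_BE_SET:
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    filters = [c.strip() for c in props.get(FILTER_KEY, "").split(",")]
    if FILTER_CLASS not in filters:
        findings.append(f"{FILTER_KEY} lacks {FILTER_CLASS}")
    principal = props.get(P + "kerberos.principal", "")
    if principal and not principal.startswith("HTTP/"):
        findings.append("SPNEGO principal must use the HTTP/ service name")
    return findings

def site_xml(props):
    """Render a dict as core-site.xml text (used only for the constructed samples)."""
    rows = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return f"<configuration>{rows}</configuration>"

# Constructed samples: simple/anonymous web authentication vs. the properties from the answer.
WEAK = site_xml({P + "type": "simple", P + "simple.anonymous.allowed": "true"})
HARDENED = site_xml({
    P + "type": "kerberos", P + "simple.anonymous.allowed": "false",
    P + "signature.secret.file": "/etc/security/http_secret",
    P + "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab",
    P + "kerberos.principal": "HTTP/_HOST@EXAMPLE.COM", FILTER_KEY: FILTER_CLASS})

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_spnego(sample) or "no findings")
```

To audit a real node, pass the contents of its core-site.xml to `audit_spnego` instead of the samples.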
Thank you for your pertinent answers as usual
So there is no other option except configuring SPNEGO for browsers?!
Is it recommended to configure the Hadoop cluster with HTTPS? If yes, do you have a procedure, please?
In order to enable SSL for various components, you can refer to the individual component docs.
Following are some references:
1). Enabling HTTPS for Grafana & AMS
2). Enabling HTTPS for AmbariServer
3). Enabling HTTPS for HDFS
4). Enabling HTTPS for various HDP services:
If your question is answered, then please make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
For different queries, it is better to open a new thread; that way the responses are more organised.
One last question, please:
Should I use both Kerberos and SSL for a secured cluster?