ambari-dev mailing list archives

From "Luciano Resende (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-10777) Security exposure - Quicklinks to Web UI exposes cluster servers
Date Thu, 14 May 2015 22:18:33 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-10777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14544468#comment-14544468 ]

Luciano Resende commented on AMBARI-10777:
------------------------------------------

These are pretty much the same, with a "security spin" on the current jira. Once one is fixed,
both should be marked fixed.

> Security exposure - Quicklinks to Web UI exposes cluster servers
> ----------------------------------------------------------------
>
>                 Key: AMBARI-10777
>                 URL: https://issues.apache.org/jira/browse/AMBARI-10777
>             Project: Ambari
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.7.0, 2.0.0, 2.2.0, Ambari-2.1
>         Environment: All
>            Reporter: Jeffrey E  Rodriguez
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Ambari Security exposure -
> "Quick Links": Ambari allows Ambari users to access servers inside of the user's cluster, e.g. click Oozie Web UI, if installed, and you get redirected to the Oozie UI server. Worse yet, if SSL is not set up, that is a gaping security hole.
> Since Knox is a component of Ambari, it makes sense to set the Quickreferences as proxified links.
> This could work as follows:
> + If Knox is installed, the current topology may be picked and the proxified links could be derived from the Knox gateway configuration.
> The URL variable can then be set to the proxy URLs.
> + If Knox is not installed, then we use the default non-proxy URL variables.
> In the example of Oozie, if you put the Oozie Knox through a proxy and put the proxified link, that would be accessed through Knox securely and outsiders to the cluster would not gain information about the inside of the cluster.
> Also, we need to think about customers who may want to set a firewall: how would a customer access User Interface services in a cluster managed by Ambari?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
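
The link selection proposed in the quoted issue (proxified link when Knox is installed, default link otherwise), as an added JavaScript example that is not part of the message or of Ambari's code. The cluster object shape, the `servicePaths` table and all host names are constructed assumptions; `gateway.port` and `gateway.path` are Knox gateway settings.

```javascript
// Hypothetical table: service name -> context path behind the Knox gateway.
const servicePaths = { OOZIE: 'oozie/' };

// Constructed sample clusters (not real Ambari data structures).
const oozie = { host: 'oozie01.cluster.internal', port: 11000, protocol: 'http', path: 'oozie/' };
const withKnox = {
  services: {
    OOZIE: oozie,
    KNOX: { host: 'gateway.example.com', topology: 'default',
            config: { 'gateway.port': 8443, 'gateway.path': 'gateway' } },
  },
};
const withoutKnox = { services: { OOZIE: oozie } };

// The "default non-proxy URL" case: points straight at the service host.
function directLink(service, cluster) {
  const s = cluster.services[service];
  return `${s.protocol}://${s.host}:${s.port}/${s.path}`;
}

// Proxified link derived from the Knox gateway configuration and topology.
// Returns null when Knox is absent or the service has no gateway path.
function knoxLink(service, cluster) {
  const knox = cluster.services.KNOX;
  const path = servicePaths[service];
  if (!knox || path === undefined) return null;
  const port = knox.config['gateway.port'];
  const gwPath = knox.config['gateway.path'];
  return `https://${knox.host}:${port}/${gwPath}/${knox.topology}/${path}`;
}

// Prefer the gateway; fall back to the direct link (fallback for services
// without a gateway path is an assumption of this example).
function resolveQuickLink(service, cluster) {
  return knoxLink(service, cluster) || directLink(service, cluster);
}

// Check for the exposure the issue describes: does the link name a
// cluster-internal service host rather than the gateway?
function exposesInternalHost(link, cluster) {
  const host = new URL(link).hostname;
  return Object.entries(cluster.services)
    .some(([name, s]) => name !== 'KNOX' && s.host === host);
}
```
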
