hadoop-user mailing list archives

From Bertrand Dechoux <decho...@gmail.com>
Subject Re: Securing cluster from access
Date Fri, 28 Sep 2012 10:24:35 GMT
Harsh is right. It is important to know what the difference is between
authorization and authentication.
However, if you do not want anybody to write to your cluster from outside,
then a firewall might be enough.
You block everything, but you allow access to the web interfaces (without
private actions enabled) from only a limited set of IPs.

Regards

Bertrand

On Fri, Sep 28, 2012 at 12:00 PM, Harsh J <harsh@cloudera.com> wrote:

> ACLs are a good way to control roles of users, but in insecure mode
> users can easily be impersonated, rendering ACLs useless as a 'secure'
> measure.
>
> On Fri, Sep 28, 2012 at 3:15 PM, Shin Chan <hadoop@gmx.com> wrote:
> > Hello Bertrand,
> >
> > Thanks for your reply.
> >
> > Apologies if this confused you. Yes, iptables is one of the ways to go, but
> > my question is more whether there is configuration within the Hadoop XML
> > files to say: if this user is there, then only allow them to see HDFS.
> >
> > I can see that we can do something for MapReduce jobs using ACL properties
> > (old link for the 1.x version):
> >
> > http://hadoop.apache.org/docs/r1.0.3/service_level_auth.html
> >
> > But do similar properties exist on the HDFS side, where the NameNode can
> > see that this client is allowed to connect to the cluster?
> >
> > Thanks
> >
> > ----- Original Message -----
> > From: Bertrand Dechoux
> > Sent: 09/28/12 07:34 PM
> > To: user@hadoop.apache.org
> > Subject: Re: Securing cluster from access
> >
> > What you are looking for is not related to Hadoop in the end. It is how to
> > restrict requests in a network.
> > 'Firewall' is a broad term. iptables can allow you to do so quickly. You
> > drop everything and then accept only from a set of IPs.
> > You may receive answers using this mailing list, but its purpose is not
> > really to discuss firewall solutions and configurations.
> >
> > Regards
> >
> > Bertrand
> >
> >
> >
> > On Fri, Sep 28, 2012 at 11:23 AM, Shin Chan <hadoop@gmx.com> wrote:
> >>
> >> Hello,
> >>
> >> We have a 15-node cluster and right now we don't have Kerberos implemented.
> >>
> >> But on an urgent basis we want to secure the cluster.
> >>
> >> Right now anyone who knows the IP of the NameNode can just download the
> >> Hadoop jar, configure the XML files and say
> >>
> >> hadoop fs -ls /
> >>
> >> And he can see the data.
> >>
> >> How do we stop this?
> >>
> >> We have Hadoop version 2.0.
> >>
> >> Do we have any configuration settings which we can change so that only a
> >> set of users or a set of IPs is able to see HDFS?
> >>
> >> We don't have a firewall implemented yet outside the cluster, so that is
> >> not an option.
> >>
> >> Thanks in advance for your help
> >
> > --
> > Bertrand Dechoux
> >
> > Thanks and Regards,
>
> --
> Harsh J
>



-- 
Bertrand Dechoux
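
Added example (not part of Bertrand's message or of the Hadoop project): the "block everything, then allow the web interfaces from a limited set of IPs" policy described above, as a script that only prints an `iptables-restore` rule set. The cluster subnet, the admin IPs, the Hadoop 2.x default web UI ports (50070, 50075) and the SSH exception are assumptions.

```shell
#!/bin/sh
# Added example: emits an iptables-restore rule set; it changes nothing itself.
# Constructed values (assumptions, not taken from the thread):
CLUSTER_NET="192.0.2.0/24"               # subnet the cluster nodes live in
ADMIN_IPS="198.51.100.10 198.51.100.11"  # hosts allowed to reach the web UIs
WEB_PORTS="50070,50075"                  # NameNode / DataNode web UI defaults (Hadoop 2.x)
SSH_PORT="22"                            # kept reachable for admins to avoid lock-out

# Accept only dotted-quad IPv4 with an optional /prefix, so nothing else
# can end up inside a generated rule.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_rules <cluster-subnet> <space-separated admin IPs>
gen_rules() {
    valid_ip "$1" || { echo "bad cluster net: $1" >&2; return 1; }
    for ip in $2; do
        valid_ip "$ip" || { echo "bad admin ip: $ip" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # block everything by default
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -s $1 -j ACCEPT"   # node-to-node traffic (RPC, data transfer)
    for ip in $2; do
        # Only the web UIs and SSH are reachable from the admin hosts;
        # the NameNode RPC port stays closed to everything outside the cluster.
        echo "-A INPUT -s $ip -p tcp -m multiport --dports $WEB_PORTS,$SSH_PORT -j ACCEPT"
    done
    echo "COMMIT"
}

gen_rules "$CLUSTER_NET" "$ADMIN_IPS"
```

Review the output and check it with `iptables-restore --test` on each node before loading it. As Harsh notes in the quoted reply, this limits who can connect but does not authenticate users.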
