From: Harsh J
Date: Fri, 28 Sep 2012 15:29:57 +0530
Subject: Re: Securing cluster from access
To: user@hadoop.apache.org
In-Reply-To: <20120928094532.112100@gmx.com>

You need a stronger authentication method (Kerberos), period. It isn't just fs -ls / you should be scared about. Read Natty's post here, on what it means to run an insecure cluster when you have secure requirements: http://www.cloudera.com/blog/2012/03/authorization-and-authentication-in-hadoop/. Firewalls can only help so much in multi-user environments.

On Fri, Sep 28, 2012 at 3:15 PM, Shin Chan wrote:
> Hello Bertrand,
>
> Thanks for your reply.
>
> Apology if this confused you. Yes, iptables is one of the ways to go, but my question is more whether there is configuration within the Hadoop XML files to say "only if this user is there, allow them to see HDFS".
>
> I can see that we can do something for MapReduce jobs using ACL properties (old link for the 1.x version):
>
> http://hadoop.apache.org/docs/r1.0.3/service_level_auth.html
>
> But do similar properties exist on the HDFS side, where the Namenode can see that this client is allowed to connect to the cluster?
>
> Thanks
>
> ----- Original Message -----
> From: Bertrand Dechoux
> Sent: 09/28/12 07:34 PM
> To: user@hadoop.apache.org
> Subject: Re: Securing cluster from access
>
> What you are looking for is not related to Hadoop in the end. It is how to restrict requests in a network. 'Firewall' is a broad term. iptables can allow you to do so quickly. You drop everything and then accept only from a set of IPs.
> You may receive answers using this mailing list, but its purpose is not really to discuss firewall solutions and configurations.
>
> Regards
>
> Bertrand
>
> On Fri, Sep 28, 2012 at 11:23 AM, Shin Chan wrote:
>>
>> Hello,
>>
>> We have a 15 node cluster and right now we don't have Kerberos implemented.
>>
>> But on an urgent basis we want to secure the cluster.
>>
>> Right now anyone who knows the IP of the Namenode can just download the Hadoop jar, configure the XML files and say
>>
>> hadoop fs -ls /
>>
>> And he can see the data.
>>
>> How to stop this?
>>
>> We have Hadoop version 2.0.
>>
>> Do we have any configuration settings which we can change so that only a set of users or a set of IPs should be able to see HDFS?
>>
>> We don't have a firewall implemented yet outside the cluster, so that is not an option.
>>
>> Thanks in advance for your help
>
> --
> Bertrand Dechoux
>
> Thanks and Regards,

--
Harsh J
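The thread turns on two settings: the service-level ACL that Shin found for MapReduce also exists for the HDFS client protocol (`security.client.protocol.acl` in hadoop-policy.xml, enforced only when `hadoop.security.authorization` is true), and, as Harsh says, an ACL is only worth something once `hadoop.security.authentication` is `kerberos`, because under `simple` authentication the NameNode trusts whatever user name the client sends. The script below is an added example written for this page, not code from the thread or from the Hadoop project. It parses Hadoop's `<configuration>/<property>` file format, evaluates an ACL in Hadoop's documented `"user1,user2 group1,group2"` string form, and audits a constructed weak configuration beside its corrected form; the host name, user and group names are constructed sample values.

```python
"""Audit a Hadoop 2.x configuration for the gap discussed in the thread.

Added example (not from the thread or the Hadoop project). Reads core-site.xml
and hadoop-policy.xml in Hadoop's <configuration>/<property> format, evaluates
the service-level ACL for the HDFS client protocol, and explains why the ACL
alone does not stop an untrusted client while authentication is "simple".
"""
import xml.etree.ElementTree as ET

# Constructed sample: authorization switched on, but authentication left at "simple".
CORE_SITE_WEAK = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""

# Constructed sample: the same cluster after switching authentication to Kerberos.
CORE_SITE_FIXED = CORE_SITE_WEAK.replace("<value>simple</value>", "<value>kerberos</value>")

# Constructed sample hadoop-policy.xml: users hdfs and alice, plus group analysts,
# may talk to the NameNode over the client protocol. The property name is the real
# one from the service-level authorization documentation linked in the thread.
HADOOP_POLICY = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>security.client.protocol.acl</name>
    <value>hdfs,alice analysts</value>
  </property>
</configuration>
"""


def parse_hadoop_conf(xml_text):
    """Return {name: value} for every <property> in a Hadoop configuration file.

    Values are deliberately not stripped: in an ACL a leading space means
    "no users, only the groups that follow", so whitespace is significant.
    """
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = prop.findtext("value") or ""
    return conf


def parse_acl(acl):
    """Split a Hadoop ACL string into (users, groups) sets; None means "*" (everyone)."""
    if acl.strip() == "*":
        return None
    users_part, _, groups_part = acl.partition(" ")
    users = {u for u in users_part.split(",") if u}
    groups = {g for g in groups_part.strip().split(",") if g}
    return users, groups


def acl_allows(acl, user, user_groups=()):
    """Mimic the NameNode's service-level check for one caller identity."""
    parsed = parse_acl(acl)
    if parsed is None:
        return True
    users, groups = parsed
    return user in users or bool(groups & set(user_groups))


def audit(core_site_xml, policy_xml):
    """Return a list of findings; an empty list means the ACL is enforced and trustworthy."""
    core = parse_hadoop_conf(core_site_xml)
    policy = parse_hadoop_conf(policy_xml)
    findings = []
    # Hadoop defaults: authentication "simple", authorization "false", ACL "*".
    auth = core.get("hadoop.security.authentication", "simple").strip().lower()
    authz = core.get("hadoop.security.authorization", "false").strip().lower() == "true"
    client_acl = policy.get("security.client.protocol.acl", "*")

    if not authz:
        findings.append("hadoop.security.authorization is not true: hadoop-policy.xml is ignored")
    if client_acl.strip() == "*":
        findings.append("security.client.protocol.acl is '*': every caller may use the HDFS client protocol")
    if auth != "kerberos":
        # Under simple auth the NameNode trusts the user name the client sends,
        # so the ACL only restricts well-behaved clients.
        findings.append("hadoop.security.authentication=%s: caller identity is client-asserted, "
                        "so the ACL does not stop an untrusted client" % auth)
    return findings


if __name__ == "__main__":
    for label, core in (("weak", CORE_SITE_WEAK), ("fixed", CORE_SITE_FIXED)):
        print(label, audit(core, HADOOP_POLICY) or ["no findings"])
    print("alice allowed:", acl_allows("hdfs,alice analysts", "alice"))
    print("bob (marketing) allowed:", acl_allows("hdfs,alice analysts", "bob", ["marketing"]))
```

Run against the weak configuration the audit reports a single finding, the one Harsh's reply is about: the ACL is present and enforced, but the identity it checks is asserted by the client. The fixed configuration, identical except for `kerberos`, reports nothing. Point the same parser at a real `$HADOOP_CONF_DIR/core-site.xml` and `hadoop-policy.xml` to get the same three checks on a cluster.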