Details
- Sub-task
- Status: Open
- Major
- Resolution: Unresolved
Description
The default settings that restrict which peer nodes the cluster nodes may communicate with are controlled by hadoop.proxyuser.[hdfs|yarn].hosts and hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open, which allows any host to impersonate any user.
The proposal is to default the settings to:
<property>
  <name>hadoop.proxyuser.hdfs.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.groups</name>
  <value>wheel</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.groups</name>
  <value>users</value>
</property>
This will allow the cluster to default to a closed network and a default "users" group, to reduce risk.
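One way to audit a configuration for the open settings described above, as an added example that is not part of the original issue or of Hadoop. The function names and the sample core-site.xml are constructed for illustration, and host entries are treated as IP addresses or CIDR ranges only (hostnames are not resolved).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one proxy user left wide open, one using the proposed values.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hdfs.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hdfs.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.yarn.hosts</name>
    <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value></property>
  <property><name>hadoop.proxyuser.yarn.groups</name><value>users</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def load_proxyuser_settings(xml_text):
    """Return {(user, kind): [values]} for every hadoop.proxyuser.<user>.<hosts|groups>."""
    settings = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if kind in ("hosts", "groups") and user:
            raw = prop.findtext("value") or ""
            settings[(user, kind)] = [v.strip() for v in raw.split(",") if v.strip()]
    return settings

def find_open_settings(settings):
    """List the property names whose value contains the '*' wildcard."""
    return sorted(f"{PREFIX}{u}.{k}" for (u, k), vals in settings.items() if "*" in vals)

def host_allowed(settings, user, address):
    """Would `address` be accepted as a proxy host for `user`? (IP/CIDR entries only.)"""
    addr = ipaddress.ip_address(address)
    for entry in settings.get((user, "hosts"), []):
        if entry == "*":
            return True
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname entry: not resolved in this simplified check
    return False

if __name__ == "__main__":
    cfg = load_proxyuser_settings(SAMPLE_CORE_SITE)
    print("open:", find_open_settings(cfg))
    for user, ip in [("hdfs", "203.0.113.7"), ("yarn", "203.0.113.7"), ("yarn", "10.4.2.9")]:
        print(user, ip, host_allowed(cfg, user, ip))
```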