[HADOOP-15600] Set default proxy user settings to non-routable IP addresses and default users group - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Description

The default setting to restrict the cluster nodes to communicate with peer nodes are controlled by: hadoop.proxyuser.[hdfs.yarn].hosts, and hadoop.proxyuser.[hdfs|yarn].groups. These settings are default to be opened which allows any hosts to impersonate any user.

The proposal is to default settings to:

    <property>
      <name>hadoop.proxyuser.hdfs.hosts</name>
      <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
    </property>

    <property>
      <name>hadoop.proxyuser.hdfs.groups</name>
      <value>wheel</value>
    </property>

    <property>
      <name>hadoop.proxyuser.yarn.hosts</name>
      <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
    </property>

    <property>
      <name>hadoop.proxyuser.yarn.groups</name>
      <value>users</value>
    </property>

This will allow the cluster to default to a closed network and default "users" group to reduce risks.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Eric Yang

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 11/Jul/18 22:59

Updated:: 26/Jul/18 05:26