[
https://issues.apache.org/jira/browse/HADOOP-15600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Yang updated HADOOP-15600:
-------------------------------
Description:
The default settings that restrict cluster nodes to communicating with peer
nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and
hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open,
which allows any host to impersonate any user.
The proposal is to default the settings to:
{code}
<property>
<name>hadoop.proxyuser.hdfs.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
<name>hadoop.proxyuser.hdfs.groups</name>
<value>wheel</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.groups</name>
<value>users</value>
</property>
{code}
This will allow the cluster to default to a closed network and default "users"
group to reduce risks.
was:
The default settings that restrict cluster nodes to communicating with peer
nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and
hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open,
which allows any host to impersonate any user.
The proposal is to default the settings to:
{code}
<property>
<name>hadoop.proxyuser.hdfs.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
<name>hadoop.proxyuser.hdfs.groups</name>
<value>users</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.groups</name>
<value>users</value>
</property>
{code}
This will allow the cluster to default to a closed network and default "users"
group to reduce risks.
> Set default proxy user settings to non-routable IP addresses and default
> users group
> ------------------------------------------------------------------------------------
>
> Key: HADOOP-15600
> URL: https://issues.apache.org/jira/browse/HADOOP-15600
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Priority: Major
>
> The default settings that restrict cluster nodes to communicating with peer
> nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and
> hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open,
> which allows any host to impersonate any user.
> The proposal is to default the settings to:
> {code}
> <property>
> <name>hadoop.proxyuser.hdfs.hosts</name>
> <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
> <name>hadoop.proxyuser.hdfs.groups</name>
> <value>wheel</value>
> </property>
> <property>
> <name>hadoop.proxyuser.yarn.hosts</name>
> <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
> <name>hadoop.proxyuser.yarn.groups</name>
> <value>users</value>
> </property>
> {code}
> This will allow the cluster to default to a closed network and default
> "users" group to reduce risks.