hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15600) Set default proxy user settings to non-routable IP addresses and default users group
Date Thu, 26 Jul 2018 05:27:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16556923#comment-16556923 ]

Eric Yang commented on HADOOP-15600:
------------------------------------

For good intent and practical purposes, the default ASF release may assume admin == root like
Red Hat or Mac OS X does.  The more exotic features that [~daryn] listed are pass-through for
admin users.


> Set default proxy user settings to non-routable IP addresses and default users group
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-15600
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15600
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Priority: Major
>
> The default settings to restrict the cluster nodes to communicate with peer nodes are
> controlled by: hadoop.proxyuser.[hdfs|yarn].hosts, and hadoop.proxyuser.[hdfs|yarn].groups.
> These settings default to open, which allows any host to impersonate any user.
> The proposal is to default the settings to:
> {code}
>     <property>
>       <name>hadoop.proxyuser.hdfs.hosts</name>
>       <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
>     </property>
>     <property>
>       <name>hadoop.proxyuser.hdfs.groups</name>
>       <value>wheel</value>
>     </property>
>     <property>
>       <name>hadoop.proxyuser.yarn.hosts</name>
>       <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
>     </property>
>     <property>
>       <name>hadoop.proxyuser.yarn.groups</name>
>       <value>users</value>
>     </property>
> {code}
> This will allow the cluster to default to a closed network and default "users" group
> to reduce risks.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
