Hadoop web Ui security

Question

mine is a kerborised HDP 2.3 cluster with AD users support. we know that by using hadoop's web UI at http://namenode-ip/50070 anyone can access the hdfs details. Can we secure it only to certain authorized users and not publicly to all.. in production.

Answer 1

You can turn on kerberos/SPNEGO for UI access. This will require SPNEGO to be enabled for your users' browsers as well.

See: https://hadoop.apache.org/docs/r1.2.1/HttpAuthentication.html for general instructions in securing the UIs.

At a high level, you can have the HTTP authentication set to simple, kerberos or the classname of a custom authentication handler.

You may also be interested in using Apache Knox to proxy the UIs in question. This will allow you to provide HTTP Basic Auth against LDAP or a number of other authentication options in order to access the ports. See: http://knox.apache.org/books/knox-0-7-0/user-guide.html#UI+Service+Details for UI proxying details.

This of course would require you to firewall off other direct access to the UIs. It is also worth noting that leaving the HTTP authentication type to simple in secure clusters also leaves the REST API open to anyone that can get to it.