Posted to hdfs-user@hadoop.apache.org by Visioner Sadak <vi...@gmail.com> on 2013/09/11 09:46:53 UTC
hadoop web UI security
Hello friends, I'm using the below configuration to hide the Hadoop web UI. The
problem is that when I access
http://192.34.8.8:50070/ it works properly and blocks access, but when I
use
http://192.34.8.8:50070/dfshealth.jsp?user.name=blahblahh(anyusername)......
it fails and allows access even if I set my signature
username as hadoopuser.
It's allowing access for any username.
<property>
<name>hadoop.http.filter.initializers</name>
<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>
<property>
<name>hadoop.http.authentication.type</name>
<value>simple</value>
</property>
<property>
<name>hadoop.http.authentication.token.validity</name>
<value>60</value>
</property>
<property>
<name>hadoop.http.authentication.signature.secret.file</name>
<value>/home/hadoop/hadoop-0.23.3/conf/security/username</value>
</property>
<property>
<name>hadoop.http.authentication.cookie.domain</name>
<value>
</value>
</property>
<property>
<name>hadoop.http.authentication.simple.anonymous.allowed</name>
<value>false</value>
</property>
Re: hadoop web UI security
Posted by Visioner Sadak <vi...@gmail.com>.
Ohh god, I think I have messed up!!!!!! badly............ I think my only
option is to go for custom writing an AuthenticatorHandler as mentioned
here http://hadoop.apache.org/docs/stable/HttpAuthentication.html
Does anyone know any links on how to do it......
Thanks a lot Harsh...........
On Wed, Sep 11, 2013 at 9:37 PM, Harsh J <ha...@cloudera.com> wrote:
> What you're seeing is the right behavior for the auth type "simple".
> It just expects a username, and doesn't do anything other than that -
> i.e. there's no passwords/etc. or a user list to cross-reference to.
>
> For securing properly, you'd either need to use kerberos, or develop
> your own HTTP auth filter that allows only certain usernames or
> expects a password string too/do some other auth mechanism/etc.
>
> On Wed, Sep 11, 2013 at 1:16 PM, Visioner Sadak
> <vi...@gmail.com> wrote:
> > Hello friends, I'm using the below configuration to hide the Hadoop web UI.
> > The problem is that when I access
> >
> > http://192.34.8.8:50070/ it works properly and blocks access, but when I
> > use
> >
> >
> > http://192.34.8.8:50070/dfshealth.jsp?user.name=blahblahh(anyusername)......
> > it fails and allows access even if I set my signature
> > username as hadoopuser.
> >
> > It's allowing access for any username.
> >
> >
> > <property>
> > <name>hadoop.http.filter.initializers</name>
> > <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
> > </property>
> >
> > <property>
> > <name>hadoop.http.authentication.type</name>
> > <value>simple</value>
> > </property>
> >
> > <property>
> > <name>hadoop.http.authentication.token.validity</name>
> > <value>60</value>
> > </property>
> >
> > <property>
> > <name>hadoop.http.authentication.signature.secret.file</name>
> > <value>/home/hadoop/hadoop-0.23.3/conf/security/username</value>
> > </property>
> >
> > <property>
> > <name>hadoop.http.authentication.cookie.domain</name>
> > <value>
> > </value>
> > </property>
> >
> > <property>
> > <name>hadoop.http.authentication.simple.anonymous.allowed</name>
> > <value>false</value>
> > </property>
>
>
>
> --
> Harsh J
>
Re: hadoop web UI security
Posted by Harsh J <ha...@cloudera.com>.
What you're seeing is the right behavior for the auth type "simple".
It just expects a username, and doesn't do anything other than that -
i.e. there's no passwords/etc. or a user list to cross-reference to.
For securing properly, you'd either need to use kerberos, or develop
your own HTTP auth filter that allows only certain usernames or
expects a password string too/do some other auth mechanism/etc.
On Wed, Sep 11, 2013 at 1:16 PM, Visioner Sadak
<vi...@gmail.com> wrote:
> Hello friends, I'm using the below configuration to hide the Hadoop web UI. The
> problem is that when I access
>
> http://192.34.8.8:50070/ it works properly and blocks access, but when I
> use
>
>
> http://192.34.8.8:50070/dfshealth.jsp?user.name=blahblahh(anyusername)......
> it fails and allows access even if I set my signature
> username as hadoopuser.
>
> It's allowing access for any username.
>
>
> <property>
> <name>hadoop.http.filter.initializers</name>
> <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.type</name>
> <value>simple</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.token.validity</name>
> <value>60</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.signature.secret.file</name>
> <value>/home/hadoop/hadoop-0.23.3/conf/security/username</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.cookie.domain</name>
> <value>
> </value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.simple.anonymous.allowed</name>
> <value>false</value>
> </property>
--
Harsh J
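The Kerberos option from the reply above, as a core-site.xml fragment. This is an added example, not part of the original thread and not the poster's configuration. The realm EXAMPLE.COM and both file paths are placeholders; the property names are the ones documented on the HttpAuthentication page linked in the thread.

```xml
<!-- Added example: SPNEGO/Kerberos for the Hadoop web UIs.
     EXAMPLE.COM and the file paths are placeholders, not values from the thread. -->

<property>
  <name>hadoop.http.filter.initializers</name>
  <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>

<!-- Weak setting from the thread: with "simple", the filter trusts whatever
     ?user.name= claims. There is no password and no user list.
     <value>simple</value>
-->
<property>
  <name>hadoop.http.authentication.type</name>
  <value>kerberos</value>
</property>

<!-- The service principal must start with HTTP/ (SPNEGO requirement);
     _HOST is replaced with the bind address of the HTTP server. -->
<property>
  <name>hadoop.http.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@EXAMPLE.COM</value>
</property>

<!-- Keytab holding the HTTP/ principal above; readable only by the
     account that runs the daemon. -->
<property>
  <name>hadoop.http.authentication.kerberos.keytab</name>
  <value>/etc/security/keytabs/http.keytab</value>
</property>

<!-- This file holds the secret used to sign the authentication cookie.
     It is not a username and not an allow-list. Fill it with random bytes,
     use the same file on every node, and restrict its permissions. -->
<property>
  <name>hadoop.http.authentication.signature.secret.file</name>
  <value>/etc/hadoop/conf/http-auth-signature-secret</value>
</property>

<!-- Lifetime of the signed cookie, in seconds. -->
<property>
  <name>hadoop.http.authentication.token.validity</name>
  <value>36000</value>
</property>

<!-- Only consulted when the type is "simple"; kept false so a fallback
     to "simple" never admits requests without user.name. -->
<property>
  <name>hadoop.http.authentication.simple.anonymous.allowed</name>
  <value>false</value>
</property>
```

With this in place, a request that carries only ?user.name= gets a 401 with a Negotiate challenge, and the browser or client needs a valid Kerberos ticket to proceed.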
Re: hadoop web UI security
Posted by Visioner Sadak <vi...@gmail.com>.
Any hints, hadoopers? We have a prod deployment today & my manager is
killing me .......................
On Wed, Sep 11, 2013 at 1:16 PM, Visioner Sadak <vi...@gmail.com> wrote:
> Hello friends, I'm using the below configuration to hide the Hadoop web UI. The
> problem is that when I access
>
> http://192.34.8.8:50070/ it works properly and blocks access, but when
> I use
>
>
> http://192.34.8.8:50070/dfshealth.jsp?user.name=blahblahh(anyusername)......
> it fails and allows access even if I set my signature
> username as hadoopuser.
>
> It's allowing access for any username.
>
>
> <property>
> <name>hadoop.http.filter.initializers</name>
> <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.type</name>
> <value>simple</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.token.validity</name>
> <value>60</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.signature.secret.file</name>
> <value>/home/hadoop/hadoop-0.23.3/conf/security/username</value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.cookie.domain</name>
> <value>
> </value>
> </property>
>
> <property>
> <name>hadoop.http.authentication.simple.anonymous.allowed</name>
> <value>false</value>
> </property>
>