Posted to common-dev@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/07/11 23:00:01 UTC

[jira] [Created] (HADOOP-15600) Set default proxy user settings to non-routable IP addresses and default users group

Eric Yang created HADOOP-15600:
----------------------------------

             Summary: Set default proxy user settings to non-routable IP addresses and default users group
                 Key: HADOOP-15600
                 URL: https://issues.apache.org/jira/browse/HADOOP-15600
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: security
            Reporter: Eric Yang


The default settings that restrict which cluster nodes may communicate with peer nodes are controlled by hadoop.proxyuser.[hdfs|yarn].hosts and hadoop.proxyuser.[hdfs|yarn].groups. These settings are open by default, which allows any host to impersonate any user.

The proposal is to default these settings to:

{code}
    <property>
      <name>hadoop.proxyuser.hdfs.hosts</name>
      <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
    </property>

    <property>
      <name>hadoop.proxyuser.hdfs.groups</name>
      <value>users</value>
    </property>

    <property>
      <name>hadoop.proxyuser.yarn.hosts</name>
      <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
    </property>

    <property>
      <name>hadoop.proxyuser.yarn.groups</name>
      <value>users</value>
    </property>
{code}

This will allow the cluster to default to a closed network and the default "users" group, reducing risk.



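An audit check for the settings discussed in this issue, added here as an example (it is not code from the JIRA issue or from Hadoop). It flags any hadoop.proxyuser.* property set to the wildcard and any .hosts entry that falls outside the five ranges in the proposal. The function name, the oozie property and the sample XML are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The five non-routable ranges listed in the proposal.
PROPOSED = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample core-site.xml: hdfs is wide open, yarn follows the proposal,
# and a hypothetical oozie proxy user mixes an internal and an external range.
SAMPLE = """<configuration>
  <property><name>hadoop.proxyuser.hdfs.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hdfs.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.yarn.hosts</name>
    <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value></property>
  <property><name>hadoop.proxyuser.yarn.groups</name><value>users</value></property>
  <property><name>hadoop.proxyuser.oozie.hosts</name><value>10.1.2.0/24,203.0.113.0/24</value></property>
</configuration>"""

def audit_proxyuser(xml_text):
    """Return sorted (property, finding) pairs for proxy-user settings wider than the proposal."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith("hadoop.proxyuser."):
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if "*" in entries:  # wildcard: any host, group or user is accepted
            findings.append((name, "wildcard"))
        elif name.endswith(".hosts"):
            for entry in entries:
                try:
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    continue  # hostname entry, not evaluated by this check
                if not any(net.version == p.version and net.subnet_of(p) for p in PROPOSED):
                    findings.append((name, "outside proposed ranges: " + entry))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_proxyuser(SAMPLE):
        print(name, "->", finding)
```

Hostname entries in a .hosts list are skipped rather than resolved, so they need a separate review.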