[
https://issues.apache.org/jira/browse/HADOOP-15600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16556094#comment-16556094
]
Daryn Sharp commented on HADOOP-15600:
--------------------------------------
*-Infinity*. This would cause a landslide of CVEs. There must be no default
proxy users. Defaults will apply to every service. The exposure from
exploitable systems would be huge. I would never want my clusters configured
in such a nightmarish way.
{quote}These settings are default to be opened which allows any hosts to
impersonate any user.{quote}
First off, this is completely false unless something is terribly broken in 3.x.
There are NO proxy users unless defined. If a proxy user is configured with an
ACL, but has no explicit hosts, it will fail. You must very specifically
configure a proxy user.
bq. This will allow the cluster to default to a closed network and default
"users" group to reduce risks.
Quite the opposite. Proxy users should be tightly controlled. When it comes to
security the default posture must be deny, with specific rules for specific
cases to limit attack vectors. Opening proxy access from entire network ranges
is unfathomable. My proxy definitions specifically list every host. I would
never use a network range, esp. 10.0.0.0/8.
There is no reason for "hdfs" to be a proxy user. While one may think it's ok
because hdfs can access everything anyway, that's false. Allowing hdfs to
proxy will allow the admin to walk right through:
# the "security.hdfs.unreadable.by.superuser" feature
# external access enforcers that restrict the capabilities of hdfs
# kms key ACLs are moot and EZ data is no longer shielded from admins
Letting the RM, and presumably the NMs, be proxy users to all services is a
terrible idea. Steal credentials from one node and it's game over.
> Set default proxy user settings to non-routable IP addresses and default
> users group
> ------------------------------------------------------------------------------------
>
> Key: HADOOP-15600
> URL: https://issues.apache.org/jira/browse/HADOOP-15600
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Priority: Major
>
> The default settings that restrict the cluster nodes to communicating with peer
> nodes are controlled by hadoop.proxyuser.[hdfs|yarn].hosts and
> hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open, which
> allows any host to impersonate any user.
> The proposal is to default settings to:
> {code}
> <property>
>   <name>hadoop.proxyuser.hdfs.hosts</name>
>   <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.hdfs.groups</name>
>   <value>users</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.yarn.hosts</name>
>   <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.yarn.groups</name>
>   <value>users</value>
> </property>
> {code}
> This will allow the cluster to default to a closed network and default
> "users" group to reduce risks.
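Added example (not part of the JIRA thread, and not Hadoop's own DefaultImpersonationProvider): a simplified Python model of the hadoop.proxyuser.* check that the comment and the proposal above argue about. It parses the exact core-site.xml fragment proposed in the issue (wrapped in the `<configuration>` root that core-site.xml requires) and a deny-by-default alternative with explicitly listed hosts, then runs both through the scenarios raised in the comment: no proxy users defined at all, a superuser with groups but no hosts, and stolen hdfs credentials used from an arbitrary 10.x node. The superuser name "httpfs", the group "datasci", and the addresses 10.1.2.3, 10.7.7.7 and 203.0.113.5 are assumptions for illustration. Hostname entries are compared as strings; the real implementation resolves them, which this model deliberately skips so it runs offline.

```python
"""Simplified model of Hadoop's proxy-user (impersonation) authorization.

Added illustration only; it is NOT Hadoop's DefaultImpersonationProvider.
Semantics modelled: a superuser can impersonate only if it has an explicit
hadoop.proxyuser.<superuser>.hosts entry matching the caller's address AND the
impersonated user matches hadoop.proxyuser.<superuser>.users or is in one of
hadoop.proxyuser.<superuser>.groups. Everything else is denied.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

PREFIX = "hadoop.proxyuser."

# Constructed input: the fragment proposed in HADOOP-15600, wrapped in the
# <configuration> root element that core-site.xml requires.
PROPOSED_CORE_SITE = """<configuration>
<property><name>hadoop.proxyuser.hdfs.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value></property>
<property><name>hadoop.proxyuser.hdfs.groups</name><value>users</value></property>
<property><name>hadoop.proxyuser.yarn.hosts</name>
<value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value></property>
<property><name>hadoop.proxyuser.yarn.groups</name><value>users</value></property>
</configuration>"""

# Constructed input: a deny-by-default configuration listing one explicit host.
# The "httpfs" superuser, gateway address 10.1.2.3 and group "datasci" are assumed.
TIGHT_CORE_SITE = """<configuration>
<property><name>hadoop.proxyuser.httpfs.hosts</name><value>10.1.2.3</value></property>
<property><name>hadoop.proxyuser.httpfs.groups</name><value>datasci</value></property>
</configuration>"""


def parse_core_site(xml_text: str) -> dict[str, str]:
    """Return {name: value} for every <property> in a core-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name", default="").strip()
        if name:
            props[name] = prop.findtext("value", default="").strip()
    return props


def _split(value: str) -> set[str]:
    return {v.strip() for v in value.split(",") if v.strip()}


@dataclass
class ProxyUserPolicy:
    hosts: dict[str, set[str]] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(default_factory=dict)
    users: dict[str, set[str]] = field(default_factory=dict)

    @classmethod
    def from_properties(cls, props: dict[str, str]) -> "ProxyUserPolicy":
        policy = cls()
        tables = {"hosts": policy.hosts, "groups": policy.groups, "users": policy.users}
        for name, value in props.items():
            if name.startswith(PREFIX):
                superuser, _, kind = name[len(PREFIX):].rpartition(".")
                if superuser and kind in tables:
                    tables[kind][superuser] = _split(value)
        return policy

    def _host_allowed(self, superuser: str, remote_addr: str) -> bool:
        allowed = self.hosts.get(superuser, set())
        if "*" in allowed:
            return True
        addr = ipaddress.ip_address(remote_addr)
        for entry in allowed:
            try:  # CIDR range or single IP
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # hostname entry: string match only (no DNS here)
                if entry == remote_addr:
                    return True
        return False

    def authorize(self, superuser: str, target_user: str,
                  target_groups: list[str], remote_addr: str) -> bool:
        """True only if superuser may impersonate target_user from remote_addr."""
        # Deny by default: no hosts entry means no impersonation at all, even if
        # a groups/users entry exists ("no explicit hosts ... it will fail").
        if superuser not in self.hosts or not self._host_allowed(superuser, remote_addr):
            return False
        allowed_users = self.users.get(superuser, set())
        allowed_groups = self.groups.get(superuser, set())
        if "*" in allowed_users or "*" in allowed_groups:
            return True
        return target_user in allowed_users or bool(allowed_groups & set(target_groups))


def scenarios() -> dict[str, bool]:
    """Run the situations raised in the discussion through each policy."""
    proposed = ProxyUserPolicy.from_properties(parse_core_site(PROPOSED_CORE_SITE))
    tight = ProxyUserPolicy.from_properties(parse_core_site(TIGHT_CORE_SITE))
    empty = ProxyUserPolicy()  # the shipped default: no hadoop.proxyuser.* at all
    groups_only = ProxyUserPolicy.from_properties({"hadoop.proxyuser.oozie.groups": "*"})
    # "alice" is a member of the default "users" group; 10.7.7.7 is an assumed
    # compromised worker node holding stolen hdfs/yarn credentials.
    return {
        "default_no_proxyusers": empty.authorize("hdfs", "alice", ["users"], "10.7.7.7"),
        "groups_but_no_hosts": groups_only.authorize("oozie", "alice", ["users"], "10.1.2.3"),
        "proposed_hdfs_any_10_host": proposed.authorize("hdfs", "alice", ["users"], "10.7.7.7"),
        "proposed_yarn_any_10_host": proposed.authorize("yarn", "alice", ["users"], "10.7.7.7"),
        "proposed_offnet_host": proposed.authorize("hdfs", "alice", ["users"], "203.0.113.5"),
        "tight_gateway": tight.authorize("httpfs", "alice", ["datasci"], "10.1.2.3"),
        "tight_wrong_host": tight.authorize("httpfs", "alice", ["datasci"], "10.7.7.7"),
        "tight_wrong_group": tight.authorize("httpfs", "bob", ["users"], "10.1.2.3"),
        "tight_hdfs_not_proxy": tight.authorize("hdfs", "alice", ["datasci"], "10.1.2.3"),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'deny'}")
```

With nothing configured every request is denied, which is the stock behaviour the comment describes. Under the proposed defaults any host in 10.0.0.0/8 holding hdfs or yarn credentials can impersonate every member of "users", so one compromised node is enough. Under the explicit-host policy only the listed gateway address succeeds, and hdfs itself is not a proxy user at all.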
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)