[ https://issues.apache.org/jira/browse/HADOOP-15600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Yang updated HADOOP-15600:
-------------------------------
    Description:
The default settings that restrict the cluster nodes to communicate with peer nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open, which allows any host to impersonate any user.

The proposal is to default the settings to:

{code}
<property>
  <name>hadoop.proxyuser.hdfs.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.groups</name>
  <value>wheel</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.groups</name>
  <value>users</value>
</property>
{code}

This will allow the cluster to default to a closed network and default "users" group to reduce risks.

  was:
The default settings that restrict the cluster nodes to communicate with peer nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open, which allows any host to impersonate any user.

The proposal is to default the settings to:

{code}
<property>
  <name>hadoop.proxyuser.hdfs.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.groups</name>
  <value>users</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.hosts</name>
  <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
</property>
<property>
  <name>hadoop.proxyuser.yarn.groups</name>
  <value>users</value>
</property>
{code}

This will allow the cluster to default to a closed network and default "users" group to reduce risks.
> Set default proxy user settings to non-routable IP addresses and default users group
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-15600
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15600
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Priority: Major
>
> The default settings that restrict the cluster nodes to communicate with peer
> nodes are controlled by: hadoop.proxyuser.[hdfs|yarn].hosts and
> hadoop.proxyuser.[hdfs|yarn].groups. These settings default to open,
> which allows any host to impersonate any user.
> The proposal is to default the settings to:
> {code}
> <property>
>   <name>hadoop.proxyuser.hdfs.hosts</name>
>   <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.hdfs.groups</name>
>   <value>wheel</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.yarn.hosts</name>
>   <value>127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.yarn.groups</name>
>   <value>users</value>
> </property>
> {code}
> This will allow the cluster to default to a closed network and default
> "users" group to reduce risks.