ACLs are a good way to control roles of users, but in insecure mode users can easily be impersonated, rendering ACLs useless as a 'secure' measure.
On Fri, Sep 28, 2012 at 3:15 PM, Shin Chan <[email protected]> wrote:
> Hello Bertrand,
>
> Thanks for your reply.
>
> Apologies if this confused you. Yes, IP Tables is one of the ways to go, but my
> question is more whether there is configuration within the Hadoop XML files to say
> if this user is there then only allow to see HDFS.
>
> I can see that we can do something for MapReduce jobs using ACL properties
> (old link for 1.x version)
>
> http://hadoop.apache.org/docs/r1.0.3/service_level_auth.html
>
> But do similar properties exist for the HDFS side, where the NameNode can see
> that this client is allowed to connect to the cluster?
>
> Thanks
>
> ----- Original Message -----
> From: Bertrand Dechoux
> Sent: 09/28/12 07:34 PM
> To: [email protected]
> Subject: Re: Securing cluster from access
>
> What you are looking for is not related to Hadoop in the end. It is how to
> restrict requests in a network.
> 'Firewall' is a broad term. iptables can allow you to do so quickly. You
> drop everything and then accept only from a set of IPs.
> You may receive answers using this mailing list, but its purpose is not
> really to discuss firewall solutions and configurations.
>
> Regards
>
> Bertrand
>
> On Fri, Sep 28, 2012 at 11:23 AM, Shin Chan <[email protected]> wrote:
>>
>> Hello,
>>
>> We have a 15-node cluster and right now we don't have Kerberos implemented.
>>
>> But on an urgent basis we want to secure the cluster.
>>
>> Right now anyone who knows the IP of the NameNode can just download the Hadoop jar,
>> configure the XML files and say
>>
>> hadoop fs -ls /
>>
>> And he can see the data.
>>
>> How to stop this?
>>
>> We have Hadoop 2.0 version.
>>
>> Do we have any configuration settings which we can change so that only a set
>> of users or a set of IPs should be able to see the HDFS?
>>
>> We don't have a firewall implemented yet outside the cluster, so that is not an
>> option.
>>
>> Thanks in advance for your help
>
> --
> Bertrand Dechoux
>
> Thanks and Regards,

--
Harsh J
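
An added example, not part of the original thread: a small audit that reads `core-site.xml` and `hadoop-policy.xml` content and flags service-level ACLs that are enforced while authentication is still `simple`, the situation the reply at the top describes. The sample XML is constructed for illustration; the property names are standard Hadoop keys, and the defaults used when a key is absent (`simple`, `false`) are Hadoop's documented defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for illustration (not taken from the thread).
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

HADOOP_POLICY = """<configuration>
  <property><name>security.client.protocol.acl</name><value>alice,bob hdfsusers</value></property>
  <property><name>security.datanode.protocol.acl</name><value>*</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} from a Hadoop *-site.xml style document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(core_site_xml, policy_xml):
    """Return findings about ACLs that rest on unauthenticated identities."""
    core = load_props(core_site_xml)
    policy = load_props(policy_xml)
    # Hadoop defaults when the keys are absent: simple / false.
    authn = core.get("hadoop.security.authentication", "simple").lower()
    authz = core.get("hadoop.security.authorization", "false").lower() == "true"
    # ACL entries that name specific users/groups instead of the "*" wildcard.
    restricted = sorted(k for k, v in policy.items()
                        if k.endswith(".acl") and v != "*")
    findings = []
    if authn != "kerberos":
        findings.append(f"authentication={authn}: client-supplied user names are trusted")
        if authz and restricted:
            findings.append("ACLs enforced on unverified identities: " + ", ".join(restricted))
    if restricted and not authz:
        findings.append("ACLs defined but hadoop.security.authorization is not true")
    return findings

if __name__ == "__main__":
    for line in audit(CORE_SITE, HADOOP_POLICY):
        print("FINDING:", line)
```
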
