Optional Step 10: Configuring a secure HDFS NFS Gateway

To deploy a Kerberized HDFS NFS gateway, add the following configuration properties to hdfs-site.xml on the NFS server.

<property>
  <name>dfs.nfs.keytab.file</name>
  <value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS or NFS gateway keytab -->
</property>

<property>
  <name>dfs.nfs.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>

Potential Insecurities with a Kerberized NFS Gateway

When configuring an NFS gateway in a secure cluster, the gateway accesses the contents of HDFS using the HDFS service principal. Authorization for end users, however, is handled by comparing the end user's UID/GID against the UID/GID of the files on the NFS mount; Kerberos is not involved in authenticating the end user at all.

Because HDFS metadata doesn't have any UIDs/GIDs, only names and groups, the NFS gateway maps user names and group names to UIDs and GIDs. The user names and group names used for this mapping are derived from the local users of the host where the NFS gateway is running. The mapped IDs are then presented to the NFS client for authorization. The NFS client performs the authorization locally, comparing the UID/GID presented by the NFS Gateway to the IDs of the users on the remote host.

The main risk with this procedure is that it is quite possible to create local users whose UIDs match those associated with a superuser. For example, users with access to HDFS can view the directories that belong to the hdfs user, and they can also read the underlying metadata to obtain the associated UID. Assuming the directories owned by hdfs have their UID set to xyz, a malicious user could create a new local user on the NFS gateway host with the UID set to xyz. This local user is then able to freely access the hdfs user's files.

Solutions:
  • Set the NFS Gateway property, Allowed Hosts and Privileges, to allow only those NFS clients that are trusted and managed by the Hadoop administrators.
    1. Go to the Cloudera Manager Admin Console and navigate to the HDFS service.
    2. Click the Configuration tab.
    3. Select Scope > NFS Gateway.
    4. Select Category > Main.
    5. Locate the Allowed Hosts and Privileges property and set it to a list of trusted host names and access privileges (ro - read-only, rw - read/write). For example:
      192.168.0.0/22 rw
      host1.example.org ro
      The current default setting of this property is * rw, which is a security risk because it lets everybody map the NFS export in read-write mode.
    6. Click Save Changes to commit the changes.
  • Specify a user with restricted privileges for the dfs.nfs.kerberos.principal property, so that the NFS gateway has limited access to the NFS contents. The current default setting for this property is hdfs/_HOST@YOUR-REALM.COM, which gives the NFS gateway unrestricted access to HDFS.
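As an added illustration (not Cloudera's or Hadoop's own code), the following Python evaluates an Allowed Hosts and Privileges list written in the "host privilege" line format shown above, resolves which privilege a given client would get, and flags the insecure default. It assumes entries are separated by newlines or semicolons, that a pattern is either *, a CIDR block or an exact host name, and that the first matching entry wins; the gateway's real matching rules may differ.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample, in the format shown in the procedure above.
SAMPLE_EXPORTS = """192.168.0.0/22 rw
host1.example.org ro"""

# The default described on the page: every client gets read-write access.
DEFAULT_EXPORTS = "* rw"


def parse_exports(text: str) -> List[Tuple[str, str]]:
    """Parse '<*|CIDR|hostname> <ro|rw>' entries separated by newlines or ';'
    (assumption: both separators are accepted here)."""
    entries = []
    for raw in text.replace(";", "\n").splitlines():
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split()
        if len(parts) != 2 or parts[1] not in ("ro", "rw"):
            raise ValueError(f"malformed export entry: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries


def _matches(pattern: str, client: str) -> bool:
    """Match a client IP or host name against one export pattern."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client) in net
    except ValueError:
        # Not a CIDR block (or client is a host name): exact name comparison.
        return pattern.lower() == client.lower()


def privilege_for(entries: List[Tuple[str, str]], client: str) -> Optional[str]:
    """Return 'ro', 'rw', or None when the client is not exported to at all
    (assumption: first matching entry wins)."""
    for pattern, priv in entries:
        if _matches(pattern, client):
            return priv
    return None


def audit(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return entries that grant read-write access to every client."""
    return [e for e in entries if e[0] == "*" and e[1] == "rw"]
```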