Enabling Authorization for HDFS Web UIs

You can enforce authorization for the following HDFS web UIs: the NameNode, DataNode, and JournalNode. To do so, you must have Kerberos authentication for HTTP web consoles and Hadoop Secure Authorization enabled. When both configurations are set, only the hdfs user can access the HDFS web UIs by default. Any other user who attempts to access the web UI will encounter an HTTP 403 error because the user is not authorized to access the page.

For users and groups other than hdfs to access the web UIs, you must add them to hdfs-site.xml with an HDFS Service Advanced Configuration Snippet (Safety Valve).

Perform the following steps to enforce authorization for the HDFS web UIs:

  1. In the Cloudera Manager Admin Console, go to Clusters > <HDFS service>.
  2. Navigate to the Configurations tab and search for the following property: HDFS Service Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml.
  3. Add the following property:
    • Name: dfs.cluster.administrators
    • Value: <comma-separated list of user names and/or group names>
    For example, a sample property might look like this:
    • Name: dfs.cluster.administrators
    • Value: hdfs,admin_user_milton,HTTP,hue,admin_group
    These values would allow the users hdfs, admin_user_milton, HTTP, and hue, as well as the group admin_group, to access the following web UIs: NameNode, DataNode, and JournalNode.

    If you perform the steps under Additional Configuration to restrict access to the /jmx, /stack, /conf, and /metrics servlets, you must add the HTTP user and the Service Monitor Kerberos Principal so that Cloudera Manager can access the /jmx and /metrics servlets.

    You can view the Service Monitor Kerberos Principal by navigating to Cloudera Management Service > Configuration and searching for Role-Specific Kerberos Principal. The default Service Monitor Kerberos Principal is hue.

  4. Save the configuration.
  5. Restart all stale HDFS services.

Additional Configuration

For a higher level of security, you can enforce authorization for the following HDFS web UI servlets, which may contain sensitive data: /jmx, /stack, /conf, and /metrics. When you enforce authorization for the servlets, only the users listed in the dfs.cluster.administrators property can access them.

Cloudera Manager requires access to the /jmx and /metrics servlets and uses the HTTP user as well as the Service Monitor Kerberos Principal to access them. Make sure to add both users to dfs.cluster.administrators as described in Enabling Authorization for HDFS Web UIs.

Perform the following steps to enforce authorization for the servlets:

  1. In the Cloudera Manager Admin Console, go to Clusters > <HDFS service>.
  2. Navigate to the Configurations tab and search for the following property: HDFS Service Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml.
  3. Add the following property:
    • Name: hadoop.security.instrumentation.requires.admin
    • Value: true
  4. Save the configuration.
  5. Restart all stale HDFS services.
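
The following check is an added example, not part of the Cloudera documentation or product. It lints an hdfs-site.xml safety valve snippet for the case described above: servlet authorization is enabled but the HTTP user or the Service Monitor Kerberos Principal is missing from dfs.cluster.administrators. The function names, the sample snippet, and the tolerance for either commas or whitespace between names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

ADMINS = "dfs.cluster.administrators"
REQUIRES_ADMIN = "hadoop.security.instrumentation.requires.admin"

# Constructed sample snippet: restricts the servlets but omits the HTTP user.
SAMPLE_SNIPPET = """
<property>
  <name>dfs.cluster.administrators</name>
  <value>hdfs,admin_user_milton,hue,admin_group</value>
</property>
<property>
  <name>hadoop.security.instrumentation.requires.admin</name>
  <value>true</value>
</property>
"""

def parse_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    # Wrap in a synthetic root so a bare list of <property> elements parses.
    root = ET.fromstring(f"<snippet>{xml_text}</snippet>")
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_web_ui_acl(xml_text, service_monitor_principal="hue"):
    """Return findings (strings) for the web UI authorization settings."""
    props = parse_properties(xml_text)
    # Accept commas or whitespace as separators between names.
    names = {n for n in re.split(r"[,\s]+", props.get(ADMINS, "")) if n}
    findings = []
    if not names:
        findings.append(f"{ADMINS} unset: only the hdfs user can open the web UIs")
    if "*" in names:
        # Hadoop ACLs treat '*' as a wildcard for all users.
        findings.append(f"{ADMINS} contains '*': every authenticated user is admitted")
    elif props.get(REQUIRES_ADMIN, "false").lower() == "true":
        for needed in ("HTTP", service_monitor_principal):
            if needed not in names:
                findings.append(f"{needed} missing from {ADMINS}: "
                                "Cloudera Manager loses /jmx and /metrics")
    return findings

if __name__ == "__main__":
    for finding in check_web_ui_acl(SAMPLE_SNIPPET):
        print("FINDING:", finding)
```

Pass the actual Service Monitor Kerberos Principal as service_monitor_principal if it differs from the default, and run the check before saving the configuration and restarting the stale services.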