From 459719ea554f4f181d9feb86aacc0ab23fce2dbc Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Wed, 15 Feb 2023 12:04:41 +0100 Subject: [PATCH 1/3] HADOOP-18627 Stronger wording in 'secure mode' intro Make it more clear that when exposing Hadoop to untrusted users, 'secure mode' is not optional. --- .../hadoop-common/src/site/markdown/SecureMode.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md index 98c3dd2bbb9b8..8df1f352447a2 100644 --- a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md @@ -20,7 +20,9 @@ Hadoop in Secure Mode Introduction ------------ -This document describes how to configure authentication for Hadoop in secure mode. When Hadoop is configured to run in secure mode, each Hadoop service and each user must be authenticated by Kerberos. +In its default configuration, we expect you to make sure attackers don't have access to your Hadoop deployment by restricting all network access. If you want to expose Hadoop to untrusted users, you will have to configure authentication for Hadoop in secure mode as described in this document. + +When Hadoop is configured to run in secure mode, each Hadoop service and each user must be authenticated by Kerberos. Forward and reverse host lookup for all service hosts must be configured correctly to allow services to authenticate with each other. Host lookups may be configured using either DNS or `/etc/hosts` files. Working knowledge of Kerberos and DNS is recommended before attempting to configure Hadoop services in Secure Mode. From d5bdea929eaa2027497affe4e9083efa100b8010 Mon Sep 17 00:00:00 2001 
From: Steve Loughran Date: Fri, 17 Feb 2023 16:27:16 +0000 Subject: [PATCH 2/3] tune that introductory sentence --- .../hadoop-common/src/site/markdown/SecureMode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md index 8df1f352447a2..278971044659a 100644 --- a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md @@ -20,7 +20,7 @@ Hadoop in Secure Mode Introduction ------------ -In its default configuration, we expect you to make sure attackers don't have access to your Hadoop deployment by restricting all network access. If you want to expose Hadoop to untrusted users, you will have to configure authentication for Hadoop in secure mode as described in this document. +In its default configuration, we expect you to make sure attackers don't have access to your Hadoop deployment by restricting all network access. If you want any restrictions on who can remotely access data or submit work, you MUST secure authentication and access for your Hadoop cluster as described in this document. When Hadoop is configured to run in secure mode, each Hadoop service and each user must be authenticated by Kerberos. From 6dd305a28684cfc1766e579af862e7b8189834da Mon Sep 17 00:00:00 2001 From: Steve Loughran Date: Fri, 17 Feb 2023 16:28:12 +0000 Subject: [PATCH 3/3] bit more tuning --- .../hadoop-common/src/site/markdown/SecureMode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md index 278971044659a..4ef2cd9291a8a 100644 --- a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md 
@@ -20,7 +20,7 @@ Hadoop in Secure Mode Introduction ------------ -In its default configuration, we expect you to make sure attackers don't have access to your Hadoop deployment by restricting all network access. If you want any restrictions on who can remotely access data or submit work, you MUST secure authentication and access for your Hadoop cluster as described in this document. +In its default configuration, we expect you to make sure attackers don't have access to your Hadoop cluster by restricting all network access. If you want any restrictions on who can remotely access data or submit work, you MUST secure authentication and access for your Hadoop cluster as described in this document. When Hadoop is configured to run in secure mode, each Hadoop service and each user must be authenticated by Kerberos.
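Review bot: In PATCH 1/3, the first added sentence opens "In its default configuration, we expect you to make sure attackers don't have access", so "its" has no antecedent in the sentence, and the reader is never told what the default configuration leaves out. Suggest making Hadoop the subject and naming the gap in the terms the following paragraph already uses, for example: "In its default configuration, Hadoop does not require services or users to be authenticated by Kerberos, so you are expected to keep attackers out by restricting all network access."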
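Review bot: In PATCH 2/3, the rewritten second sentence drops the term "secure mode". It now reads "you MUST secure authentication and access for your Hadoop cluster as described in this document", and the next paragraph then begins "When Hadoop is configured to run in secure mode" without having said that this mode is what the requirement refers to. "Secure authentication and access" is also less specific than the wording it replaces. Suggest keeping the name of the mode, for example: "you MUST configure Hadoop in secure mode as described in this document".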
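Review bot: PATCH 3/3 changes one word in the first sentence ("deployment" to "cluster") on the same line that PATCH 2/3 rewrote a minute earlier, and its subject "bit more tuning" does not say what changed. Suggest squashing it into 2/3, or giving it a subject that names the wording change, so the history shows why the line was touched twice.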