How to protect the web UI on NameNode port 50070?

By default, the NameNode web UI on port 50070 is not protected: HDFS details and the file system (in read-only mode) are open to anyone who can access http://<namenodeServer>:50070

All Hadoop daemons use an embedded Jetty web container to host the JSPs for the web UI.

Version used in the example: Apache Hadoop 2.7.2
1. Go to <hadoop_home>/share/hadoop/hdfs/webapps/hdfs/WEB-INF

2. Edit web.xml

From

    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
    </web-app>

To

    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>explorerRelam</realm-name>
      </login-config>
    </web-app>

3. Create a new file: jetty-web.xml

Copy and paste:

    <Configure class="org.mortbay.jetty.webapp.WebAppContext">
      <Get name="securityHandler">
        <Set name="userRealm">
          <New class="org.mortbay.jetty.security.HashUserRealm">
            <Set name="name">explorerRelam</Set>
            <Set name="config">
              <SystemProperty name="hadoop.home.dir"/>/jetty/etc/realm.properties
            </Set>
          </New>
        </Set>
      </Get>
    </Configure>

4. Create a new file <hadoop_home>/jetty/etc/realm.properties (the folder jetty/etc should be created)

Format:

    Username: password,group

For example:

    tushar: welcome1,admin

5. Access http://IP:50070

6. If only the explorer needs to be protected, use this url-pattern in step 2:

    <url-pattern>/explorer.html/*</url-pattern>

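
A consistency check for the three files from steps 2-4, as an added example that is not part of the original post: it confirms that the realm name in web.xml matches the one in jetty-web.xml, that some user in realm.properties holds the required role, and that the url-pattern covers the whole UI. The function names are hypothetical and the inline samples are constructed from the files above; OBF:, MD5: and CRYPT: are the obfuscated or hashed credential prefixes Jetty accepts in place of a plaintext password.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}   # namespace of the page's web.xml
HASHED = ("OBF:", "MD5:", "CRYPT:")              # Jetty credential prefixes

def parse_realm(text):
    """Parse 'user: credential[,role ...]' lines into {user: (credential, roles)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, rest = line.split(":", 1)
            cred, *roles = [p.strip() for p in rest.split(",")]
            users[user.strip()] = (cred, set(roles))
    return users

def audit(web_xml, jetty_web_xml, realm_text):
    """Return findings; an empty list means the three files are consistent."""
    web, jetty = ET.fromstring(web_xml), ET.fromstring(jetty_web_xml)
    sc = "j:security-constraint/"
    patterns = [e.text.strip() for e in web.findall(sc + "j:web-resource-collection/j:url-pattern", NS)]
    roles = {e.text.strip() for e in web.findall(sc + "j:auth-constraint/j:role-name", NS)}
    if not patterns or not roles:
        return ["web.xml has no security-constraint with a role: UI is open"]
    findings = []
    if "/*" not in patterns:
        findings.append("only %s is protected" % ", ".join(patterns))
    realm = (web.findtext("j:login-config/j:realm-name", "", NS) or "").strip()
    jetty_realm = (jetty.findtext(".//New/Set[@name='name']") or "").strip()
    if realm != jetty_realm:
        findings.append("realm mismatch: web.xml %r vs jetty-web.xml %r" % (realm, jetty_realm))
    users = parse_realm(realm_text)
    if not any(roles & user_roles for _, user_roles in users.values()):
        findings.append("no user holds role %s: nobody can log in" % sorted(roles))
    for user, (cred, _) in users.items():
        if not cred.startswith(HASHED):
            findings.append("plaintext password for %s" % user)
    return findings

# Constructed samples mirroring steps 2-4 (the realm config path is omitted).
WEB_XML = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
<security-constraint><web-resource-collection><web-resource-name>Protected</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>explorerRelam</realm-name></login-config>
</web-app>"""
JETTY_WEB_XML = """<Configure class="org.mortbay.jetty.webapp.WebAppContext"><Get name="securityHandler">
<Set name="userRealm"><New class="org.mortbay.jetty.security.HashUserRealm"><Set name="name">explorerRelam</Set></New></Set></Get></Configure>"""
REALM = "tushar: welcome1,admin"
```

Calling audit(WEB_XML, JETTY_WEB_XML, REALM) on the files exactly as written above reports only the plaintext password stored in realm.properties.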
Reference : https://streever.atlassian.net/wiki/display/HADOOP/2014/03/06/Securing+Hadoop+%28HDP%29+Web+UI+Component's