Help Center > > User Guide> Security> Security Configuration Suggestions for Clusters with Kerberos Authentication Disabled

Security Configuration Suggestions for Clusters with Kerberos Authentication Disabled

Updated at: Dec 31, 2019 GMT+08:00

The Hadoop community version provides two authentication modes: Kerberos authentication (security mode) and Simple authentication (normal mode). When creating a cluster, you can choose to enable or disable Kerberos authentication.

Clusters in security mode use the Kerberos protocol for security authentication.

In normal mode, MRS cluster components use a native open source authentication mechanism, which is typically Simple authentication. If Simple authentication is used, authentication is automatically performed by a client user (for example, user root) by default when a client connects to a server. The authentication is imperceptible to the administrator or service user. In addition, when being executed, the client may even pretend to be any user (including superuser) by injecting UserGroupInformation. Cluster resource management and data control APIs are not authenticated on the server and are easily exploited and attacked by hackers.

Therefore, in normal mode, network access permissions must be strictly controlled to ensure cluster security. You are advised to perform the following operations to ensure cluster security.

  • Deploy service applications on ECSs in the same VPC and subnet and avoid accessing MRS clusters through an external network.
  • Configure security group rules to strictly control the access scope. Do not configure access rules that allow Any or 0.0.0.0 for the inbound direction of MRS cluster ports.
  • If you want to access the native pages of the components in the cluster from the external, follow instructions in Creating an SSH Channel to Connect an MRS Cluster and Configuring the Browser for configuration.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel