Security

Known issues with security.

When using LDAP to authenticate users do not leave LDAP Business User Groups field empty

When using LDAP to authenticate users, if the LDAP Business User Groups Group(s) field is left empty, then ALL users within the LDAP organization will be able to log into CDSW. This only happens on brand new CDSW 1.10 installations. Upgraded clusters should not see this Business Users feature.

Workaround:

Set the LDAP Business User Groups Group(s) field to an existing group or, if you are not using this feature, to a group name that does not exist in LDAP.

Cloudera Bug: DSE-20519

Using TLS 1.0 and 1.1 to access CDSW is not recommended

Using TLS 1.0 or 1.1 to access CDSW is not recommended. This functionality is deprecated and may be removed in a future version.

Cloudera Bug: DSE-16534

Working in the terminal or an editor should not count as idle session

If a user opens a workbench and is either working exclusively in the terminal or just editing files, Cloudera Data Science Workbench counts that time as idle time and the user gets kicked out after the configured max idle timeout.

Workaround:
  • Increase the idle session timeout by adding a new environmental variable, IDLE_MAXIMUM_MINUTES. Click CDSW > Project > Settings > Environmental variables.

    Note: This approach requires you to keep your containers running.

    You can set the value of the variables IDLE_MAXIMUM_MINUTES or SESSION_MAXIMUM_MINUTES to their maximum allowed value, which is 35000 (~3 weeks).

  • Alternatively, run a simple script inside the CDSW session to keep the session alive. Open Cloudera Data Science Workbench, create a file with the following contents (assuming a Python project), and then run it in the Workbench.
    import time
    # Keep a process running in the session; sleep for 10000 seconds (about 2.8 hours).
    time.sleep(10000)

Cloudera Bug: DSE-3080

SSH access to Cloudera Data Science Workbench hosts must be disabled

The container runtime and application data storage is not fully secure from untrusted users who have SSH access to the gateway hosts. Therefore, SSH access to the gateway hosts for untrusted users should be disabled for security and resource utilization reasons.

TLS/SSL

  • Self-signed certificates where the Certificate Authority is not part of the user's trust store are not supported for TLS termination.

  • Cloudera Data Science Workbench does not support the use of encrypted private keys for TLS.

    Cloudera Bug: DSE-1708

  • A "certificate has expired" error displays when you log in to the Cloudera Data Science Workbench web UI. This issue can occur if Cloudera Data Science Workbench exceeds 365 days of continuous uptime because the internal certificate for Kubernetes expires after 1 year.

    Workaround: Restart the Cloudera Data Science Workbench deployment.
    • For CSD installations, restart the Cloudera Data Science Workbench service in Cloudera Manager.
    • For RPM installations, run the following command on the Master host:
      cdsw restart
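    Because the "certificate has expired" failure above only surfaces at login time, it is worth checking certificate lifetime from outside the deployment. The following script is an added example, not part of this page or of the CDSW product: it fetches the certificate presented by the endpoint you point it at (the hostname `cdsw.example.com` is a placeholder) with verification left on, reports the days left until `notAfter`, and treats a verification failure as the signal to restart the deployment as described above. Which certificate the web UI presents depends on your TLS termination setup, so the endpoint you check is an assumption.

```python
import socket
import ssl


def parse_cert_time(cert_time: str) -> float:
    """Convert the 'notAfter' string returned by ssl.getpeercert()
    (for example 'Jan  1 00:00:00 2030 GMT') into seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now: float) -> int:
    """Whole days remaining before not_after; negative once the certificate has expired."""
    return int((parse_cert_time(not_after) - now) // 86400)


def assess(days_left: int, warn_days: int = 30) -> str:
    """Classify the remaining lifetime; warn_days is a constructed threshold."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the notAfter field of the certificate presented at host:port.
    Verification stays enabled, so an expired certificate (or a self-signed
    certificate whose CA is not in the trust store) raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    import time

    # Placeholder hostname; pass the real CDSW web UI host as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "cdsw.example.com"
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: verification failed ({exc.verify_message}); "
              "if the certificate has expired, restart the CDSW deployment")
        sys.exit(2)
    days = days_until_expiry(not_after, time.time())
    print(f"{host}: certificate expires {not_after} ({days} days left) -> {assess(days)}")
```

    Run it from a monitoring host with `python3 check_cdsw_cert.py <cdsw-host>`; a non-zero exit or a `WARN` result gives you time to schedule the restart before the 365-day mark rather than discovering the expiry at the login page.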

Kerberos

  • Upon installation, you might encounter a "Missing Kerberos Credentials" error. This error will prevent the CDSW Master Role from starting.

    Workaround: You can regenerate Kerberos credentials by going to Cloudera Manager > Admin > Security > Kerberos Credentials > Regenerate.

    Cloudera Bug: DSE-16313

  • Using Kerberos plugin modules in krb5.conf is not supported.

  • Modifying the default_ccache_name parameter in krb5.conf does not work in Cloudera Data Science Workbench. Only the default path for this parameter, /tmp/krb5cc_${uid}, is supported.

  • PowerBroker-equipped Active Directory is not supported.

    Cloudera Bug: DSE-1838

  • When you upload a Kerberos keytab to authenticate yourself to the CDH cluster, Cloudera Data Science Workbench might display a fleeting error message ('cancelled') in the bottom right corner of the screen, even if authentication was successful. This error message can be ignored.

    Cloudera Bug: DSE-2344
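  The two krb5.conf restrictions above (no plugin modules, and default_ccache_name left at its default /tmp path) are easy to miss in a file that is usually managed centrally. The following linter is an added example and not Cloudera's code: it parses the krb5.conf stanza format (sections in square brackets, nested `key = { ... }` groups) and reports a finding for a [plugins] section or for a default_ccache_name that is not the /tmp/krb5cc_${uid} default. The sample configuration embedded in it is constructed, and the accepted spellings of the default path (with or without the FILE: prefix, with ${uid} or %{uid}) are an assumption on my part.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample krb5.conf that trips both checks (not taken from any real cluster).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # Moving the credential cache out of /tmp is not supported by CDSW.
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[plugins]
    localauth = {
        module = mylocalauth:/usr/lib/krb5/plugins/authdata/mylocalauth.so
    }
"""

# Constructed sample that should produce no findings.
CLEAN_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
"""

# Assumed set of spellings for the supported default credential-cache path.
SUPPORTED_CCACHE = re.compile(r"^(FILE:)?/tmp/krb5cc_[%$]\{uid\}$")


def parse_krb5_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Flatten krb5.conf into {section: [(dotted.key, value), ...]}.
    Nested '{ }' groups become dotted key prefixes, e.g. realms 'EXAMPLE.COM.kdc'."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    section = None
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue  # blank line or full-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            sections.setdefault(section, [])
            path = []
            continue
        if line == "}":
            if path:
                path.pop()
            continue
        if "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                path.append(key)  # opening a nested group
                continue
            sections[section].append((".".join(path + [key]), value))
    return sections


def lint_krb5_conf(text: str) -> List[str]:
    """Return human-readable findings for settings CDSW does not support."""
    conf = parse_krb5_conf(text)
    findings: List[str] = []
    for key, value in conf.get("libdefaults", []):
        if key == "default_ccache_name" and not SUPPORTED_CCACHE.match(value):
            findings.append(
                f"libdefaults.default_ccache_name={value!r}: only the default "
                f"/tmp/krb5cc_${{uid}} path is supported by CDSW"
            )
    plugins = conf.get("plugins", [])
    if plugins:
        names = sorted({key.split(".")[0] for key, _ in plugins})
        findings.append(
            f"[plugins] section configures {', '.join(names)}: "
            "Kerberos plugin modules are not supported by CDSW"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_krb5_conf(SAMPLE_KRB5_CONF):
        print("FINDING:", finding)
```

  Point the linter at the file CDSW hosts actually use (`lint_krb5_conf(open("/etc/krb5.conf").read())`) before and after any centrally pushed change; a non-empty result explains the "does not work" behaviour described above before users start reporting failed authentication.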