Security
Known issues with security.
CDSW does not allow self-signed certificates
CDSW does not allow customer-managed certificates for Kubernetes.
Cannot uncheck Disabled flag when LDAP or SAML groups enabled
When LDAP or SAML groups are enabled, administrators cannot check or uncheck the Disabled flag on the User Settings screen.
Workaround: When LDAP or SAML groups are used, this flag has no effect; the unchangeable checkbox is a visual glitch and can be ignored.
When using LDAP or SAML to authenticate users, do not leave the LDAP Business User Groups or SAML Business User Groups field empty
When using LDAP or SAML to authenticate users, if the LDAP Business User Groups or the SAML Business User Groups field is left empty, then ALL users in the LDAP or SAML organization are able to log in to CDSW: an empty field is treated as "no group restriction" rather than "no groups allowed". This only happens on brand new CDSW 1.10 installations. Upgraded clusters should not see this Business Users feature.
Workaround: Set the LDAP Business User Groups or the SAML Business User Groups field to an existing group, or, if you are not using this feature, to a group name that does not exist in the directory so that it matches no users.
Cloudera Bug: DSE-20519
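The following model of a group-based login allow-list is an added example, not CDSW's own authentication code. It contrasts the fail-open behaviour this issue describes (an empty group list admits everyone) with a fail-closed check, and shows why pointing the field at a nonexistent group works as a stopgap. The directory entries and group DNs are constructed for the example.

```python
"""Fail-open vs fail-closed group allow-lists (added example, not CDSW code)."""

# Constructed sample: which directory groups each user belongs to.
DIRECTORY = {
    "alice": {"cn=cdsw-users,ou=groups,dc=example,dc=com"},
    "bob":   {"cn=finance,ou=groups,dc=example,dc=com"},
    "carol": set(),
}


def allowed_fail_open(user, business_user_groups):
    """Mirrors the reported behaviour: an empty allow-list is read as
    'no restriction', so every directory user is admitted."""
    if not business_user_groups:
        return True
    return bool(DIRECTORY.get(user, set()) & set(business_user_groups))


def allowed_fail_closed(user, business_user_groups):
    """Hardened form: an empty allow-list admits nobody, and a user whose
    groups do not intersect the allow-list is denied."""
    if not business_user_groups:
        return False
    return bool(DIRECTORY.get(user, set()) & set(business_user_groups))


def audit(business_user_groups):
    """Return the users each policy would admit for a given setting, so an
    administrator can see the blast radius of an empty field before saving it."""
    users = sorted(DIRECTORY)
    return {
        "fail_open": [u for u in users if allowed_fail_open(u, business_user_groups)],
        "fail_closed": [u for u in users if allowed_fail_closed(u, business_user_groups)],
    }


if __name__ == "__main__":
    cdsw_users = "cn=cdsw-users,ou=groups,dc=example,dc=com"
    print("empty field      :", audit([]))
    print("existing group   :", audit([cdsw_users]))
    # The page's stopgap: a group nobody belongs to matches no users,
    # so even the fail-open policy admits nobody.
    print("nonexistent group:", audit(["cn=no-such-group,ou=groups,dc=example,dc=com"]))
```

With an empty list the fail-open policy admits alice, bob and carol while the fail-closed policy admits nobody; the nonexistent-group stopgap closes the hole under either policy, which is why the workaround above is safe to apply.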
Using TLS 1.0 and 1.1 to access CDSW is not recommended
Using TLS 1.0 or 1.1 to access CDSW is not recommended. Support for these protocol versions is deprecated and may be removed in a future release.
Cloudera Bug: DSE-16534
Working in the terminal or an editor should not count as idle session
If a user opens a workbench and works exclusively in the terminal or only edits files, Cloudera Data Science Workbench counts that time as idle time, and the session is ended after the configured maximum idle timeout.
Workaround:
- Increase the idle session timeout by adding a new environment variable, IDLE_MAXIMUM_MINUTES, under CDSW > Project > Settings > Environment variables.
Note: This approach requires you to keep your containers running. You can set IDLE_MAXIMUM_MINUTES or SESSION_MAXIMUM_MINUTES up to the maximum allowed value of 35000 (about three weeks). Raising these limits weakens the idle-timeout protection for every session in the project, so set them no higher than the work requires.
- Alternatively, run a simple script inside the CDSW session to keep the session alive. Open Cloudera Data Science Workbench, create a file as shown here (assuming a Python project), and run it in the Workbench:
import time
time.sleep(10000)  # block for 10000 seconds (about 2 hours 47 minutes) so the session is not counted as idle
Cloudera Bug: DSE-3080
SSH access to Cloudera Data Science Workbench hosts must be disabled
The container runtime and application data storage are not fully isolated from untrusted users who have SSH access to the gateway hosts. Therefore, disable SSH access to the gateway hosts for untrusted users, for both security and resource-utilization reasons.
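One way to verify that a gateway host actually restricts SSH to a trusted administrator group is to audit its sshd_config for an explicit AllowGroups/AllowUsers allow-list, no interactive root login, and key-only authentication. The audit below is an added example, not Cloudera's tooling; the sample configurations and the group name cdsw-admins are constructed for the example.

```python
"""Audit an sshd_config for the controls that keep untrusted users off a host
(added example, not Cloudera's tooling)."""
import re

# Constructed excerpt standing in for /etc/ssh/sshd_config on a gateway host.
SAMPLE_SSHD_CONFIG = """\
# Gateway host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Group cdsw-admins
    PasswordAuthentication no
"""

# Constructed hardened form: only members of cdsw-admins (an assumed group)
# can log in, root cannot log in interactively, and keys are required.
HARDENED_SSHD_CONFIG = """\
Port 22
AllowGroups cdsw-admins
PermitRootLogin no
PasswordAuthentication no
"""


def parse_global_directives(text):
    """Return {keyword: value} for directives before the first Match block.
    Match-scoped settings apply only conditionally, so they do not count
    towards the global restriction. sshd uses the first occurrence of a
    keyword, so later duplicates are ignored."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit_sshd(text, admin_group):
    """Return a list of findings; an empty list means SSH is limited to
    admin_group, root cannot log in interactively, and passwords are off."""
    d = parse_global_directives(text)
    findings = []
    allow_groups = d.get("allowgroups", "").split()
    allow_users = d.get("allowusers", "").split()
    if not allow_groups and not allow_users:
        findings.append("no AllowGroups/AllowUsers: every account with a shell can log in")
    elif allow_groups and admin_group not in allow_groups:
        findings.append(f"AllowGroups does not list {admin_group}: {allow_groups}")
    if d.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: interactive root login is permitted")
    if d.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not disabled: keys are not required")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(cfg, "cdsw-admins") or ["no findings"])
```

The Match block in the sample is deliberately ignored: it only tightens password authentication for the admin group, while the global defaults still let any account with a shell log in, which is the situation this known issue warns about. After editing sshd_config, validate it with sshd -t before reloading the service.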
TLS/SSL
- Self-signed certificates where the Certificate Authority is not part of the user's trust store are not supported for TLS termination.
- Cloudera Data Science Workbench does not support the use of encrypted private keys for TLS.
Cloudera Bug: DSE-1708
- A "certificate has expired" error displays when you log in to the Cloudera Data Science Workbench web UI. This issue can occur if Cloudera Data Science Workbench exceeds 365 days of continuous uptime, because the internal certificate for Kubernetes expires after one year.
Workaround: Restart the Cloudera Data Science Workbench deployment.
- For CSD installations, restart the Cloudera Data Science Workbench service in Cloudera Manager.
- For RPM installations, run the following command on the Master host:
cdsw restart
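Because the internal certificate expires after a fixed lifetime, a deployment that is never restarted will hit this error on a predictable date. The check below, an added example rather than Cloudera's tooling, reads the notAfter line printed by openssl x509 -noout -enddate for whichever certificate you want to watch and reports how many days remain, so the restart can be scheduled before users are locked out. The notAfter value in the block is constructed for the example.

```python
"""Days-to-expiry check for an X.509 notAfter timestamp (added example)."""
import ssl
import sys
import time

# Constructed sample of `openssl x509 -in cert.pem -noout -enddate` output.
SAMPLE_ENDDATE = "notAfter=Jan  5 09:34:43 2018 GMT"


def parse_not_after(enddate_line):
    """Accept 'notAfter=Jan  5 09:34:43 2018 GMT' or the bare timestamp and
    return seconds since the epoch. ssl.cert_time_to_seconds interprets the
    GMT timestamp as UTC."""
    value = enddate_line.strip()
    if value.lower().startswith("notafter="):
        value = value.split("=", 1)[1]
    return ssl.cert_time_to_seconds(value)


def days_remaining(enddate_line, now=None):
    """Fractional days until the certificate expires (negative if expired)."""
    now = time.time() if now is None else now
    return (parse_not_after(enddate_line) - now) / 86400


def check_cert(enddate_line, now=None, warn_days=30):
    """Classify the certificate as 'expired', 'expiring' (within warn_days)
    or 'ok', and return the classification together with the day count."""
    days = days_remaining(enddate_line, now)
    if days < 0:
        return "expired", days
    if days < warn_days:
        return "expiring", days
    return "ok", days


if __name__ == "__main__":
    # Usage: openssl x509 -in cert.pem -noout -enddate | python check_cert.py
    line = sys.stdin.readline() if not sys.stdin.isatty() else SAMPLE_ENDDATE
    status, days = check_cert(line)
    print(f"{status}: {days:.1f} days remaining")
    sys.exit(0 if status == "ok" else 1)
```

The non-zero exit status for 'expiring' and 'expired' lets the script serve directly as a cron or monitoring probe; choose warn_days to leave enough time for a maintenance window in which to restart the deployment.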
Kerberos
- Upon installation, you might encounter a "Missing Kerberos Credentials" error. This error will prevent the CDSW Master Role from starting.
Workaround: You can regenerate Kerberos credentials by going to Cloudera Manager > Admin > Security > Kerberos Credentials > Regenerate.
Cloudera Bug: DSE-16313
- Using Kerberos plugin modules in krb5.conf is not supported.
- Modifying the default_ccache_name parameter in krb5.conf does not work in Cloudera Data Science Workbench. Only the default path for this parameter, /tmp/krb5cc_${uid}, is supported.
- PowerBroker-equipped Active Directory is not supported.
Cloudera Bug: DSE-1838
- When you upload a Kerberos keytab to authenticate yourself to the CDH cluster, Cloudera Data Science Workbench might display a fleeting error message ('cancelled') in the bottom right corner of the screen, even if authentication was successful. This error message can be ignored.
Cloudera Bug: DSE-2344
CDSW must run as root user
Running CDSW as a non-root machine user is not, and will not be, supported. This limitation has been resolved in Private Cloud.
Cloudera is not aware of any security concerns. The root user is required for the Kubernetes and Docker systems and their ability to read from and write to the file system; however, all user sessions and user Docker containers run as the CDSW user, not as root, so end users never obtain root access.
Cloudera Bug: DSE-20519