Enable authorization for HDFS web UIs

You can enforce authorization for the following HDFS web UIs: the NameNode, DataNode, and JournalNode.

You must have Kerberos authentication for HTTP web consoles and Hadoop Secure Authorization enabled. When both configurations are set, only the hdfs user can access the HDFS web UIs by default. Any other user who attempts to access the web UI will encounter an error because the user is not authorized to access the page.

For users and groups other than hdfs to access the web UIs, you must add them to hdfs-site.xml with an HDFS Service Advanced Configuration Snippet (Safety Valve).

  1. In the Cloudera Manager Admin Console, go to Clusters > <HDFS service>.
  2. Navigate to the Configurations tab and search for the following property: HDFS Service Advanced Configuration Snippet (Safety Valve) for hdfs-site.xml.
  3. Add a value for the dfs.cluster.administrators property.
    For example, a sample property might look like this:
    • Name: dfs.cluster.administrators
    • Description: ACL for admins, this configuration is used to control who can access the default servlets in the namenode and so on. The value should be a comma separated list of users and groups. The user list comes first and is separated by a space followed by the group list. For example, user1,user2 group1,group2. Both users and groups are optional. So "user1", " group1", "", "user1 group1", "user1,user2 group1,group2" are all valid. You must note the leading space in " group1". '*' grants access to all users and groups, for example, '', ' ' and ' *' are all valid.

    These values would allow the users and groups to the following web UIs: NameNode, DataNode, and JournalNode.

  4. Save the configuration.
  5. Restart all stale HDFS services.