You can enforce authorization for the following HDFS web UIs: the NameNode, DataNode,
and JournalNode.
You must have Kerberos authentication for HTTP web consoles
and Hadoop Secure Authorization enabled. When both configurations are set, only the
hdfs user can access the HDFS web UIs by default. Any other user
who attempts to access the web UI will encounter an error because the user is not
authorized to access the page.
For users and groups other than hdfs
to access the web UIs, you must add them to hdfs-site.xml with an
HDFS Service Advanced Configuration Snippet (Safety
Valve).
In the Cloudera Manager Admin Console, go to Clusters > <HDFS service>.
Navigate to the Configurations tab and search for the
following property: HDFS Service Advanced
Configuration Snippet (Safety Valve) for hdfs-site.xml.
Add a value for the dfs.cluster.administrators property.
For example, a sample property might look like this:
Name:dfs.cluster.administrators
Description: ACL for admins, this configuration
is used to control who can access the default servlets in the namenode
and so on. The value should be a comma separated list of users and
groups. The user list comes first and is separated by a space followed
by the group list. For example, user1,user2
group1,group2. Both users and groups are optional. So
"user1", " group1",
"", "user1 group1", "user1,user2
group1,group2" are all valid. You must note the leading
space in " group1". '*'
grants access to all users and groups, for example, '',
' ' and ' *'
are all valid.
These values would allow the users and groups to the following web UIs:
NameNode, DataNode, and JournalNode.
