Controlling Network Access for Services That Are Not in Availability Domains

When a cluster is hosted in a data center that is not in an availability domain, network access to services is controlled through whitelists. Access is allowed only on ports 22 (SSH), 7183 (Cloudera Manager), and 8888 (Hue and Oracle Big Data Manager).

A whitelist configuration specifies whether network requests from specified client addresses are accepted or denied for services on specified ports. When a client attempts to connect, iptables looks in the whitelist for a matching client IP address or range of IP addresses. If it finds none, it applies the default action for that service.

You must have administrative privileges to configure whitelists.

Services That Can Be Added to the Whitelist

The following table shows the services that can be configured through the whitelist, their default port numbers, and the default access enforced through the whitelist:

Service                   Port                      Default Access
Cloudera Manager          7183                      Deny access
Hue                       8888                      Deny access
Oracle Big Data Manager   8888 (same port as Hue)   Deny access
Secure Shell (SSH)        22                        Allow access

Managing the Whitelist With the bdacli bdcs_whitelist Command

Use the bdacli bdcs_whitelist command to manage the whitelist configuration for a cluster.

Run the command as the root user on the primary host of the cluster. To find out what your primary host is, connect to any node and enter bdacli getinfo cluster_primary_host. For example:

# bdacli getinfo cluster_primary_host
host1891

bdacli bdcs_whitelist Usage

Syntax

bdacli bdcs_whitelist parameters

Parameters

The following table describes the parameters for the bdacli bdcs_whitelist command.

Parameter Description

reset_default_config

Resets the whitelist files to empty and applies the default configuration: all incoming traffic to the server is denied except SSH, which allows all traffic. This affects only the ports controlled by the whitelist; all other iptables rules are left untouched.

reload_config

Deletes all iptables rules on the ports controlled by the whitelist files and reprocesses the contents of the whitelist files. If the files are empty, the default configuration is applied. If there are one or more entries, all traffic is denied except from the addresses listed in the files.

allow service ip/range

Adds an IP address or a range of IP addresses to the whitelist of the named service and runs an iptables command to allow access to that service from those IP addresses. See the Variables table, below, for descriptions of the service and ip/range variables.

deny service ip/range

Removes an IP address or a range of IP addresses from the whitelist of the named service and runs an iptables command to deny access to that service from those IP addresses. See the Variables table, below, for descriptions of the service and ip/range variables.

Variables

The following table describes the variables for the bdacli bdcs_whitelist allow and bdacli bdcs_whitelist deny commands.

Variable Description

service

One of the following:

  • cloudera_manager

  • hue

  • ssh

  • all, which applies the command to all of the above services. We recommend that you do not use all, but instead run the command for only the services you need to open. That leaves the critical SSH settings alone (which default to open) unless you explicitly change them. Changing the SSH settings from the default can lock you permanently out of the cluster.

ip/range

One of the following:

  • A single IP address, given as the address itself, for example: 192.0.2.48

  • A range of IP addresses, given in either of the following forms:

    192.0.2.0/24

    192.0.2.0/255.255.255.0

    Both of the above ranges mean 192.0.2.0 to 192.0.2.255 inclusive.

Example

# bdacli bdcs_whitelist allow cloudera_manager 198.51.100.48
BDCS Network Services Firewall & Whitelist
host1891.us.example.com
host1892.us.example.com
host1893.us.example.com
host1894.us.example.com
host1895.us.example.com

In the above example:

  • bdacli bdcs_whitelist allow cloudera_manager specifies that Cloudera Manager will accept requests from the specified client IP addresses.

  • 198.51.100.48 specifies that the client with that IP address will be allowed access to the service.

  • host1891.us.example.com through host1895.us.example.com are the host names of the nodes of the cluster.
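The following guard script is an added example and is not part of bdacli or of the Oracle documentation. It checks the service name and the ip/range argument against the forms the Variables table accepts (a single address, a CIDR prefix, or a dotted netmask, which it also verifies is contiguous) before invoking bdacli bdcs_whitelist allow, refuses the all service unless BDCS_ALLOW_ALL=1 is set (because all also touches the SSH rules), and confirms it is running as root on the primary host reported by bdacli getinfo cluster_primary_host. The function names, the BDCS_ALLOW_ALL and BDCS_DRY_RUN variables, and the assumption that hostname -s matches the primary host name are the example's own.

```shell
#!/bin/sh
# Added example: a guard script around `bdacli bdcs_whitelist allow`.
# Not part of bdacli. Hypothetical assumptions: the BDCS_ALLOW_ALL and
# BDCS_DRY_RUN variables, and that `hostname -s` equals the name printed by
# `bdacli getinfo cluster_primary_host`.

# Return 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac   # no leading zeros (octal ambiguity)
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Pack an already validated dotted quad into a 32-bit integer.
ipv4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a contiguous netmask such as 255.255.255.0.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    m=$(ipv4_to_int "$1")
    inv=$(( ~m & 4294967295 ))          # invert within 32 bits: 0...01...1
    [ $(( (inv + 1) & inv )) -eq 0 ]    # inv + 1 is a power of two only for a contiguous mask
}

# Return 0 if $1 is one of the ip/range forms the whitelist accepts:
# 192.0.2.48, 192.0.2.0/24 or 192.0.2.0/255.255.255.0.
valid_ip_range() {
    spec=$1
    case "$spec" in
        */*)
            addr=${spec%%/*}
            suffix=${spec#*/}
            valid_ipv4 "$addr" || return 1
            case "$suffix" in
                *.*) valid_netmask "$suffix" ;;     # dotted netmask form
                ''|*[!0-9]*) return 1 ;;            # empty or non-numeric prefix
                *) [ "$suffix" -le 32 ] ;;          # CIDR prefix length 0-32
            esac
            ;;
        *)
            valid_ipv4 "$spec"
            ;;
    esac
}

# Accept cloudera_manager, hue and ssh; accept all only when explicitly forced.
valid_service() {
    case "$1" in
        cloudera_manager|hue|ssh) return 0 ;;
        all) [ "${BDCS_ALLOW_ALL:-0}" = 1 ] ;;
        *) return 1 ;;
    esac
}

# whitelist_allow SERVICE IP/RANGE: validate, then print (dry run) or run the command.
whitelist_allow() {
    svc=$1; range=$2
    valid_service "$svc" || { echo "refusing service '$svc' (set BDCS_ALLOW_ALL=1 for all)" >&2; return 2; }
    valid_ip_range "$range" || { echo "invalid ip/range '$range'" >&2; return 2; }
    cmd="bdacli bdcs_whitelist allow $svc $range"
    if [ "${BDCS_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 3; }
    primary=$(bdacli getinfo cluster_primary_host) || return 3
    [ "$(hostname -s)" = "$primary" ] || { echo "run on the primary host ($primary)" >&2; return 3; }
    $cmd
}

# Example invocation (dry run, so it only prints the command it would run):
BDCS_DRY_RUN=1 whitelist_allow cloudera_manager 198.51.100.48
```

Without BDCS_DRY_RUN the script runs the real bdacli command, so keep the dry run while checking arguments and drop it only on the primary host. Rejecting a non-contiguous netmask such as 255.0.255.0 matters because the whitelist describes a single address block, and a malformed mask would otherwise be handed straight to iptables.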

Opening the Port for Big Data Manager

Big Data Manager uses the same port as Hue (8888). Therefore, opening the port for Hue also opens it for Big Data Manager. For example, either of the following commands opens port 8888 for Big Data Manager as well as Hue:

# bdacli bdcs_whitelist allow hue 198.51.100.48
# bdacli bdcs_whitelist allow all 198.51.100.48