Controlling Network Access for Services That Are Not in Availability Domains
When a cluster is hosted in a data center that is not in an availability domain, network access to services is controlled through whitelists. Access is allowed only on ports 22 (SSH), 7183 (Cloudera Manager), and 8888 (Hue and Oracle Big Data Manager).
A whitelist configuration specifies whether network requests from specified clients are accepted or denied for services on specified ports. When a client attempts to connect, iptables looks for a matching client IP address or range of IP addresses in the whitelist for that port. If it does not find one, it applies the default action for the port.
You must have administrative privileges to configure whitelists.
Services That Can Be Added to the Whitelist
The following table shows the services that can be configured through the whitelist, their default port numbers, and the default access enforced through the whitelist:
Service | Port | Default Access |
---|---|---|
Cloudera Manager | 7183 | Deny access |
Hue | 8888 | Deny access |
Oracle Big Data Manager | 8888 (same port as Hue) | Deny access |
Secure Shell (SSH) | 22 | Allow access |
Managing the Whitelist With the bdacli bdcs_whitelist Command
Use the bdacli bdcs_whitelist command to manage the whitelist configuration for a cluster.
Run the command as the root user on the primary host of the cluster. To find out which node is the primary host, connect to any node and enter bdacli getinfo cluster_primary_host. For example:
# bdacli getinfo cluster_primary_host
host1891
bdacli bdcs_whitelist Usage
Syntax
bdacli bdcs_whitelist parameters
Parameters
The following table describes the parameters for the bdacli bdcs_whitelist command.
Parameter | Description |
---|---|
reset_default_config | Resets the whitelist files to empty and applies the default configuration: all incoming traffic to the ports controlled by the whitelist is denied, except SSH, which allows all traffic. Only ports controlled by the whitelist are affected; all other iptables rules are left untouched. |
reload_config | Deletes all iptables rules on the ports controlled by the whitelist files and reprocesses the contents of the whitelist files. If the files are empty, the default configuration is applied. If there are one or more entries, all traffic on the controlled ports is denied except what the files allow. |
allow service ip/range | Adds an IP address or a range of IP addresses to the whitelist of the named service and runs an |
deny service ip/range | Removes an IP address or a range of IP addresses from the whitelist of the named service and runs an |
Variables
The following table describes the variables for the bdacli bdcs_whitelist allow and bdacli bdcs_whitelist deny commands.
Variable | Description |
---|---|
service | The service whose whitelist is changed. The service names used in the examples in this document are cloudera_manager, hue, and all; all applies the entry to every service controlled by the whitelist. |
ip/range | A single client IP address (for example, 198.51.100.48) or a range of IP addresses. |
Example
# bdacli bdcs_whitelist allow cloudera_manager 198.51.100.48
BDCS Network Services Firewall & Whitelist
host1891.us.example.com
host1892.us.example.com
host1893.us.example.com
host1894.us.example.com
host1895.us.example.com
In the above example:
- bdacli bdcs_whitelist allow cloudera_manager specifies that Cloudera Manager will accept requests from the specified client IP address.
- 198.51.100.48 specifies that the client with that IP address will be allowed access to the service.
- host1891.us.example.com through host1895.us.example.com are the host names of the nodes of the cluster.
Opening the Port for Big Data Manager
Big Data Manager uses the same port as Hue (8888). Therefore, opening the port for Hue also opens it for Big Data Manager: there is no way to allow a client for one of the two without allowing it for the other. For example, either of the following commands enables Big Data Manager as well as Hue:
bdacli bdcs_whitelist allow hue 198.51.100.48
bdacli bdcs_whitelist allow all 198.51.100.48
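The following Python model is an added example, not part of this document or of the bdacli tool. It models the behaviour described above: per-port whitelist entries consulted before a default action, the reset_default_config and reload_config semantics from the parameter table, the all service, and Hue and Big Data Manager sharing port 8888. The service labels big_data_manager and ssh, the iptables rule layout, and the addresses 198.51.100.0/24 and 203.0.113.5 are assumptions for the example; only cloudera_manager, hue, all and 198.51.100.48 come from the page.

```python
import ipaddress
from typing import Dict, List

# Services controlled by the whitelist, their ports and the default action when
# no entry matches, as given in the service table on this page. The labels
# cloudera_manager, hue and all are the ones the page's examples use;
# big_data_manager and ssh are labels assumed for this model only.
SERVICES: Dict[str, dict] = {
    "cloudera_manager": {"port": 7183, "default": "DROP"},
    "hue":              {"port": 8888, "default": "DROP"},
    "big_data_manager": {"port": 8888, "default": "DROP"},  # shares Hue's port
    "ssh":              {"port": 22,   "default": "ACCEPT"},
}
CONTROLLED_PORTS = sorted({s["port"] for s in SERVICES.values()})


class Whitelist:
    """In-memory model of the per-port whitelist that bdcs_whitelist maintains."""

    def __init__(self) -> None:
        # port -> allowed networks; a single host is stored as a /32 network
        self.entries: Dict[int, list] = {}

    @staticmethod
    def _targets(service: str) -> List[str]:
        if service == "all":            # "all" applies to every service
            return list(SERVICES)
        if service not in SERVICES:
            raise ValueError(f"unknown service: {service}")
        return [service]

    def allow(self, service: str, ip_or_range: str) -> None:
        """bdcs_whitelist allow <service> <ip/range>"""
        net = ipaddress.ip_network(ip_or_range, strict=False)
        for name in self._targets(service):
            nets = self.entries.setdefault(SERVICES[name]["port"], [])
            if net not in nets:
                nets.append(net)

    def deny(self, service: str, ip_or_range: str) -> None:
        """bdcs_whitelist deny <service> <ip/range>"""
        net = ipaddress.ip_network(ip_or_range, strict=False)
        for name in self._targets(service):
            port = SERVICES[name]["port"]
            remaining = [n for n in self.entries.get(port, []) if n != net]
            if remaining:
                self.entries[port] = remaining
            else:
                self.entries.pop(port, None)   # an empty list counts as "no entry"

    def reset_default_config(self) -> None:
        """bdcs_whitelist reset_default_config: files emptied, defaults applied."""
        self.entries.clear()

    def _default(self, port: int) -> str:
        # reload_config semantics from the page: with the files empty the table
        # defaults apply; with one or more entries present, every controlled
        # port is denied except what the entries allow.
        if self.entries:
            return "DROP"
        return next(s["default"] for s in SERVICES.values() if s["port"] == port)

    def decide(self, port: int, client_ip: str) -> str:
        """What iptables does with a new connection from client_ip to port."""
        if port not in CONTROLLED_PORTS:
            return "UNCONTROLLED"           # not touched by the whitelist
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.entries.get(port, [])):
            return "ACCEPT"
        return self._default(port)

    def iptables_rules(self) -> List[str]:
        """Render the model as iptables rules: allow entries, then the default.
        The real tool's chain layout is not shown on the page; this is only the
        shape of the policy it describes."""
        rules: List[str] = []
        for port in CONTROLLED_PORTS:
            for net in self.entries.get(port, []):
                rules.append(f"-A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
            rules.append(f"-A INPUT -p tcp --dport {port} -j {self._default(port)}")
        return rules


if __name__ == "__main__":
    # Reproduces the page's example, then shows the shared-port effect.
    wl = Whitelist()
    wl.allow("cloudera_manager", "198.51.100.48")   # address from the page
    wl.allow("hue", "198.51.100.0/24")              # constructed range
    for rule in wl.iptables_rules():
        print("iptables", rule)
    print("BDM on 8888 from 198.51.100.200:", wl.decide(8888, "198.51.100.200"))
```

Two points the model makes visible. First, as the parameter table describes reload_config, once the whitelist holds any entry the controlled ports are all default-deny, including port 22, so the SSH "allow all traffic" default only applies to an empty whitelist; if that is how your cluster behaves, allow your administrative host before adding anything else. Second, an entry for hue and an entry for big_data_manager land in the same per-port list, so a deny for one removes access for both.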