Threat Finder

Threat ID
2779
Threat Date
06/19/2013
Threat Name
ACL for job and queue operations is not enabled
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
Hadoop
Category
Improper Access Controls
Versions
All versions of Hadoop
Summary
Hadoop should be configured to enable ACL (Access Control List) for job and queue operations.
Overview
The mapred.acls.enabled configuration parameter specifies whether ACLs are checked to authorize users for queue-level and job-level operations. ACLs are disabled by default. When enabled, the JobTracker and TaskTracker perform access control checks on queue operations, such as submitting a job to a queue or killing a job in the queue, and on job operations, such as viewing job details or modifying a job, whether the request arrives through the Map/Reduce APIs, RPCs, the console or the web user interfaces.

Irrespective of the job ACLs configured, however, a job's owner, the superuser, the cluster administrators (mapreduce.cluster.administrators) and the administrators of the queue to which the job was submitted (mapred.queue.queue-name.acl-administer-jobs) always have access to view and modify the job.
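The check described above can be scripted; the following is an added example, not part of the original entry or of any vendor fix script. It assumes the properties are in standard Hadoop `<configuration>` XML, uses constructed sample input that places the queue ACL in the same file for brevity, and its function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: mapred.acls.enabled is absent, so the default applies.
SAMPLE_WEAK = """<configuration>
  <property><name>mapred.job.tracker</name><value>jt.example.internal:8021</value></property>
</configuration>"""

# Constructed sample: ACL checks are on, but one always-allowed ACL is a wildcard.
SAMPLE_ENABLED = """<configuration>
  <property><name>mapred.acls.enabled</name><value>true</value></property>
  <property><name>mapreduce.cluster.administrators</name><value>hadoopadmin ops</value></property>
  <property><name>mapred.queue.default.acl-administer-jobs</name><value>*</value></property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} from Hadoop configuration XML (last definition wins here)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""
    return props

def audit_job_acls(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    props = load_properties(xml_text)
    findings = []
    # ACLs are disabled by default, so a missing property is a finding too.
    # Strict match: any value other than the literal "true" is reported.
    if props.get("mapred.acls.enabled", "false").strip() != "true":
        findings.append("mapred.acls.enabled is not true: job and queue ACLs are not checked")
    # Cluster and queue administrators can always view and modify jobs,
    # so a "*" (all users) value in those ACLs bypasses the job ACLs.
    for name, value in sorted(props.items()):
        is_admin_acl = name == "mapreduce.cluster.administrators" or (
            name.startswith("mapred.queue.") and name.endswith(".acl-administer-jobs"))
        if is_admin_acl and value.strip() == "*":
            findings.append(name + " is '*': every user can view and modify jobs")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("enabled", SAMPLE_ENABLED)):
        print(label, audit_job_acls(text) or "no findings")
```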
References
http://hadoop.apache.org/docs/stable/cluster_setup.html
http://hadoop.apache.org/docs/stable/mapred_tutorial.html#Job+Authorization
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
