Threat Finder

Threat ID
2786
Threat Date
07/08/2013
Threat Name
Queue ACL
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Informational
Database Type
Hadoop
Category
Misconfigurations
Versions
All versions of Hadoop
Summary
Hadoop can be configured to allow a list of accounts/groups to act as queue administrators, granting them unrestricted control over the jobs submitted to that queue. These permissions should be present in the system policy and audited by the system admin.
Overview
The mapred.acls.enabled configuration parameter specifies whether ACLs are checked to authorize users for queue-level and job-level operations. ACLs are disabled by default. When enabled, the JobTracker and TaskTracker perform access control checks on user requests for queue operations, such as submitting a job to a queue or killing a job in the queue, and for job operations, such as viewing job details or modifying a job through the Map/Reduce APIs, RPCs, the console, or the web user interfaces.
However, irrespective of the job ACLs configured, a list of accounts/groups can be granted permissions on the jobs submitted to a particular queue.
The names of the queues to which jobs can be submitted are listed in the mapred.queue.names parameter in mapred-site.xml. The Map/Reduce system always supports at least one queue with the name 'default'. Hence, the mapred.queue.names value should always contain the string 'default'.
For each queue, a list of accounts/groups with special permissions can be specified in the file mapred-queue-acls.xml:

mapred.queue.<queue-name>.acl-submit-job: list of users and groups that can submit jobs to the specified queue.

mapred.queue.<queue-name>.acl-administer-job: list of users and groups that can change the priority or kill jobs that have been submitted to the specified queue.

These ACLs should be present in system policy and audited by the system administrator.
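An audit helper, added here as an example and not part of the original advisory or of Hadoop, that lists the accounts and groups named in each queue ACL so they can be compared with the system policy. The sample XML is constructed, and the value format (comma-separated users, a blank, comma-separated groups, `*` for everyone) is assumed from Hadoop's ACL convention.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from a real cluster).
SAMPLE_SITE = """<configuration>
 <property><name>mapred.acls.enabled</name><value>true</value></property>
 <property><name>mapred.queue.names</name><value>default,etl</value></property>
</configuration>"""
SAMPLE_ACLS = """<configuration>
 <property><name>mapred.queue.default.acl-submit-job</name><value>*</value></property>
 <property><name>mapred.queue.etl.acl-administer-job</name><value>alice,bob hadoop-ops</value></property>
 <property><name>mapred.queue.adhoc.acl-administer-job</name><value> admins</value></property>
</configuration>"""
ACL_KEY = re.compile(r"^mapred\.queue\.(?P<queue>.+)\.(?P<op>acl-[\w-]+)$")

def load_props(xml_text):
    """Return {name: value} from a Hadoop <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value") or ""
            for p in root.iter("property")}

def parse_acl(value):
    """Split 'user1,user2 group1,group2' into (users, groups); '*' is everyone."""
    if value.strip() == "*":
        return ["*"], ["*"]
    users, _, groups = value.partition(" ")  # a leading blank means groups only
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return split(users), split(groups)

def audit_queue_acls(site_xml, acls_xml):
    """Return (entries, findings) for review against the system policy."""
    site, acls = load_props(site_xml), load_props(acls_xml)
    queues = [q.strip() for q in site.get("mapred.queue.names", "default").split(",") if q.strip()]
    entries, findings = [], []
    if site.get("mapred.acls.enabled", "false").strip().lower() != "true":
        findings.append("mapred.acls.enabled is not true: ACLs are not checked")
    if "default" not in queues:
        findings.append("mapred.queue.names does not contain 'default'")
    for name, value in sorted(acls.items()):
        m = ACL_KEY.match(name)
        if not m:
            continue
        users, groups = parse_acl(value)
        entries.append({"queue": m["queue"], "op": m["op"], "users": users, "groups": groups})
        if m["queue"] not in queues:
            findings.append(f"{name}: queue not listed in mapred.queue.names")
        if users == ["*"]:
            findings.append(f"{name}: wildcard grants this permission to every account")
    return entries, findings
```

Call `audit_queue_acls` with the contents of mapred-site.xml and mapred-queue-acls.xml; the entries are the list to check against policy, and the findings flag wildcard grants, ACLs for undeclared queues, and disabled ACL checking.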
References
http://archive.cloudera.com/cdh/3/hadoop/mapred_tutorial.html
http://hadoop.apache.org/docs/r0.19.1/cluster_setup.html
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
