Hadoop YARN ResourceManager publicly accessible - Vulnerability Database

Hadoop YARN ResourceManager publicly accessible

Description

Apache Hadoop YARN (Yet Another Resource Negotiator) ResourceManager is the central authority that manages cluster resources and schedules distributed applications. This vulnerability occurs when the YARN ResourceManager web interface and API endpoints are exposed to the internet without authentication enabled. By default, Hadoop YARN does not enforce authentication, allowing any user to access the ResourceManager interface and submit or manipulate jobs. Production deployments must implement proper access controls to prevent unauthorized access.

Remediation

Implement the following security controls to protect the YARN ResourceManager:

1. Enable Kerberos Authentication: Configure Hadoop to use Kerberos for strong authentication. Set the following properties in yarn-site.xml:

yarn.resourcemanager.principal=rm/_HOST@REALM
yarn.resourcemanager.keytab=/etc/security/keytabs/rm.service.keytab
yarn.resourcemanager.webapp.spnego-principal=HTTP/_HOST@REALM
yarn.resourcemanager.webapp.spnego-keytab=/etc/security/keytabs/spnego.service.keytab

2. Restrict Network Access: Use firewall rules or security groups to limit access to the ResourceManager ports (default 8088 for web UI, 8032 for client API) to only trusted networks and authorized users.

3. Enable Authorization: Configure YARN ACLs in yarn-site.xml to control administrative access:

yarn.admin.acl=hadoop_admin_group
yarn.acl.enable=true

4. Use Ranger or Sentry: Deploy Apache Ranger or Sentry for fine-grained authorization policies across your Hadoop ecosystem.

5. Enable TLS/SSL: Encrypt communications to the ResourceManager by enabling SSL for the web interface and RPC connections.
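As an added audit check (not part of Invicti's entry or of Hadoop itself), the script below parses a yarn-site.xml and reports which of the controls from steps 1 and 3 are missing or left at an unsafe value; the two sample configurations are constructed for the example, and the note that yarn.admin.acl defaults to "*" reflects Hadoop's documented default.

```python
import xml.etree.ElementTree as ET

# Settings the remediation calls for: expected value, or None for "any non-empty value".
REQUIRED = {
    "yarn.acl.enable": "true",                     # without this, yarn.admin.acl is not enforced
    "yarn.admin.acl": None,                        # Hadoop's default is '*' (every user is admin)
    "yarn.resourcemanager.principal": None,
    "yarn.resourcemanager.keytab": None,
    "yarn.resourcemanager.webapp.spnego-principal": None,
    "yarn.resourcemanager.webapp.spnego-keytab": None,
}

# Constructed sample files for the example, not taken from a real cluster.
INSECURE_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm.example.internal</value></property>
  <property><name>yarn.admin.acl</name><value>*</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>hadoop_admin_group</value></property>
  <property><name>yarn.resourcemanager.principal</name><value>rm/_HOST@REALM</value></property>
  <property><name>yarn.resourcemanager.keytab</name><value>/etc/security/keytabs/rm.service.keytab</value></property>
  <property><name>yarn.resourcemanager.webapp.spnego-principal</name><value>HTTP/_HOST@REALM</value></property>
  <property><name>yarn.resourcemanager.webapp.spnego-keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></property>
</configuration>"""

def parse_yarn_site(xml_text):
    """Return {property name: value} from Hadoop's <configuration><property> layout."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means every listed control is present."""
    props = parse_yarn_site(xml_text)
    findings = []
    for name, expected in REQUIRED.items():
        value = props.get(name, "")
        if not value:
            findings.append(f"{name} is not set")
        elif expected is not None and value.lower() != expected:
            findings.append(f"{name} is '{value}', expected '{expected}'")
    if props.get("yarn.admin.acl") == "*":
        findings.append("yarn.admin.acl is '*': every user is a YARN administrator")
    return findings
```

The Kerberos switch itself (hadoop.security.authentication) and the web UI filter settings live in core-site.xml, so this check covers only the yarn-site.xml properties listed above.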