This section provides an overview of security features of the and links to configuration workflows for each area.
The following sections cover how to enhance security for the .
By default, the enforces very limited requirements on password strength.
By default, a password can be a single character with no other requirements. Please configure password requirements.
For more information, see Configure Password Criteria.
As soon as the is operational, you should change the password on the admin account.
See Change Admin Password.
The can integrate with Active Directory at the KDC/Kerberos level or directory level.
NOTE: SSO integration requires set up of an Apache server as a reverse proxy. Instructions are provided in the link below.
See Configure SSO for AD-LDAP.
Whether you use SSO or not, you should consider disabling user self-registration. When self-registration is disabled, an admin must provision individual users. See Configure User Self-Registration.
As needed, you can review and modify various application timeouts, which may need modification to meet your enterprise standards. For more information, see Configure Application Limits.
HTTP Strict-Transport security headers force web browsers to use secure communications when interacting with the server and prevent any communications over insecure HTTP protocol.
Set the following setting to true:
Set the following setting to true:
To enable HTTPS communications with the web application of the , you must create and install an SSL certificate for use by the platform.
NOTE: After you have deployed an SSL certificate, you can enable secure headers and secure cookies to be used by the web application.
See Install SSL Certificate.
If the platform is integrated with an SMTP email server, by default it assumes that the server supports SSL. If not, this capability must be disabled.
NOTE: Access to SMTP server is required for password reset communications.
See Enable SMTP Email Server Integration.
For more information on these parameters, see Configure Application Limits.
For some access logs, you can configure the fields that are included, which permits you to remove sensitive information like IP addresses. For more information, see Configure Logging for Services.
If you are enabling connections to relational databases, you must create and deploy a key file containing the credentials to use for your JDBC sources. These credentials are then used for encrypted access.
NOTE: Encrypted authentication with your JDBC resources is required.
These options security options enhance the security of communications between the and the integrated cluster.
Secure impersonation enables users to securely access the Hadoop cluster through a dedicated user or set of users, which enables use of cluster security features and permissions structures.
NOTE: Secure impersonation requires Kerberos applied to the cluster.
See Configure for Secure Impersonation.
If user access on your Hadoop cluster is secured via Kerberos, you can configure the platform to leverage this cluster security feature.
See Configure for Kerberos Integration.
Hadoop supports the use of encrypted transport to and from the cluster KMS system. Depending on the software distribution, configuration steps may vary.
NOTE: If KMS is enabled on the cluster, you must configure KMS for the regardless of other security features enabled on the cluster.
See Configure for KMS.
Optionally, you can enable SSL connections between the and the cluster's instance of HttpFS. See Enable HttpFS.
You can configure SSL access to Hive. See Configure for Hive.