Securing Web User Interfaces of Cloudera Data Platform (CDP) Services via Apache Httpd Reverse Proxy

It’s an HTTP Server built by Apache Foundation. HTTP Stands for Hypertext Transfer Protocol, which decodes Hypertext and Multimedia documents through a server-side program. An HTTP daemon (background process) program runs and serves the requests from any HTTP client like a Web Browser. It is important to note that Apache HTTP Server can only serve static content like text or media that doesn’t change during the web page loading. To serve the dynamic content via scripts technologies/protocols like Common Gateway Interface (CGI), Java Server Pages (JSP), etc. are being used.

What Are Apache Modules?

As stated above, Apache HTTP Server is a basic web server that can be used to serve non-dynamic content. Still, it also doesn’t provide any functionalities like Authentication, Encryption of requests, Logging, Support, SSL, Heartbeat, LDAP, Caching, etc. So, it provides special program modules to extend the core Apache HTTP Server's functionality.

What Are Apache mod_ldap Module and mod_authnz_ldap.so Module?

Lightweight Directory Access Protocol (LDAP) is used to store the database of principals (users, organizations, functional IDs, service accounts, etc.). It has a server that supports LDAP. mod_ldap is an Apache module that provides the core functionality of LDAP to the Apache Server. Similarly, mod_authnz_ldap is another module that allows the LDAP directory to store the database for basic authentication for these principals.

What Is the Problem With Cloudera Data Platform Web Services?

Cloudera Data Platform (CDP) is a Big Data Platform that provides open source services like Hadoop, YARN, Spark, Impala, HUE, Hive, Kafka, NiFi, etc., for Data Warehousing, Real-Time Data Processing, Data Analytics, Machine Learning, Scalability, Security and a lot of other advances features. A lot of these services expose web user interfaces (Web UIs), which provide static content but are not controlled by any authentication mechanisms whatsoever and hence are against the overall security governance best practices.

How Apache Modules Can Help

Apache LDAP modules help control the authentication of these services and also ensure that access to these Web UIs is done by authorized individuals only.  Below are some of the best practices that need to be used to secure these Web UIs.

• For any existing CDP service, identify the port or list of ports where the Web UI can be accessed.
• Ensure that all these Web UIs are SSL/TLS enabled.
• Add the authentication using Apache HTTP modules to enable the authentication and authorization.

Demonstration With Code

Let us enable the authentication for the Hadoop Datanode Web User Interface. Datanode UI works on the port number 50075, and when SSL/TLS is enabled, the port number changes to 50470.

The process to enable it is done via reverse proxy, which is done by installing and configuring Apache HTTP Server, Apache LDAP modules mentioned above, and enabling software firewalls (IPTables).

Operating System: RedHat Enterprise Linux/CentOS 7.9

Cloudera Data Platform: v7.x 

Below are the steps to enable this.

1. Install the httpd server.

yum -y install httpd

2. Install the ldap_mod packages required for authentication.

   yum -y install ldap_mod

3. Install the iptables services package

yum -y install iptables-services

4. Create a file and give it any name, we are calling it datanode.conf. The contents of this file are mentioned below. Place this file in directory /etc/httpd/conf.d/

#Port for Datanode Web User Interface
Listen 50471

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile <LOCATION OF CERTIFICATE>
SSLCertificateKeyFile <LOCATION OF CERTIFICATE'S PRIVATE KEY IN .pem FORMAT>
ServerSignature Off
ServerTokens Prod

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

<AuthnProviderAlias ldap ad-ldap>
    AuthLDAPBindAuthoritative on
    AuthLdapUrl "ldaps://ldaps.<LDAP SERVER ADDRESS>:636/OU=YOUR BUSINESS UNIT,DC=BUSINESS,DC=COUNTRY?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=<BINDING USER WHICH WILL AUTHENTICATE AGAINST AD>,OU=<BINDING USER'S OU>,dc=<BUSINESS>,DC=<COUNTRY>"
    AuthLDAPBindPassword "<BINDING USER'S PASSWORD>"
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-<AD GROUP NAME> "CN=<AD GROUP NAME>,OU=<AD GROUP'S OU>,DC=<BUSINESS>,DC=<COUNTRY>">
    AuthLdapUrl "ldaps://ldaps.<LDAP SERVER ADDRESS>:636/OU=<YOUR BUSINESS UNIT>,DC=<BUSINESS>,DC=<COUNTRY>?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=<BINDING USER WHICH WILL AUTHENTICATE AGAINST AD>,OU=<BINDING USER'S OU>,dc=<BUSINESS>,DC=<COUNTRY>"
    AuthLDAPBindPassword "<BINDING USER'S PASSWORD>"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
</AuthzProviderAlias>

<VirtualHost *:50471>
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) 
RewriteRule .* - [F]

<Location "/">
    LDAPReferrals off
    AuthType Basic
    AuthName "<YOUR MESSAGE TO BE DISPLAYED WHEN USER OPEN'S THE UI>"
    AuthBasicProvider ad-ldap

    <RequireAny>
         Require ldap-group-<AD GROUP NAME>
    </RequireAny>

    ProxyPreserveHost On
    ProxyPass https://<DATANODE IP ADDRESS OR HOSTNAME>:50470/
    ProxyPassReverse https://<DATANODE IP ADDRESS OR HOSTNAME:50470/
</Location>
</VirtualHost>

5. Create a new file for iptables. Give it any name; we are calling it iptables_config. The contents of this file are mentioned below. Place this file in the directory /etc/sysconfig/iptables/

# Configuration for iptables service
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#Accept the traffic from which all IP Addresses
-A INPUT -s <ADD YOUR SUBNET> -p tcp -m tcp --dport 50470 -j ACCEPT
#Drop the traffic on port 50470
-A INPUT -p tcp -m tcp --dport 50470 -j DROP
COMMIT

6. We need to load the LDAP modules now in the httpd directory. Create a new file and add the below contents. Name the file as 01-ldap.conf. The directory to be placed in /etc/httpd/conf.modules.d/   

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

7. After the above changes are made, restart the HTTPD and iptables services; the commands below can be used to do the same.

sysconfig iptables restart
sysconfig httpd restart

Once the services are restarted, Datanode WebUI will start running on port 50471, and opening its WebUI will require authentication, which is your LDAP user ID and password.

Limitations of This Security Mechanism

Apache HTTPD Reverse Proxy implementation doesn’t support Kerberos authentication. Kerberos is a service that allows users and services of the platform to authenticate each other. So, if you have Kerberos service enabled for Web UIs, then the above implementation will not work.