
2.4. Securing Access

As described in Section 1.2, “Architecture”, the frontend of WebMapReduce, not the backend, is responsible for authenticating users. As a result, anyone who can communicate with the backend has the ability to submit Hadoop jobs and gain (hopefully limited) access to the system.
It is usually desirable, then, to ensure that only your WebMapReduce frontend is allowed to communicate with the backend. There are three main strategies for this: a firewall, password authentication, and SSL.
These strategies can be combined, but just one should be sufficient. If you do not need your frontend to run on a separate machine, we recommend simply using a firewall. Otherwise, choose based on how much security you want: password authentication is basically secure, but vulnerable to certain attacks that SSL protects against. Use SSL if you are concerned about very determined attackers.
The next two sections document the password and SSL methods. For the firewall method, consult your system's documentation.

2.4.1. Password Authentication

2.4.1.1. Backend Configuration

First, add the following directive to wmr-site.xml to enable password authentication support:
<property>
  <name>wmr.server.httpauth.enable</name>
  <value>true</value>
</property>
Next, we need to set up the password list. By default, account names and passwords are stored in a file named accounts.properties in the $WMR_HOME/conf directory. The format is a standard Java properties file with account names as keys and passwords as values.

Important

Be careful about storing passwords with punctuation: as in all Java properties files, some characters need to be escaped, and due to the way the embedded Jetty webserver processes values in this file, commas are not allowed. See the file accounts.properties.example for details.
Add accounts for each of your frontend installations by adding lines similar to the following:
username: password
Finally, restart your backend to reload the configuration:
$ cd $WMR_HOME
$ bin/stop-wmr.sh
$ bin/start-wmr.sh
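
An added example (not part of the WebMapReduce distribution): a small Python linter for accounts.properties that can be run before restarting the backend. The comma rule is the one from the note above; the empty-password, duplicate-account and dropped-backslash checks follow from how java.util.Properties parses a line, and the function names and sample entries are constructed for illustration.

```python
import re

HARMLESS = set("tnrfu\\ :=#!")  # escapes Java defines, or that yield the same char

def parse_properties(text):
    """Yield (line_no, key, raw_value); simplified: no line continuations."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip(" \t\f")
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, i = [], 0
        while i < len(line) and line[i] not in "=: \t\f":
            if line[i] == "\\" and i + 1 < len(line):
                i += 1  # an escaped character belongs to the key
            key.append(line[i])
            i += 1
        rest = line[i:].lstrip(" \t\f")
        if rest[:1] in ("=", ":"):  # one optional separator
            rest = rest[1:].lstrip(" \t\f")
        yield no, "".join(key), rest

def lint_accounts(text):
    """Return (line_no, account, problem) for entries the backend may misread."""
    findings, seen = [], {}
    for no, user, raw_value in parse_properties(text):
        if user in seen:
            findings.append((no, user, f"duplicate of line {seen[user]}"))
        seen.setdefault(user, no)
        if not raw_value:
            findings.append((no, user, "empty password"))
        if "," in raw_value:
            findings.append((no, user, "comma in password"))
        for m in re.finditer(r"\\(.)", raw_value):
            if m.group(1) not in HARMLESS:
                findings.append((no, user, f"backslash before {m.group(1)!r} is dropped"))
    return findings

# Constructed sample input, not a real accounts file.
SAMPLE = r"""# frontend accounts
frontend1: s3cret\:colon
frontend2 = has,comma
frontend3:
frontend1: replaced
frontend4: pa\ss
"""

if __name__ == "__main__":
    for line_no, account, problem in lint_accounts(SAMPLE):
        print(f"line {line_no}: {account}: {problem}")
```

To check a real file, pass its contents to lint_accounts() and fix every reported line before running bin/start-wmr.sh.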

2.4.1.2. Frontend Configuration

Set the appropriate username and password by adding the following lines to include/settings.php, which will enable password authentication automatically:
$wmrUser = 'username';
$wmrPass = 'password';

Important

Since you are now storing passwords in the include/settings.php file, make sure this file is only readable by the webserver.
Try submitting a job to check that everything is working properly. WebMapReduce should now be protected from unauthorized submissions.