ambari-dev mailing list archives

From "Jonathan Hurley" <jhur...@hortonworks.com>
Subject Review Request 26443: Allow nologin shell to be the default shell for service users.
Date Wed, 08 Oct 2014 12:52:48 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26443/
-----------------------------------------------------------

Review request for Ambari, Sumit Mohanty, Sid Wagle, and Tom Beerbower.


Bugs: AMBARI-7687
    https://issues.apache.org/jira/browse/AMBARI-7687


Repository: ambari


Description
-------

Our scripts automatically assumed that hadoop users could use /bin/bash as their login shell.
This causes security problems for some users as those accounts should not be able to log on.
Without /bin/bash, our scripts fail to execute since we cannot impersonate the user.

The solution is to:

- Prevent our code from manually setting /bin/bash in the hook scripts
- Use the su -s /bin/bash format for impersonation commands


Diffs
-----

  ambari-agent/src/test/python/resource_management/TestUserResource.py 859b111f2a057f8a4db91ef4ee6bc23ac6e948d1

  ambari-common/src/main/python/resource_management/core/resources/accounts.py f498db531d496f146e96bc8138d6ae76592f20e4

  ambari-common/src/main/python/resource_management/core/shell.py a2e3af3d8ec7ac43f8077794a079f3b47b5f9a3c

  ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-START/files/checkForFormat.sh
d14091af2e9913964c944962425498a864e095e6 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/GANGLIA/package/files/startRrdcached.sh
258d178b7001754844f0b0f7bceae45bbe7f4dcf 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/files/checkForFormat.sh
d14091af2e9913964c944962425498a864e095e6 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/hdfs_namenode.py
cb6195b3c45058e149b40056503f0b80819fefd0 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/service_check.py
e04d68c60c13a6cd09f8152c415ea5c353f7b20e 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/utils.py
a0ac1c234e27ecf68729af954e667ae9261cecd7 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HIVE/package/files/templetonSmoke.sh
21204e664eb932a958083dca2d1c216057f7fdd9 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/OOZIE/package/files/oozieSmoke.sh
e61bd4d3b70b5bff2bacf787c4171fb264df2e8f 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/OOZIE/package/scripts/oozie_service.py
f4cc2837dbbd780ab714c6295fe62edf0e18c19d 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/ZOOKEEPER/package/files/zkService.sh
32dfce464aad7fca831bd55aaa1d48fec18bbce6 
  ambari-server/src/main/resources/stacks/HDP/1.3.2/services/ZOOKEEPER/package/files/zkSmoke.sh
c1c11b4286b947d0b891f193ed08512a66003db9 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/files/checkForFormat.sh
9036ab230f6ae351921a38fdd654ece2bde8e758 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/GANGLIA/package/files/startRrdcached.sh
262f716ba45d284bea722205c26bd2e9a87e050a 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/files/checkForFormat.sh
c9a3828a664cbae36a46a4995d9c051cb93f0114 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/hdfs_namenode.py
68cf4fd2ff60df83966be2c2095d4d8e38dc7b71 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/service_check.py
f30a2c51493fa2c80b50db726518af69c32a93ad 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/utils.py
6eba10220c1a58dd9ba713b14be9864af05f16e8 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/templetonSmoke.sh
2d07b8b813f80b972e5039af601e9ac626cbc331 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/OOZIE/package/files/oozieSmoke2.sh
6446e15feb5c9b9bc0a895f231d7a0c36c3646c3 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/OOZIE/package/scripts/oozie_service.py
041c2cddaa211d1fffd860ac179b7a8e473cd187 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/ZOOKEEPER/package/files/zkService.sh
a5c7c8bbca6ebdbcb9e15a1eb7a5e93986921af1 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/ZOOKEEPER/package/files/zkSmoke.sh
02cc996a0082d6e03123bba89f94716cb198b4ff 
  ambari-server/src/test/python/stacks/1.3.2/HDFS/test_datanode.py 70127b83854c4fd017c54496289e85a74d29aebf

  ambari-server/src/test/python/stacks/1.3.2/HDFS/test_namenode.py 7cc4a1faeed30840b16664adde106700fe042497

  ambari-server/src/test/python/stacks/1.3.2/HDFS/test_service_check.py 7c089a5dbf2a2cc8966c5553e1c6e8b658c459ad

  ambari-server/src/test/python/stacks/1.3.2/HDFS/test_snamenode.py 50065e4e5f951de1af37c41987d78f85e841dccc

  ambari-server/src/test/python/stacks/1.3.2/OOZIE/test_oozie_server.py ccfea3d798d6df4d4c028a0b2938eb12eec92326

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_datanode.py c9e638bd7371a2fb0be67de9a875b215ea7eb288

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_journalnode.py 9d4e9dbdd88cfaee789cad476b664e5aeb6c01d3

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_namenode.py bf26877c3dbfa57c2c76cc602a67702581aa807a

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_service_check.py 38f04ab8d738f93c0332f892c81a343b4e7adcc5

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_snamenode.py a675b335589166a73595547bd6caa52a9d7ca441

  ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py be8d3821fd10f8468b8c0d40b082ec865217da4f

  ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py b720a2de6b89e499a578b9beedb1546fbd762ef3


Diff: https://reviews.apache.org/r/26443/diff/


Testing
-------

I performed a full install of my cluster and verified that initially all users were created
with /bin/bash. I changed their login shell to /bin/nologin and then attempted to stop all
services. I verified that this fails. I then updated the appropriate scripts and agents. The
following items were then tested successfully:

- Stopping all services
- Starting all services
- Running all smoke tests

I then verified that all hadoop users were still set to /bin/nologin.

[INFO] Rat check: Summary of files. Unapproved: 0 unknown: 0 generated: 0 approved: 41 licence.
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO]
[INFO] Ambari Main ........................................ SUCCESS [  2.609 s]
[INFO] Apache Ambari Project POM .......................... SUCCESS [  0.307 s]
[INFO] Ambari Web ......................................... SUCCESS [ 18.079 s]
[INFO] Ambari Views ....................................... SUCCESS [  1.714 s]
[INFO] Ambari Admin View .................................. SUCCESS [  8.838 s]
[INFO] Ambari Server ...................................... SUCCESS [22:55 min]
[INFO] Ambari Agent ....................................... SUCCESS [  6.777 s]
[INFO] Ambari Client ...................................... SUCCESS [  0.024 s]
[INFO] Ambari Python Client ............................... SUCCESS [  0.269 s]
[INFO] Ambari Groovy Client ............................... SUCCESS [  9.943 s]
[INFO] Ambari Shell ....................................... SUCCESS [  0.033 s]
[INFO] Ambari Python Shell ................................ SUCCESS [  0.036 s]
[INFO] Ambari Groovy Shell ................................ SUCCESS [  6.721 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 23:51 min
[INFO] Finished at: 2014-10-08T00:37:52-04:00
[INFO] Final Memory: 48M/247M
[INFO] ------------------------------------------------------------------------


Thanks,

Jonathan Hurley
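
Added example, not part of the original e-mail or of the Ambari patch: a sketch of the approach described above, building an `su -s /bin/bash` impersonation command and checking that service accounts keep a nologin shell in passwd data. The function names, the nologin path set and the passwd lines are assumptions constructed for illustration.

```python
import shlex

# Shells that refuse interactive logins (common paths; extend for your distro).
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format; not taken from a real host.
SAMPLE_PASSWD = """\
hdfs:x:1001:1001::/home/hdfs:/bin/nologin
zookeeper:x:1002:1001::/home/zookeeper:/bin/bash
oozie:x:1003:1001::/home/oozie:/sbin/nologin
alice:x:1100:1100::/home/alice:/bin/bash
"""


def as_user(command, user, shell="/bin/bash"):
    """Return argv that runs `command` as `user` via `su -s` (hypothetical helper).

    -s overrides the shell from /etc/passwd for this one invocation, so the
    account itself can keep a nologin shell. The caller must be root: su
    ignores -s for other callers when the target's shell is not in /etc/shells.
    """
    plain = user.replace("_", "").replace("-", "")
    if not plain.isalnum() or user.startswith("-"):
        raise ValueError("refusing suspicious user name: %r" % (user,))
    # The command stays one argv element; only the target shell parses it.
    return ["su", "-s", shell, "-", user, "-c", command]


def as_shell_line(argv):
    """Quote argv so it can be embedded in a shell script."""
    return " ".join(shlex.quote(a) for a in argv)


def interactive_accounts(passwd_text, service_users):
    """List service users whose passwd shell still permits a login."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in service_users:
            continue
        if fields[6].strip() not in NOLOGIN_SHELLS:
            found.append(fields[0])
    return found


if __name__ == "__main__":
    print(as_shell_line(as_user("hadoop fs -ls /", "hdfs")))
    print(interactive_accounts(SAMPLE_PASSWD, {"hdfs", "zookeeper", "oozie"}))
```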

