ambari-dev mailing list archives

From "Sumit Mohanty" <smoha...@hortonworks.com>
Subject Re: Review Request 26443: Allow nologin shell to be the default shell for service users.
Date Wed, 08 Oct 2014 14:26:53 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/26443/#review55795
-----------------------------------------------------------

Ship it!


Ship It!

- Sumit Mohanty


On Oct. 8, 2014, 12:52 p.m., Jonathan Hurley wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/26443/
> -----------------------------------------------------------
> 
> (Updated Oct. 8, 2014, 12:52 p.m.)
> 
> 
> Review request for Ambari, Sumit Mohanty, Sid Wagle, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-7687
>     https://issues.apache.org/jira/browse/AMBARI-7687
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Our scripts automatically assumed that hadoop users could use /bin/bash as their login shell. This causes security problems for some users as those accounts should not be able to log on. Without /bin/bash, our scripts fail to execute since we cannot impersonate the user.
> 
> The solution is to:
> 
> - Prevent our code from manually setting /bin/bash in the hook scripts
> - Use the su -s /bin/bash format for impersonation commands
> 
> 
> Diffs
> -----
> 
>   ambari-agent/src/test/python/resource_management/TestUserResource.py 859b111f2a057f8a4db91ef4ee6bc23ac6e948d1
>   ambari-common/src/main/python/resource_management/core/resources/accounts.py f498db531d496f146e96bc8138d6ae76592f20e4
>   ambari-common/src/main/python/resource_management/core/shell.py a2e3af3d8ec7ac43f8077794a079f3b47b5f9a3c
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/hooks/before-START/files/checkForFormat.sh d14091af2e9913964c944962425498a864e095e6
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/GANGLIA/package/files/startRrdcached.sh 258d178b7001754844f0b0f7bceae45bbe7f4dcf
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/files/checkForFormat.sh d14091af2e9913964c944962425498a864e095e6
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/hdfs_namenode.py cb6195b3c45058e149b40056503f0b80819fefd0
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/service_check.py e04d68c60c13a6cd09f8152c415ea5c353f7b20e
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HDFS/package/scripts/utils.py a0ac1c234e27ecf68729af954e667ae9261cecd7
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/HIVE/package/files/templetonSmoke.sh 21204e664eb932a958083dca2d1c216057f7fdd9
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/OOZIE/package/files/oozieSmoke.sh e61bd4d3b70b5bff2bacf787c4171fb264df2e8f
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/OOZIE/package/scripts/oozie_service.py f4cc2837dbbd780ab714c6295fe62edf0e18c19d
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/ZOOKEEPER/package/files/zkService.sh 32dfce464aad7fca831bd55aaa1d48fec18bbce6
>   ambari-server/src/main/resources/stacks/HDP/1.3.2/services/ZOOKEEPER/package/files/zkSmoke.sh c1c11b4286b947d0b891f193ed08512a66003db9
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-START/files/checkForFormat.sh 9036ab230f6ae351921a38fdd654ece2bde8e758
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/GANGLIA/package/files/startRrdcached.sh 262f716ba45d284bea722205c26bd2e9a87e050a
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/files/checkForFormat.sh c9a3828a664cbae36a46a4995d9c051cb93f0114
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/hdfs_namenode.py 68cf4fd2ff60df83966be2c2095d4d8e38dc7b71
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/service_check.py f30a2c51493fa2c80b50db726518af69c32a93ad
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/utils.py 6eba10220c1a58dd9ba713b14be9864af05f16e8
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HIVE/package/files/templetonSmoke.sh 2d07b8b813f80b972e5039af601e9ac626cbc331
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/OOZIE/package/files/oozieSmoke2.sh 6446e15feb5c9b9bc0a895f231d7a0c36c3646c3
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/OOZIE/package/scripts/oozie_service.py 041c2cddaa211d1fffd860ac179b7a8e473cd187
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/ZOOKEEPER/package/files/zkService.sh a5c7c8bbca6ebdbcb9e15a1eb7a5e93986921af1
>   ambari-server/src/main/resources/stacks/HDP/2.0.6/services/ZOOKEEPER/package/files/zkSmoke.sh 02cc996a0082d6e03123bba89f94716cb198b4ff
>   ambari-server/src/test/python/stacks/1.3.2/HDFS/test_datanode.py 70127b83854c4fd017c54496289e85a74d29aebf
>   ambari-server/src/test/python/stacks/1.3.2/HDFS/test_namenode.py 7cc4a1faeed30840b16664adde106700fe042497
>   ambari-server/src/test/python/stacks/1.3.2/HDFS/test_service_check.py 7c089a5dbf2a2cc8966c5553e1c6e8b658c459ad
>   ambari-server/src/test/python/stacks/1.3.2/HDFS/test_snamenode.py 50065e4e5f951de1af37c41987d78f85e841dccc
>   ambari-server/src/test/python/stacks/1.3.2/OOZIE/test_oozie_server.py ccfea3d798d6df4d4c028a0b2938eb12eec92326
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_datanode.py c9e638bd7371a2fb0be67de9a875b215ea7eb288
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_journalnode.py 9d4e9dbdd88cfaee789cad476b664e5aeb6c01d3
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_namenode.py bf26877c3dbfa57c2c76cc602a67702581aa807a
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_service_check.py 38f04ab8d738f93c0332f892c81a343b4e7adcc5
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_snamenode.py a675b335589166a73595547bd6caa52a9d7ca441
>   ambari-server/src/test/python/stacks/2.0.6/HDFS/test_zkfc.py be8d3821fd10f8468b8c0d40b082ec865217da4f
>   ambari-server/src/test/python/stacks/2.0.6/OOZIE/test_oozie_server.py b720a2de6b89e499a578b9beedb1546fbd762ef3
> 
> Diff: https://reviews.apache.org/r/26443/diff/
> 
> 
> Testing
> -------
> 
> I performed a full install of my cluster and verified that initially all users were created with /bin/bash. I changed their login shell to /bin/nologin and then attempted to stop all services. I verified that this fails. I then updated the appropriate scripts and agents. The following items were then tested successfully:
> 
> - Stopping all services
> - Start all services
> - Running all smoke tests
> 
> I then verified that all hadoop users were still set to /bin/nologin
> 
> [INFO] Rat check: Summary of files. Unapproved: 0 unknown: 0 generated: 0 approved: 41 licence.
> [INFO] ------------------------------------------------------------------------
> [INFO] Reactor Summary:
> [INFO]
> [INFO] Ambari Main ........................................ SUCCESS [  2.609 s]
> [INFO] Apache Ambari Project POM .......................... SUCCESS [  0.307 s]
> [INFO] Ambari Web ......................................... SUCCESS [ 18.079 s]
> [INFO] Ambari Views ....................................... SUCCESS [  1.714 s]
> [INFO] Ambari Admin View .................................. SUCCESS [  8.838 s]
> [INFO] Ambari Server ...................................... SUCCESS [22:55 min]
> [INFO] Ambari Agent ....................................... SUCCESS [  6.777 s]
> [INFO] Ambari Client ...................................... SUCCESS [  0.024 s]
> [INFO] Ambari Python Client ............................... SUCCESS [  0.269 s]
> [INFO] Ambari Groovy Client ............................... SUCCESS [  9.943 s]
> [INFO] Ambari Shell ....................................... SUCCESS [  0.033 s]
> [INFO] Ambari Python Shell ................................ SUCCESS [  0.036 s]
> [INFO] Ambari Groovy Shell ................................ SUCCESS [  6.721 s]
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 23:51 min
> [INFO] Finished at: 2014-10-08T00:37:52-04:00
> [INFO] Final Memory: 48M/247M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Jonathan Hurley
> 
>
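
The approach in the review description (service accounts keep a nologin shell, and impersonation passes an explicit shell with su -s), sketched as an added example that is not part of the original message or the Ambari code base. The function names, the list of nologin shell paths, the sample passwd content and the sample command are assumptions made for illustration.

```python
import re
import shlex

# Shells that refuse interactive logins; /bin/nologin is the path used in the
# testing notes above, the others are common locations (assumed list).
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
hdfs:x:1001:1001:HDFS:/home/hdfs:/bin/bash
zookeeper:x:1002:1001:ZooKeeper:/home/zookeeper:/sbin/nologin
oozie:x:1003:1001:Oozie:/home/oozie:/bin/nologin
hive:x:1004:1001:Hive:/home/hive:
"""


def login_capable(passwd_text, service_users):
    """Return the service users whose passwd entry still allows a login shell."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in service_users:
            continue
        # An empty shell field means the system default shell, so it counts.
        if fields[6].strip() not in NOLOGIN_SHELLS:
            found.append(fields[0])
    return sorted(found)


def su_argv(user, command, shell="/bin/bash"):
    """Build argv that runs `command` as `user` with an explicit shell (su -s)."""
    # Reject names that su could parse as an option or that carry metacharacters.
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        raise ValueError("unexpected user name: %r" % user)
    return ["su", "-s", shell, user, "-c", command]


def su_command_line(user, command, shell="/bin/bash"):
    """Same command as one string, quoted for embedding in a shell script."""
    return " ".join(shlex.quote(arg) for arg in su_argv(user, command, shell))


if __name__ == "__main__":
    print(login_capable(SAMPLE_PASSWD, {"hdfs", "zookeeper", "oozie", "hive"}))
    print(su_command_line("hdfs", "hadoop fs -ls /"))
```

With util-linux su, the -s option is honoured for an account whose shell is not listed in /etc/shells only when the caller is root, so the resulting command has to be run by a root-owned process.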