ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hari Sekhon (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-8138) kerberos_setup.sh chmod 0440 keytabs to hadoop group too loose should be using setfacl instead
Date Tue, 04 Nov 2014 11:39:33 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-8138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Hari Sekhon updated AMBARI-8138:
--------------------------------
    Summary: kerberos_setup.sh chmod 0440 keytabs to hadoop group too loose should be using
setfacl instead  (was: kerberos_setup.sh chmod 0400 keytabs too loose should be using setfacl
instead)

> kerberos_setup.sh chmod 0440 keytabs to hadoop group too loose should be using setfacl
instead
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-8138
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8138
>             Project: Ambari
>          Issue Type: Improvement
>         Environment: HDP 2.1
>            Reporter: Hari Sekhon
>            Priority: Minor
>
> kerberos_setup.sh is doing chmod 0440 on the cluster's kerberos keytabs with group hadoop
which would allow all the hadoop daemon user accounts to read each other's kerberos keytabs.
> This is technically bad practice as a single breach in any even tertiary component will
result in compromising all kerberos keytab credentials across all components and to all data
via the hdfs keytab.
> A better solution would be to use extended ACLs to grant permissions to a single additional
specific account on only the keytabs that require being shared.
> {code}
> chmod 0400 /etc/security/keytabs/hdfs.headless.keytab
> setfacl -m user:<additional_user>:r /etc/security/keytabs/hdfs.headless.keytab
> {code}
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message