From: "Hari Sekhon (JIRA)"
To: dev@ambari.apache.org
Reply-To: dev@ambari.apache.org
Date: Tue, 4 Nov 2014 11:34:33 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-8138) kerberos_setup.sh chmod 0400 keytabs too loose should be using setfacl instead

    [ https://issues.apache.org/jira/browse/AMBARI-8138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hari Sekhon updated AMBARI-8138:
--------------------------------
    Description: 
kerberos_setup.sh is doing chmod 0440 on the cluster's kerberos keytabs with group hadoop which would allow all the hadoop daemon user accounts to read each other's kerberos keytabs.

This is technically bad practice as a single breach in any even tertiary component will result in compromising all kerberos keytab credentials across all components and to all data via the hdfs keytab.

A better solution would be to use extended ACLs to grant permissions to a single additional specific account to the keytabs that require being shared.

{code}
chmod 0400 /etc/security/keytabs/hdfs.headless.keytab
setfacl -m user::r /etc/security/keytabs/hdfs.headless.keytab
{code}

Regards,

Hari Sekhon

http://www.linkedin.com/in/harisekhon

  was:
kerberos_setup.sh is doing chmod 0440 on the cluster's kerberos keytabs with group hadoop which would allow all the hadoop daemon user accounts to read each other's kerberos keytabs.

This is technically bad practice as a single breach in any even tertiary component will result in compromising all kerberos keytab credentials across all components and to all data via the hdfs keytab.

A better solution would be to use extended ACLs to grant permissions to a single additional user account to the keytabs that require being shared.

{code}
chmod 0400 /etc/security/keytabs/hdfs.headless.keytab
setfacl -m user::r /etc/security/keytabs/hdfs.headless.keytab
{code}

Regards,

Hari Sekhon

http://www.linkedin.com/in/harisekhon


> kerberos_setup.sh chmod 0400 keytabs too loose should be using setfacl instead
> ------------------------------------------------------------------------------
>
>                 Key: AMBARI-8138
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8138
>             Project: Ambari
>          Issue Type: Improvement
>         Environment: HDP 2.1
>            Reporter: Hari Sekhon
>            Priority: Minor
>
> kerberos_setup.sh is doing chmod 0440 on the cluster's kerberos keytabs with group hadoop which would allow all the hadoop daemon user accounts to read each other's kerberos keytabs.
> This is technically bad practice as a single breach in any even tertiary component will result in compromising all kerberos keytab credentials across all components and to all data via the hdfs keytab.
> A better solution would be to use extended ACLs to grant permissions to a single additional specific account to the keytabs that require being shared.
> {code}
> chmod 0400 /etc/security/keytabs/hdfs.headless.keytab
> setfacl -m user::r /etc/security/keytabs/hdfs.headless.keytab
> {code}
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
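The following is an added example of the ACL-based hardening the ticket proposes, plus a check that a defender can run over a keytab directory; it is not code from the ticket or from Ambari's kerberos_setup.sh. One detail worth knowing when reading the ticket's snippet: in setfacl syntax an entry with an empty name (`user::r`) is the file-owner entry, so granting a second account read access needs the named form `u:NAME:r`, which is what this example uses. It assumes a Linux host with the acl package (setfacl/getfacl), the keytab directory named in the ticket, and hypothetical account names passed in by the caller; the getfacl output used in the policy check is read from stdin, so the check itself can be exercised with constructed text.

```shell
#!/bin/sh
# Added example, not from AMBARI-8138 or Ambari's kerberos_setup.sh.
# Assumes the acl tools are installed; OWNER and EXTRA_USER are
# hypothetical account names chosen by the caller.

# harden_keytab FILE OWNER EXTRA_USER
# Owner-only mode bits, then exactly ONE named ACL entry for the single
# extra account that must read this keytab. "u:NAME:r" is the named-user
# entry (an empty name, "user::r", would edit the owner entry instead);
# the mask entry "m::r" caps every named entry at read-only.
harden_keytab() {
    file=$1 owner=$2 extra=$3
    chown "$owner" "$file" &&
    chmod 0400 "$file" &&
    setfacl -m "u:${extra}:r,m::r" "$file"
}

# acl_policy_ok < getfacl-text
# Reads "getfacl --omit-header FILE" output from stdin and returns 0 only if
#   * the group:: and other:: entries grant nothing,
#   * every named entry is a read-only named USER, and
#   * at most one such named user exists (one shared account per keytab).
# A group-readable keytab, a named group, a second shared account, or any
# write/execute right returns 1.
acl_policy_ok() {
    named=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)                 ;;   # blank line or comment
            user::*)                 ;;   # owner entry: owner rights are fine
            user:*:r--)              named=$((named + 1)) ;;
            user:*)                  return 1 ;;   # named user with w or x
            group::---|other::---)   ;;
            group:*|other:*)         return 1 ;;   # group/other/named group grants something
            mask::r--|mask::---)     ;;
            mask::*)                 return 1 ;;   # mask would let a named entry exceed read
        esac
    done
    [ "$named" -le 1 ]
}

# audit_keytabs DIR
# Prints every *.keytab in DIR whose ACL violates the policy above.
# Uses getfacl rather than the mode bits, because once a named ACL entry
# exists the group bits shown by ls/stat reflect the mask, not group access.
audit_keytabs() {
    for f in "$1"/*.keytab; do
        [ -e "$f" ] || continue
        getfacl --omit-header "$f" 2>/dev/null | acl_policy_ok || echo "LOOSE: $f"
    done
}
```

Run `audit_keytabs /etc/security/keytabs` after the setup script has finished: a keytab that still carries the 0440/group hadoop layout from the ticket shows up as `LOOSE`, while one hardened with `harden_keytab` passes because its `group::` entry is `---` even though the mask makes it look group-readable in `ls -l`.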