ambari-dev mailing list archives

From "Jayush Luniya (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-8138) kerberos_setup.sh chmod 0440 keytabs to hadoop group too loose should be using setfacl instead
Date Thu, 15 Jan 2015 05:53:35 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-8138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14278295#comment-14278295 ]

Jayush Luniya commented on AMBARI-8138:
---------------------------------------

Wrong JIRA number for the commit :( Should have been AMBARI-9138. Please ignore.

> kerberos_setup.sh chmod 0440 keytabs to hadoop group too loose should be using setfacl instead
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-8138
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8138
>             Project: Ambari
>          Issue Type: Improvement
>         Environment: HDP 2.1
>            Reporter: Hari Sekhon
>            Priority: Minor
>
> kerberos_setup.sh is doing chmod 0440 on the cluster's kerberos keytabs with group hadoop which would allow all the hadoop daemon user accounts to read each other's kerberos keytabs.
> This is technically bad practice as a single breach in any even tertiary component will result in compromising all kerberos keytab credentials across all components and to all data via the hdfs keytab.
> A better solution would be to use extended ACLs to grant permissions to a single additional specific account on only the keytabs that require being shared, eg:
> {code}
> chmod 0400 /etc/security/keytabs/hdfs.headless.keytab
> setfacl -m user:<additional_user>:r /etc/security/keytabs/hdfs.headless.keytab
> {code}
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
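The quoted ticket recommends replacing a blanket group read (0440, group hadoop) with an owner-only mode plus a single named-user ACL. The script below is an added example, not part of the ticket, the commit or Ambari's kerberos_setup.sh: it audits a keytab directory for files whose mode bits grant anything beyond the owner, lists any named-user ACL entries it finds, and emits the two commands from the ticket as the remediation for a given keytab. It assumes a Linux host; `getfacl` is used only if installed (the `acl` package), and the sample directory it builds is constructed for the demonstration. One caveat the example handles: after `setfacl`, the file's group bits display the ACL mask, so a mode-only check will still flag the file, which is why the ACL entries are reported alongside the mode.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Directory named in the ticket; only used to format remediation commands.
KEYTAB_DIR = "/etc/security/keytabs"


def named_user_acl_entries(path):
    """Return the named-user ACL entries ("user:<name>:<perms>") on path.

    Shells out to getfacl when it is installed and returns [] otherwise, so
    the mode audit below still works on hosts without the acl package.
    """
    if shutil.which("getfacl") is None:
        return []
    proc = subprocess.run(
        ["getfacl", "--absolute-names", "--omit-header", path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return []
    entries = []
    for line in proc.stdout.splitlines():
        parts = line.split(":")
        # "user::r--" is the owner entry; a non-empty name marks a named user.
        if len(parts) == 3 and parts[0] == "user" and parts[1]:
            entries.append(line)
    return entries


def audit_keytabs(keytab_dir):
    """Report every *.keytab whose mode bits grant anything to group or other.

    Returns a sorted list of (filename, octal_mode) tuples. A file carrying a
    POSIX ACL shows the ACL mask in its group bits, so it is listed here too;
    the caller then checks named_user_acl_entries() to tell a deliberate
    single-user grant from a blanket group read.
    """
    findings = []
    for name in sorted(os.listdir(keytab_dir)):
        if not name.endswith(".keytab"):
            continue
        path = os.path.join(keytab_dir, name)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, format(mode, "04o")))
    return findings


def remediation_commands(path, shared_user):
    """The two commands from the ticket: owner-only mode plus one read ACL."""
    return [f"chmod 0400 {path}", f"setfacl -m user:{shared_user}:r {path}"]


def build_sample_dir():
    """Constructed sample: a temp dir with one 0440 keytab and one 0400 keytab."""
    d = tempfile.mkdtemp(prefix="keytabs-")
    for name, mode in (("hdfs.headless.keytab", 0o440), ("nn.service.keytab", 0o400)):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"constructed placeholder, not a real keytab\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, mode in audit_keytabs(sample):
        acl = named_user_acl_entries(os.path.join(sample, name))
        print(f"{name}: mode {mode} grants access beyond the owner; named-user ACL entries: {acl}")
        # <additional_user> is the placeholder from the ticket, not a real account.
        fix = remediation_commands(os.path.join(KEYTAB_DIR, name), "<additional_user>")
        print("  remediation:", "; ".join(fix))
```

Run it against the real keytab directory by passing `/etc/security/keytabs` to `audit_keytabs()` as root; a keytab that is flagged but shows exactly one `user:<name>:r--` entry is the intended ACL'd state, while a flagged keytab with no named-user entries is still relying on the group bits.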
