From: "Nick Dimiduk (JIRA)"
To: dev@ambari.apache.org
Date: Mon, 4 May 2015 17:08:06 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-10872) Phoenix QS should run as a different user, with different keytabs/principal than HBase

     [ https://issues.apache.org/jira/browse/AMBARI-10872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Dimiduk updated AMBARI-10872:
----------------------------------
    Attachment: 10872.patch

Parking a patch here for now. Probably doesn't work because of user permissions in things like the log and pid dirs.

> Phoenix QS should run as a different user, with different keytabs/principal than HBase
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-10872
>                 URL: https://issues.apache.org/jira/browse/AMBARI-10872
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>            Reporter: Nick Dimiduk
>         Attachments: 10872.patch
>
>
> HBase processes run as 'hbase' user, which is effectively a super-user for HBase. Running the PQS as this user is quite a wide exposure, especially on an otherwise secured cluster. PQS does not yet have the ability to act on an authenticated user's behalf. In the meantime, we should allow the PQS to run as a non-root user.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)