ambari-dev mailing list archives

From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 40356: Minimize HDFS and other headless keytab distribution (security concerns)
Date Mon, 16 Nov 2015 18:18:38 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40356/#review106696
-----------------------------------------------------------

Ship it!


Ship It!

- Robert Levas


On Nov. 16, 2015, 1:12 p.m., Andrew Onischuk wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40356/
> -----------------------------------------------------------
> 
> (Updated Nov. 16, 2015, 1:12 p.m.)
> 
> 
> Review request for Ambari and Robert Levas.
> 
> 
> Bugs: AMBARI-13695
>     https://issues.apache.org/jira/browse/AMBARI-13695
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Currently, we distribute the **hdfs** headless principal to pretty much every
> single host in the cluster.  
> Since **hdfs** is a super user in HDFS, if any one of the hdfs keytabs is
> compromised on any host, the user can do anything on HDFS.  
> We need to revisit and see if we can restrict the number of hosts to which we
> distribute the hdfs headless keytab.  
> For example, we can perform necessary HDFS operations on one of the master
> hosts available, rather than picking an arbitrary client / slave host as we
> do today.  
> Also, we should look into not only hdfs headless keytabs but all other
> headless ones like hbase, storm, etc.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json 9101005
>   ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/kerberos.json 8d5923a
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 1de417f
>   ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json df83969
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/kerberos.json aac1587
>   ambari-server/src/main/resources/common-services/MAHOUT/1.0.0.2.3/kerberos.json 91fff4a
>   ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/kerberos.json f9ce38b
>   ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json 433aca9
>   ambari-server/src/main/resources/common-services/PIG/0.12.0.2.0/kerberos.json PRE-CREATION
>   ambari-server/src/main/resources/common-services/SLIDER/0.60.0.2.2/kerberos.json PRE-CREATION
>   ambari-server/src/main/resources/common-services/SPARK/1.2.0.2.2/kerberos.json 57a282a
>   ambari-server/src/main/resources/common-services/SPARK/1.4.1.2.3/kerberos.json PRE-CREATION
>   ambari-server/src/main/resources/common-services/TEZ/0.4.0.2.1/kerberos.json PRE-CREATION
>   ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/kerberos.json 15ad5af
>   ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json b464120
>   ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json 9089367
>   ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json 1315e84
>   ambari-server/src/main/resources/stacks/HDP/2.3/services/TEZ/kerberos.json 3662ed8
>   ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/kerberos.json e70287a
> 
> Diff: https://reviews.apache.org/r/40356/diff/
> 
> 
> Testing
> -------
> 
> mvn clean test
> 
> 
> Thanks,
> 
> Andrew Onischuk
> 
>

