ambari-issues mailing list archives

From "Shi Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab
Date Thu, 10 Nov 2016 00:15:58 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652476#comment-15652476 ]

Shi Wang commented on AMBARI-18836:
-----------------------------------

Hi Robert,
I did test on a full-stack cluster, and after changing the hdfs headless keytab permission to 400, I did
stop all/stop all and a service check for all the services; webhcat is the only service that breaks,
because of the piece of code in webhcat.py removed in the patch. It doesn't make sense
to me to kinit the hdfs headless principal for the hcat user.
I also searched the codebase and found other services like yarn; in resourcemanager.py there
is
Execute(format("{kinit_path_local} -kt {hdfs_user_keytab} {hdfs_principal_name}"),
        user=params.hdfs_user
      )
But it will kinit as the hdfs user instead of the yarn user, and therefore won't break after removing
group readability.

Another place besides webhcat that will kinit the hdfs.headless principal as another user is
the copy_tarballs_to_hdfs method in dynamic_variable_interpretation.py and Ambaripreupload.py,
but it seems this method is deprecated?

> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
>                 Key: AMBARI-18836
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18836
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 2.4.2
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>         Attachments: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service “smoke”
checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440, but it is a security concern to
allow other service users in the hadoop group to kinit the hdfs headless principal using hdfs.headless.keytab.
In this way, another service user could "pretend" to be the hdfs user and be granted the hdfs user's
authorities.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
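The exposure discussed in this issue, as an added shell example that is not Ambari's own code: it audits a keytab directory for files readable by group or other (the mode-440 case that lets any member of "hadoop" run kinit -kt as the hdfs headless principal), reports them, and tightens a keytab to 400. The default directory /etc/security/keytabs is the Ambari default keytab location and is an assumption here; the sample files in the usage are constructed. Only ls(1), cut(1), awk(1) and chmod(1) are used, so it runs on GNU and BSD userlands alike.

```shell
#!/bin/sh
# Added example for AMBARI-18836; not Ambari project code.
# Audits Kerberos keytabs for group/other readability. A keytab with mode
# 440 lets every member of its group (on an Ambari cluster, every service
# account in "hadoop") run `kinit -kt` as that principal, which is the
# impersonation path the issue describes. A headless keytab should be 400.

# keytab_mode_bits FILE
#   Prints two characters: the group-read and other-read bits from the
#   ls(1) permission string, e.g. "r-" for mode 440 and "--" for mode 400.
#   ls(1) is used instead of stat(1) because stat's -c/-f flags differ
#   between GNU and BSD userlands.
keytab_mode_bits() {
    perms=$(ls -ld "$1" | cut -c1-10)
    g=$(printf '%s\n' "$perms" | cut -c5)
    o=$(printf '%s\n' "$perms" | cut -c8)
    printf '%s%s\n' "$g" "$o"
}

# keytab_is_exposed FILE
#   Succeeds (exit 0) when group or other can read FILE.
keytab_is_exposed() {
    case "$(keytab_mode_bits "$1")" in
        "--") return 1 ;;
        *)    return 0 ;;
    esac
}

# audit_keytabs DIR
#   Prints "<perms> <owner> <path>" for every *.keytab in DIR that is
#   readable by group or other. Prints nothing when DIR is clean.
audit_keytabs() {
    for kt in "$1"/*.keytab; do
        [ -f "$kt" ] || continue
        if keytab_is_exposed "$kt"; then
            ls -ld "$kt" | awk -v path="$kt" '{ print $1, $3, path }'
        fi
    done
}

# count_exposed_keytabs DIR
#   Prints the number of exposed keytabs in DIR (0 when clean).
count_exposed_keytabs() {
    n=0
    for kt in "$1"/*.keytab; do
        [ -f "$kt" ] || continue
        if keytab_is_exposed "$kt"; then n=$((n + 1)); fi
    done
    printf '%d\n' "$n"
}

# harden_keytab FILE
#   Drops group and other read access (mode 400). Ownership is left alone:
#   the owner must be the single account that kinits from this keytab, and
#   any other service that was kinit-ing from it as a different user will
#   start failing, which is the webhcat breakage reported in the thread.
harden_keytab() {
    chmod 400 "$1"
}

# Stand-alone usage. /etc/security/keytabs is the Ambari default keytab
# directory (assumed here); override with KEYTAB_DIR=... .
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"
if [ -d "$KEYTAB_DIR" ]; then
    audit_keytabs "$KEYTAB_DIR"
fi
```

Run it before and after applying a change like this patch: the audit should list hdfs.headless.keytab (and nothing else) at 440, and nothing at 400. Tightening the mode is only half the job; the other half is what the comment above did by hand, namely finding every place that runs kinit against hdfs_user_keytab under a user other than hdfs_user, because each of those becomes a hard failure once group read is gone.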
