ambari-issues mailing list archives

From "Shi Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab
Date Thu, 10 Nov 2016 00:28:58 GMT

[ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652505#comment-15652505 ]

Shi Wang commented on AMBARI-18836:
-----------------------------------

Yes, the smoke user keytab is also group readable. But I am not as concerned about the smoke
user as about the hdfs user, because hdfs resources are shared by all the services and the hdfs
user has the power to create and manipulate those resources. Maybe I should modify the
description to be more specific about this issue. But if you think we should address them all
under this JIRA, I will do more investigation into the smoke user and modify the patch accordingly.
Another issue is about the hbase headless principal: I also searched for the hbase headless
keytab, and it seems only hbase itself uses this keytab, but it still got a 440 permission.

> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
>                 Key: AMBARI-18836
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18836
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 2.4.2
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>         Attachments: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and "Headless" Service users are used by Ambari to perform service "smoke"
> checks and run alert health checks.
> The permission for hdfs.headless.keytab is 440. But it will cause security concern to
> allow other service user in hadoop group to kinit hdfs headless principal using hdfs.headless.keytab.
> In this way, other service user could "pretend" to be hdfs user and be granted hdfs user's
> authorities.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
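A small permission audit for the situation the issue describes, added here as an example and not part of the JIRA, its attached patch, or Ambari's own code: it flags keytabs whose group or other bits are set (the 440 case) and applies the owner-only mode the report argues for. The keytab directory is an assumption; the message names only hdfs.headless.keytab, not where it lives.

```shell
#!/bin/sh
# Audit Kerberos keytab file modes. A headless keytab should be readable only
# by its owning service user (mode 400); mode 440 lets every member of the
# owning group read it and kinit as that principal.

# keytab_mode FILE -> prints the octal permission bits, e.g. 440
keytab_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# keytab_is_private FILE -> returns 0 when no group/other bits are set,
# 1 when the group or world can read, write or execute the file.
keytab_is_private() {
    mode=$(keytab_mode "$1") || return 2
    # Leading 0 makes the shell parse the digits as octal; 077 masks
    # the group and other permission bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# audit_keytabs DIR -> prints every *.keytab in DIR that is not owner-only;
# returns 1 if any offender was found, 0 if all keytabs are private.
# DIR is an assumed location such as /etc/security/keytabs.
audit_keytabs() {
    found=0
    for kt in "$1"/*.keytab; do
        [ -e "$kt" ] || continue
        if ! keytab_is_private "$kt"; then
            echo "group/other readable: $kt (mode $(keytab_mode "$kt"))"
            found=1
        fi
    done
    return "$found"
}

# fix_keytab FILE -> drops group and other bits, leaving owner read only
# (the change proposed for hdfs.headless.keytab), then re-verifies.
fix_keytab() {
    chmod 400 "$1" && keytab_is_private "$1"
}
```

Run `audit_keytabs /etc/security/keytabs` (or wherever the keytabs are kept) before and after applying the patch to confirm the 440 entries are gone.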
