ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab
Date Wed, 23 Nov 2016 14:34:58 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15690258#comment-15690258 ]

Robert Levas commented on AMBARI-18836:
---------------------------------------

[~Wancy]

Reverted 38076327525986b780942f33eff01d2de4a70ce2 on trunk:

{noformat}
commit 4551c9f9cbc3e1723a331b038dfee954098f3b44
Author: Robert Levas <rlevas@hortonworks.com>
Date:   Wed Nov 23 09:32:37 2016 -0500
{noformat}

CC: [~adoroszlai]


> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
>                 Key: AMBARI-18836
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18836
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>             Fix For: trunk
>
>         Attachments: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service “smoke” checks and run alert health checks.
> The permission for hdfs.headless.keytab is 440. But it will cause a security concern to allow other service users in the hadoop group to kinit the hdfs headless principal using hdfs.headless.keytab. In this way, other service users could "pretend" to be the hdfs user and be granted the hdfs user's authorities.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
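
The concern in the issue description, a keytab whose mode lets members of the owning group read it and kinit as its principal, can be checked with a small audit. This is an added example, not Ambari code or part of the original message; the function names and the sample files created in `demo` are made up for illustration.

```sh
# Added example (not Ambari code): report keytabs readable beyond their owner.
# It only reports; nothing on disk is changed by audit_keytabs.

# go_bits FILE -> the six group/other permission characters, e.g. "r-----".
# -L follows symlinks so the mode of the real keytab file is examined.
go_bits() {
    ls -ldL "$1" | head -n 1 | cut -c5-10
}

# audit_keytabs DIR
# Prints "OK <path>" or "WEAK group/other=<bits> group=<name> <path>" for each
# *.keytab in DIR. Returns 0 if all are owner-only, 1 if any is WEAK, 2 if DIR
# does not exist.
audit_keytabs() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    weak=0
    for f in "$dir"/*.keytab; do
        [ -f "$f" ] || continue    # glob matched nothing, or not a regular file
        bits=$(go_bits "$f")
        if [ "$bits" = "------" ]; then
            echo "OK $f"
        else
            # The owning group names who else can read the key material.
            grp=$(ls -ldL "$f" | awk 'NR == 1 { print $4 }')
            echo "WEAK group/other=$bits group=$grp $f"
            weak=1
        fi
    done
    [ "$weak" -eq 0 ]
}

# Constructed sample: empty stand-in files, mode 440 (as in the issue) and 400.
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/hdfs.headless.keytab"; chmod 440 "$d/hdfs.headless.keytab"
    : > "$d/owner-only.keytab";    chmod 400 "$d/owner-only.keytab"
    audit_keytabs "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh audit.sh --demo   or   sh audit.sh <keytab-directory>
if [ "${1:-}" = "--demo" ]; then
    demo
elif [ "$#" -gt 0 ]; then
    audit_keytabs "$1"
fi
```

Only the mode bits are inspected; POSIX ACLs on the keytab or its directory are not.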
