----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/40356/#review106696 -----------------------------------------------------------
Ship it! Ship It! - Robert Levas On Nov. 16, 2015, 1:12 p.m., Andrew Onischuk wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/40356/ > ----------------------------------------------------------- > > (Updated Nov. 16, 2015, 1:12 p.m.) > > > Review request for Ambari and Robert Levas. > > > Bugs: AMBARI-13695 > https://issues.apache.org/jira/browse/AMBARI-13695 > > > Repository: ambari > > > Description > ------- > > Currently, we distribute the **hdfs** headless principal to pretty much every > single host in the cluster. > Since **hdfs** is a super user in HDFS, if any one of the hdfs keytabs are > compromised on any host, the user can do anything on HDFS. > We need to revisit and see if we can restrict the number of hosts to which we > distribute the hdfs headless keytab. > For example, we can perform necessary HDFS operations on one of the master > hosts available, rather than picking an arbitrary client / slave hosts as we > do today. > Also, we should look into not only hdfs headless keytabs but all other > headless ones like hbase, storm, etc. > > > Diffs > ----- > > > ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/kerberos.json > 9101005 > > ambari-server/src/main/resources/common-services/FALCON/0.5.0.2.1/kerberos.json > 8d5923a > > ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json > 1de417f > > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json > df83969 > > ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/kerberos.json > aac1587 > > ambari-server/src/main/resources/common-services/MAHOUT/1.0.0.2.3/kerberos.json > 91fff4a > > ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/kerberos.json > f9ce38b > > ambari-server/src/main/resources/common-services/OOZIE/4.2.0.2.3/kerberos.json > 433aca9 > > ambari-server/src/main/resources/common-services/PIG/0.12.0.2.0/kerberos.json > PRE-CREATION > > ambari-server/src/main/resources/common-services/SLIDER/0.60.0.2.2/kerberos.json > PRE-CREATION > > ambari-server/src/main/resources/common-services/SPARK/1.2.0.2.2/kerberos.json > 57a282a > > ambari-server/src/main/resources/common-services/SPARK/1.4.1.2.3/kerberos.json > PRE-CREATION > > ambari-server/src/main/resources/common-services/TEZ/0.4.0.2.1/kerberos.json > PRE-CREATION > > ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/kerberos.json > 15ad5af > ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json > b464120 > > ambari-server/src/main/resources/stacks/HDP/2.3.GlusterFS/services/ACCUMULO/kerberos.json > 9089367 > > ambari-server/src/main/resources/stacks/HDP/2.3/services/ACCUMULO/kerberos.json > 1315e84 > ambari-server/src/main/resources/stacks/HDP/2.3/services/TEZ/kerberos.json > 3662ed8 > ambari-server/src/main/resources/stacks/HDP/2.3/services/YARN/kerberos.json > e70287a > > Diff: https://reviews.apache.org/r/40356/diff/ > > > Testing > ------- > > mvn clean test > > > Thanks, > > Andrew Onischuk > >
