[ https://issues.apache.org/jira/browse/AMBARI-13695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Onischuk resolved AMBARI-13695.
--------------------------------------
    Resolution: Fixed

Committed to trunk and branch-2.1

> Minimize HDFS and other headless keytab distribution (security concerns)
> ------------------------------------------------------------------------
>
>                 Key: AMBARI-13695
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13695
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: hdfs, keytabs, security
>             Fix For: 2.1.3
>
>
> Currently, we distribute the *hdfs* headless principal to pretty much every 
> single host in the cluster.  
> Since *hdfs* is a super user in HDFS, if any one of the hdfs keytabs is 
> compromised on any host, the user can do anything on HDFS.
> We need to revisit and see if we can restrict the number of hosts to which we 
> distribute the hdfs headless keytab.
> For example, we can perform necessary HDFS operations on one of the master 
> hosts available, rather than picking an arbitrary client / slave host as we 
> do today.
> Also, we should look into not only hdfs headless keytabs but all other 
> headless ones like hbase, storm, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
