[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
------------------------------
    Description: 
The Smoke and “Headless” Service users are used by Ambari to perform service 
“smoke” checks and run alert health checks. 
The permission for hdfs.headless.keytab is 440. But it causes a security 
concern to allow other service users in the hadoop group to kinit the hdfs 
headless principal using hdfs.headless.keytab. In this way, other service 
users could "pretend" to be the hdfs user and be granted the hdfs user's 
authorities.

> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
>                 Key: AMBARI-18836
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18836
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Shi Wang
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it causes a security 
> concern to allow other service users in the hadoop group to kinit the hdfs 
> headless principal using hdfs.headless.keytab. In this way, other service 
> users could "pretend" to be the hdfs user and be granted the hdfs user's 
> authorities.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
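
Added example (not part of the original message and not Ambari's code): a POSIX shell check for the condition the issue describes, a keytab whose mode grants any group or other access, such as 440, plus the tightening to 400 that the issue title asks for. The function names and the demo directory are assumptions, and the demo files are constructed empty placeholders, not real keytabs.

```shell
#!/bin/sh
# Added example: flag keytabs readable by group or others (e.g. mode 440).

# Print every *.keytab under directory $1 that has any group/other
# permission bit set. Only POSIX find predicates are used:
# "-perm -NNN" matches when all bits in NNN are set, so each bit is tested.
audit_keytabs() {
    find "$1" -type f -name '*.keytab' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Number of exposed keytabs under $1; usable as a compliance-check condition.
# grep -c exits non-zero on a count of 0, hence the "|| true".
count_exposed_keytabs() {
    audit_keytabs "$1" | grep -c . || true
}

# Restrict one keytab to owner read-only (400).
tighten_keytab() {
    chmod 400 "$1"
}

# --- Demo on constructed files (empty placeholders, not real keytabs) ---
demo_dir=$(mktemp -d)
: > "$demo_dir/hdfs.headless.keytab"
chmod 440 "$demo_dir/hdfs.headless.keytab"      # the mode reported in the issue
: > "$demo_dir/example.service.keytab"
chmod 400 "$demo_dir/example.service.keytab"    # already owner-only

echo "Exposed before: $(count_exposed_keytabs "$demo_dir")"
audit_keytabs "$demo_dir" | while IFS= read -r f; do
    ls -l "$f"            # show the offending mode and owner
    tighten_keytab "$f"
done
echo "Exposed after: $(count_exposed_keytabs "$demo_dir")"
rm -rf "$demo_dir"
```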
