[
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652505#comment-15652505
]
Shi Wang commented on AMBARI-18836:
-----------------------------------
Yes, the smoke user keytab is also group readable. But I don't concern
smokeuser as much as hdfs user because hdfs resource is shared by all the
serivces and hdfs user has the powder to create and manipulate those resources.
Maybe I should modify the description to be more specific about this issue. But
if you think we should address them all under this jira I will do more
investigation into smoke user and modify the patch accordingly.
Another issue is about hbase headless principal, I also searched for hbase
headless keytab, it seems only hbase itself uses this keytab but still it got a
440 permission.
> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
> Issue Type: Bug
> Affects Versions: 2.4.2
> Reporter: Shi Wang
> Assignee: Shi Wang
> Attachments:
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service
> “smoke” checks and run alert health checks.
> The permission for hdfs.headless.keytab is 440. But it will cause security
> concern to allow other service user in hadoop group to kinit hdfs headless
> principal using hdfs.headless.keytab. In this way, other service user could
> "pretend" to be hdfs user and be granted hdfs user's authorities.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
