[ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652505#comment-15652505 ]
Shi Wang commented on AMBARI-18836: ----------------------------------- Yes, the smoke user keytab is also group readable. But I don't concern smokeuser as much as hdfs user because hdfs resource is shared by all the serivces and hdfs user has the powder to create and manipulate those resources. Maybe I should modify the description to be more specific about this issue. But if you think we should address them all under this jira I will do more investigation into smoke user and modify the patch accordingly. Another issue is about hbase headless principal, I also searched for hbase headless keytab, it seems only hbase itself uses this keytab but still it got a 440 permission. > Remove group readable from hdfs headless keytab > ----------------------------------------------- > > Key: AMBARI-18836 > URL: https://issues.apache.org/jira/browse/AMBARI-18836 > Project: Ambari > Issue Type: Bug > Affects Versions: 2.4.2 > Reporter: Shi Wang > Assignee: Shi Wang > Attachments: > 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch > > > The Smoke and “Headless” Service users are used by Ambari to perform service > “smoke” checks and run alert health checks. > The permission for hdfs.headless.keytab is 440. But it will cause security > concern to allow other service user in hadoop group to kinit hdfs headless > principal using hdfs.headless.keytab. In this way, other service user could > "pretend" to be hdfs user and be granted hdfs user's authorities. -- This message was sent by Atlassian JIRA (v6.3.4#6332)