[
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15838297#comment-15838297
]
Hudson commented on AMBARI-18836:
---------------------------------
SUCCESS: Integrated in Jenkins build Ambari-branch-2.5 #799 (See
[https://builds.apache.org/job/Ambari-branch-2.5/799/])
AMBARI-18836. Remove group readable from hdfs headless keytab (Shi Wang
(rlevas:
[http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=311349281dd8ed73e06d3deec445740ad08a240f])
* (edit)
ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
* (edit)
ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json
* (edit)
ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
* (edit) ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
> Issue Type: Bug
> Affects Versions: trunk, 2.5.0
> Reporter: Shi Wang
> Assignee: Shi Wang
> Fix For: trunk, 2.5.0
>
> Attachments:
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch,
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service
> “smoke” checks and run alert health checks.
> The permission for hdfs.headless.keytab is 440. But it will cause security
> concern to allow other service user in hadoop group to kinit hdfs headless
> principal using hdfs.headless.keytab. In this way, other service user could
> "pretend" to be hdfs user and be granted hdfs user's authorities.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
