> On Nov. 10, 2016, 7:33 a.m., Andrew Onischuk wrote: > > ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py, > > line 79 > > <https://reviews.apache.org/r/53629/diff/1/?file=1559712#file1559712line79> > > > > Can you try to do "kdestroy" for webhcat user. And than start Webhcat > > if that works +1. > > Andrew Onischuk wrote: > Also did you do full stack deploy to make sure that nobody else it using > hdfs.headless keytab? > > Robert Levas wrote: > Andrew, I tried this patch and I didnt see any issues starting up webhcat > after removing that kinit. There are no alerts in my cluster as well... but I > only have HDFS, Yarn/MR2, Tez, Hive, Zookeeper, Slider, Kerberos, and Pig > installed. > > ``` > [hcat@c6402 ~]$ klist > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1019) > ```
Thanks Andrew and Robert, I did kdestroy in my test. My cluster installed HDFS, Yarn/MR2, Hive, HBase, Zookeeper, Sqoop, Kerberos, Oozie, AMS, Kafka, Knox, Solr, Spark. - Shi ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/53629/#review155558 ----------------------------------------------------------- On Nov. 10, 2016, 9:28 p.m., Shi Wang wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/53629/ > ----------------------------------------------------------- > > (Updated Nov. 10, 2016, 9:28 p.m.) > > > Review request for Ambari, Andrew Onischuk, Laszlo Puskas, and Robert Levas. > > > Bugs: AMBARI-18836 > https://issues.apache.org/jira/browse/AMBARI-18836 > > > Repository: ambari > > > Description > ------- > > The Smoke and “Headless” Service users are used by Ambari to perform service > “smoke” checks and run alert health checks. > The permission for hdfs.headless.keytab is 440. But it will cause security > concern to allow other service user in hadoop group to kinit hdfs headless > principal using hdfs.headless.keytab. In this way, other service user could > "pretend" to be hdfs user and be granted hdfs user's authorities. > > > Diffs > ----- > > > ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json > e8c96cb > > ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py > a7feb60 > ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json > 974a69c > > Diff: https://reviews.apache.org/r/53629/diff/ > > > Testing > ------- > > Hi Robert, > What will be your opinion on this? > Is it necessary to set 440 permission to hdfs headless keytab? The kinit hdfs > headless principal operation for webhcat seems useless, I kdestroy the hdfs > ticket for hcat user and hive service check/start/stop all works fine. Is > there any other tests I should try? Thanks. > > > Thanks, > > Shi Wang > >
