[jira] [Commented] (AMBARI-11999) Blueprint export incorrectly includes Kerberos host information

2016-06-21 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-11999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15343138#comment-15343138
 ] 

Shi Wang commented on AMBARI-11999:
---

Hi,

I think this has been fixed in 2.2: in my generated blueprint there is no kdc 
server info anymore, and I need to add it manually to blueprint a new cluster.

> Blueprint export incorrectly includes Kerberos host information
> ---
>
> Key: AMBARI-11999
> URL: https://issues.apache.org/jira/browse/AMBARI-11999
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
>Reporter: Robert Nettleton
>Assignee: Robert Nettleton
>Priority: Critical
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The Blueprint processor incorrectly includes some Kerberos-related hostname 
> properties in an exported Blueprint.  Since there is no support yet for 
> starting a Kerberized cluster directly with a Blueprint, these properties are 
> confusing to users, and also include hostname information, which makes the 
> Blueprint less portable across different cluster types.  
> Steps to reproduce:
> 1. Setup a single-node cluster (HDFS/Yarn/Zookeeper/Metrics) with the Ambari 
> UI.
> 2. Enable Kerberos using the Kerberos Wizard in the Ambari UI.
> 3. Export a Blueprint from the running cluster using the following REST URL:
> http://host:port/api/v1/clusters/cluster_name?format=blueprint
> This Blueprint will include the following Kerberos hostname properties:
> "admin_server_host" in "kerberos-env"
> "kdc_host" in "kerberos-env"
> "hadoop.proxyuser.yarn.hosts" in "core-site"
> The Blueprints configuration processor needs to be updated to filter out these 
> properties, or export them without the hostname information. 
> I'm working on a fix for this, and will submit a patch shortly. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (AMBARI-13324) Ambari doesn't create Flume Kerberos principal + keytab

2017-01-24 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-13324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-13324:
--
Attachment: (was: 0001-AMBARI-13324-createFlumeKeytab.patch)

> Ambari doesn't create Flume Kerberos principal + keytab
> ---
>
> Key: AMBARI-13324
> URL: https://issues.apache.org/jira/browse/AMBARI-13324
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
> Environment: HDP 2.3 + Kerberos MIT KDC
>Reporter: Hari Sekhon
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-13324-Ambari-doesn-t-create-Flume-Kerberos-pr.patch, 
> flume_kerberos.txt
>
>
> When deploying Kerberos via Ambari with MIT KDC, Ambari doesn't generate a 
> Kerberos principal and keytab for Flume.





[jira] [Updated] (AMBARI-13324) Ambari doesn't create Flume Kerberos principal + keytab

2017-01-24 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-13324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-13324:
--
Attachment: 0001-AMBARI-13324-Ambari-doesn-t-create-Flume-Kerberos-pr.patch

> Ambari doesn't create Flume Kerberos principal + keytab
> ---
>
> Key: AMBARI-13324
> URL: https://issues.apache.org/jira/browse/AMBARI-13324
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
> Environment: HDP 2.3 + Kerberos MIT KDC
>Reporter: Hari Sekhon
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-13324-Ambari-doesn-t-create-Flume-Kerberos-pr.patch, 
> flume_kerberos.txt
>
>
> When deploying Kerberos via Ambari with MIT KDC, Ambari doesn't generate a 
> Kerberos principal and keytab for Flume.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2017-01-25 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15838397#comment-15838397
 ] 

Shi Wang commented on AMBARI-18836:
---

Hi Robert, thanks, I am totally fine with it.

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk, 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk, 2.5.0
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Assigned] (AMBARI-20105) When spark thrift server and hive server2 located on different hosts, with kerberos spark thrift server keeps failing

2017-02-22 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang reassigned AMBARI-20105:
-

Assignee: Shi Wang

> When spark thrift server and hive server2 located on different hosts, with 
> kerberos spark thrift server keeps failing
> -
>
> Key: AMBARI-20105
> URL: https://issues.apache.org/jira/browse/AMBARI-20105
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk, 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
>




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Created] (AMBARI-20105) When spark thrift server and hive server2 located on different hosts, with kerberos spark thrift server keeps failing

2017-02-21 Thread Shi Wang (JIRA)
Shi Wang created AMBARI-20105:
-

 Summary: When spark thrift server and hive server2 located on 
different hosts, with kerberos spark thrift server keeps failing
 Key: AMBARI-20105
 URL: https://issues.apache.org/jira/browse/AMBARI-20105
 Project: Ambari
  Issue Type: Bug
Reporter: Shi Wang








[jira] [Updated] (AMBARI-20105) When spark thrift server and hive server2 located on different hosts, with kerberos spark thrift server keeps failing

2017-02-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20105:
--
Affects Version/s: 2.5.0
   trunk

> When spark thrift server and hive server2 located on different hosts, with 
> kerberos spark thrift server keeps failing
> -
>
> Key: AMBARI-20105
> URL: https://issues.apache.org/jira/browse/AMBARI-20105
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk, 2.5.0
>Reporter: Shi Wang
>






[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-09-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Description: Ranger-842 has added PAM support for ranger, we need to add 
this part to ambari, to do automatic setup for ranger to use PAM authentication.

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
>
> Ranger-842 has added PAM support for ranger, we need to add this part to 
> ambari, to do automatic setup for ranger to use PAM authentication.





[jira] [Assigned] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-09-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang reassigned AMBARI-18425:
-

Assignee: Shi Wang

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
>






[jira] [Created] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-09-20 Thread Shi Wang (JIRA)
Shi Wang created AMBARI-18425:
-

 Summary: Support PAM as an authentication option for Ranger in 
Ambari
 Key: AMBARI-18425
 URL: https://issues.apache.org/jira/browse/AMBARI-18425
 Project: Ambari
  Issue Type: Task
  Components: ambari-server, ambari-web
Affects Versions: trunk
Reporter: Shi Wang
 Fix For: trunk








[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Description: 
The Smoke and “Headless” Service users are used by Ambari to perform service 
“smoke” checks and run alert health checks. 
The permission for hdfs.headless.keytab is 440. But it will cause security 
concern to allow other service user in hadoop group to kinit hdfs headless 
principal using hdfs.headless.keytab. In this way, other service user could 
"pretend" to be hdfs user and be granted hdfs user's authorities.

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Reporter: Shi Wang
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Created] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)
Shi Wang created AMBARI-18836:
-

 Summary: Remove group readable from hdfs headless keytab
 Key: AMBARI-18836
 URL: https://issues.apache.org/jira/browse/AMBARI-18836
 Project: Ambari
  Issue Type: Bug
Reporter: Shi Wang








[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Attachment: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.4.2
>Reporter: Shi Wang
>Assignee: Shi Wang
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Assigned] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang reassigned AMBARI-18836:
-

Assignee: Shi Wang

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Reporter: Shi Wang
>Assignee: Shi Wang
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Affects Version/s: 2.4.2
   Status: Patch Available  (was: Open)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.4.2
>Reporter: Shi Wang
>Assignee: Shi Wang
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15652476#comment-15652476
 ] 

Shi Wang commented on AMBARI-18836:
---

Hi Robert,
I did test on a full stack cluster, and after changing the hdfs headless 
permission to 400, I did stop all/stop all and service check for all the 
services; webhcat is the only service that breaks because of the piece of code 
in webhcat.py removed in the patch. Because it doesn't make sense to me to 
kinit hdfs headless principal for hcat user.
I also searched the codebase and found other services like yarn; in 
resourcemanager.py there is

    Execute(format("{kinit_path_local} -kt {hdfs_user_keytab} {hdfs_principal_name}"),
            user=params.hdfs_user
    )

But it will do kinit as hdfs user instead of yarn user, therefore won't break 
after removing group readability.

Another place besides webhcat that will kinit hdfs.headless principal as other 
user is in the copy_tarballs_to_hdfs method in 
dynamic_variable_interpretation.py and Ambaripreupload.py, but it seems this 
method is deprecated?

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.4.2
>Reporter: Shi Wang
>Assignee: Shi Wang
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15652505#comment-15652505
 ] 

Shi Wang commented on AMBARI-18836:
---

Yes, the smoke user keytab is also group readable. But I am not as concerned 
about smokeuser as about hdfs user, because hdfs resource is shared by all the 
services and hdfs user has the power to create and manipulate those resources. 
Maybe I should modify the description to be more specific about this issue. But 
if you think we should address them all under this jira I will do more 
investigation into smoke user and modify the patch accordingly.
Another issue is about hbase headless principal: I also searched for hbase 
headless keytab, and it seems only hbase itself uses this keytab but still it 
got a 440 permission.

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.4.2
>Reporter: Shi Wang
>Assignee: Shi Wang
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
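
The two comments above discuss moving hdfs.headless.keytab from 440 to 400 and note that the smoke user and hbase headless keytabs are also group readable. The following is an added example, not code from the Ambari patch or from the thread's author: a small audit that lists keytabs readable by group or others and tightens a chosen one to 400. The directory layout, every file name other than hdfs.headless.keytab, and the helper names are assumptions made for the illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    name: str         # keytab file name
    mode: str         # permission bits in octal, e.g. "440"
    gid: int          # group that gains read access when group_read is set
    group_read: bool
    other_read: bool


def audit_keytabs(keytab_dir):
    """Return a Finding for every *.keytab readable by group or others.

    A keytab holds long-term keys, so any account that can read the file
    can obtain tickets for the principals stored in it.
    """
    findings = []
    for name in sorted(os.listdir(keytab_dir)):
        if not name.endswith(".keytab"):
            continue
        path = os.path.join(keytab_dir, name)
        st = os.lstat(path)              # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue                     # ignore links, directories, devices
        perms = stat.S_IMODE(st.st_mode)
        group_read = bool(perms & stat.S_IRGRP)
        other_read = bool(perms & stat.S_IROTH)
        if group_read or other_read:
            findings.append(
                Finding(name, format(perms, "03o"), st.st_gid,
                        group_read, other_read))
    return findings


def tighten_to_owner_only(path):
    """Set the file to 0400: readable by its owner and nobody else."""
    os.chmod(path, stat.S_IRUSR)


def demo():
    """Build a constructed keytab directory, audit it, apply the 440 -> 400
    change to hdfs.headless.keytab only, and audit again."""
    # Constructed sample layout; the files contain placeholder bytes,
    # not real keytabs.
    samples = {
        "hdfs.headless.keytab": 0o440,
        "hbase.headless.keytab": 0o440,
        "smokeuser.headless.keytab": 0o440,
        "nn.service.keytab": 0o400,
    }
    with tempfile.TemporaryDirectory() as keytab_dir:
        for name, mode in samples.items():
            path = os.path.join(keytab_dir, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a keytab")
            os.chmod(path, mode)

        before = [(f.name, f.mode) for f in audit_keytabs(keytab_dir)]
        tighten_to_owner_only(
            os.path.join(keytab_dir, "hdfs.headless.keytab"))
        after = [(f.name, f.mode) for f in audit_keytabs(keytab_dir)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("group/other readable before:", before)
    print("group/other readable after: ", after)
```

Before tightening a keytab found this way, check which accounts run kinit against it, as the thread does for webhcat, since a service that reads the file as a different user stops working once the group bit is removed.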


[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-09 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Fix Version/s: 2.4.2

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.4.2
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: 2.4.2
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-10 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Attachment: (was: 
0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-10 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Attachment: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-10 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Affects Version/s: (was: 2.4.2)
   trunk
Fix Version/s: (was: 2.4.2)
   trunk

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-11-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Attachment: (was: 
0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch)

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
>
> Ranger-842 has added PAM support for ranger, we need to add this part to 
> ambari, to do automatic setup for ranger to use PAM authentication.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-11-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Attachment: 0001-AMBARI-18425-Support-PAM-as-an-authentication-option 
(1).patch

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option (1).patch
>
>
> Ranger-842 has added PAM support for ranger, we need to add this part to 
> ambari, to do automatic setup for ranger to use PAM authentication.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-21 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Resolution: Fixed
Status: Resolved  (was: Patch Available)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-23 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Attachment: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-23 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Attachment: (was: 
0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-23 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Status: Patch Available  (was: Reopened)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-28 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15702794#comment-15702794
 ] 

Shi Wang commented on AMBARI-18836:
---

Thanks Robert.

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Updated] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-28 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18836:
--
Resolution: Fixed
Status: Resolved  (was: Patch Available)

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it will cause security 
> concern to allow other service user in hadoop group to kinit hdfs headless 
> principal using hdfs.headless.keytab. In this way, other service user could 
> "pretend" to be hdfs user and be granted hdfs user's authorities.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-23 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15691464#comment-15691464
 ] 

Shi Wang commented on AMBARI-18836:
---

Thanks [~adoroszlai] for pointing it out; the modified patch passed all the tests.
[~rlevas], please help commit the patch again, thanks!

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, 
> AMBARI-18836-test_failure.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it causes a security 
> concern to allow other service users in the hadoop group to kinit the hdfs 
> headless principal using hdfs.headless.keytab. In this way, other service 
> users could "pretend" to be the hdfs user and be granted the hdfs user's 
> authorities.





[jira] [Commented] (AMBARI-18836) Remove group readable from hdfs headless keytab

2016-11-15 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15667873#comment-15667873
 ] 

Shi Wang commented on AMBARI-18836:
---

Hi [~lpuskas] [~aonishuk],
Do you have any suggestions on this issue?

> Remove group readable from hdfs headless keytab
> ---
>
> Key: AMBARI-18836
> URL: https://issues.apache.org/jira/browse/AMBARI-18836
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service 
> “smoke” checks and run alert health checks. 
> The permission for hdfs.headless.keytab is 440. But it causes a security 
> concern to allow other service users in the hadoop group to kinit the hdfs 
> headless principal using hdfs.headless.keytab. In this way, other service 
> users could "pretend" to be the hdfs user and be granted the hdfs user's 
> authorities.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-11-17 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Attachment: 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-11-17 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Attachment: (was: 
0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch)

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.





[jira] [Commented] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-11-15 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15667921#comment-15667921
 ] 

Shi Wang commented on AMBARI-18425:
---

This patch adds an authentication option "PAM" in Ambari for Ranger user login, 
since RANGER-842 supports PAM authentication. How this patch works:
1. If the user selects "PAM" as the Ranger authentication method, during Ranger 
service restart it will create two new PAM files under either /etc/pam.d or 
/etc/pam.conf, according to the PAM version on the operating system. The 
ranger-admin module will be used for Ranger PAM authentication; the 
ranger-remote module is for remote user login.
2. By default, the setting in these two PAM files is:
auth sufficient pam_unix.so
auth sufficient pam_sss.so
account sufficient pam_unix.so
account sufficient pam_sss.so
This default setting allows users to authenticate against either unix or sssd; 
sssd could be configured with different backends such as LDAP, AD, FreeIPA... 
The user could also configure the PAM files as needed by directly modifying 
them.
3. One thing that needs to be pointed out: if using the pam_unix.so module, 
ranger-admin must be started as the root user, because it will look up the 
password in the /etc/shadow file, which is only readable by root. 


> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-10-16 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Attachment: 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-18425-Support-PAM-as-an-authentication-option.patch
>
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.





[jira] [Updated] (AMBARI-18425) Support PAM as an authentication option for Ranger in Ambari

2016-10-16 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-18425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-18425:
--
Status: Patch Available  (was: In Progress)

> Support PAM as an authentication option for Ranger in Ambari
> 
>
> Key: AMBARI-18425
> URL: https://issues.apache.org/jira/browse/AMBARI-18425
> Project: Ambari
>  Issue Type: Task
>  Components: ambari-server, ambari-web
>Affects Versions: trunk
>Reporter: Shi Wang
>Assignee: Shi Wang
>  Labels: security
> Fix For: trunk
>
>
> Ranger-842 has added PAM support for Ranger; we need to add this part to 
> Ambari, to do automatic setup for Ranger to use PAM authentication.





[jira] [Updated] (AMBARI-13324) Ambari doesn't create Flume Kerberos principal + keytab

2017-01-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-13324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-13324:
--
 Assignee: Shi Wang
Fix Version/s: trunk
   Status: Patch Available  (was: Open)

> Ambari doesn't create Flume Kerberos principal + keytab
> ---
>
> Key: AMBARI-13324
> URL: https://issues.apache.org/jira/browse/AMBARI-13324
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
> Environment: HDP 2.3 + Kerberos MIT KDC
>Reporter: Hari Sekhon
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: flume_kerberos.txt
>
>
> When deploying Kerberos via Ambari with MIT KDC, Ambari doesn't generate a 
> Kerberos principal and keytab for Flume.





[jira] [Updated] (AMBARI-13324) Ambari doesn't create Flume Kerberos principal + keytab

2017-01-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-13324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-13324:
--
Attachment: 0001-AMBARI-13324-createFlumeKeytab.patch

> Ambari doesn't create Flume Kerberos principal + keytab
> ---
>
> Key: AMBARI-13324
> URL: https://issues.apache.org/jira/browse/AMBARI-13324
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
> Environment: HDP 2.3 + Kerberos MIT KDC
>Reporter: Hari Sekhon
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 0001-AMBARI-13324-createFlumeKeytab.patch, 
> flume_kerberos.txt
>
>
> When deploying Kerberos via Ambari with MIT KDC, Ambari doesn't generate a 
> Kerberos principal and keytab for Flume.





[jira] [Commented] (AMBARI-13324) Ambari doesn't create Flume Kerberos principal + keytab

2017-01-07 Thread Shi Wang (JIRA)

[ 
https://issues.apache.org/jira/browse/AMBARI-13324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15808616#comment-15808616
 ] 

Shi Wang commented on AMBARI-13324:
---

Hi [~harisekhon] and [~gss2002],

I would like to contribute to this JIRA. Ambari uses kerberos.json to automate 
the keytab and principal creation process and the relevant configuration 
changes. It works similarly to pulling the Kerberos descriptor, as mentioned in 
comment 1.

The patch also includes some changes in the service check and params after 
security is enabled.

> Ambari doesn't create Flume Kerberos principal + keytab
> ---
>
> Key: AMBARI-13324
> URL: https://issues.apache.org/jira/browse/AMBARI-13324
> Project: Ambari
>  Issue Type: Bug
>  Components: ambari-server
>Affects Versions: 2.1.0
> Environment: HDP 2.3 + Kerberos MIT KDC
>Reporter: Hari Sekhon
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 0001-AMBARI-13324-createFlumeKeytab.patch, 
> flume_kerberos.txt
>
>
> When deploying Kerberos via Ambari with MIT KDC, Ambari doesn't generate a 
> Kerberos principal and keytab for Flume.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Status: Open  (was: Patch Available)

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
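
The behaviour this issue asks for, as an added sketch that is not the Ambari patch: write the default stack from the AMBARI-18425 comment only when the file is absent, and report files an administrator has changed instead of regenerating them. The function names and the pam.d-style directory argument are assumptions; the file names ranger-admin and ranger-remote come from that comment.

```python
import os
import tempfile

# Default stack quoted in the AMBARI-18425 comment.
DEFAULT_PAM_STACK = (
    "auth sufficient pam_unix.so\n"
    "auth sufficient pam_sss.so\n"
    "account sufficient pam_unix.so\n"
    "account sufficient pam_sss.so\n"
)
PAM_SERVICES = ("ranger-admin", "ranger-remote")


def ensure_pam_file(pam_dir, service, content=DEFAULT_PAM_STACK):
    """Create pam_dir/service with the default stack only if it is absent.

    Returns "created", "unchanged" (exists and equals the default) or
    "customized" (exists and differs; it is left exactly as found).
    """
    path = os.path.join(pam_dir, service)
    try:
        # O_EXCL makes "check and create" one atomic step and refuses to
        # write through an existing symlink.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        if os.path.islink(path) or not os.path.isfile(path):
            return "customized"  # not a plain file: leave it to the admin
        with open(path) as fh:
            return "unchanged" if fh.read() == content else "customized"
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            os.fchmod(fh.fileno(), 0o644)  # exact mode, independent of umask
    except BaseException:
        os.unlink(path)  # do not leave a half-written PAM file behind
        raise
    return "created"


def ensure_ranger_pam_defaults(pam_dir):
    """Run the write-once check for both Ranger PAM service files."""
    return {svc: ensure_pam_file(pam_dir, svc) for svc in PAM_SERVICES}


if __name__ == "__main__":
    # Constructed scenario: first start, an admin edit, then a restart.
    with tempfile.TemporaryDirectory() as pam_dir:
        print("first start:", ensure_ranger_pam_defaults(pam_dir))
        with open(os.path.join(pam_dir, "ranger-admin"), "w") as fh:
            fh.write("auth required pam_sss.so\naccount required pam_sss.so\n")
        print("restart:    ", ensure_ranger_pam_defaults(pam_dir))
```

A "customized" result can be logged at restart so that drift from the shipped template stays visible without being reverted.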


[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-06 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Affects Version/s: 2.5.0

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
>






[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-06 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Description: AMBARI-18425 added PAM support for Ranger authentication in 
Ambari, but it relies on the default template and does not allow the user to 
configure the PAM file through Ambari. Therefore, when Ranger admin is 
restarted, the custom PAM file content will be overwritten by the default 
template.  

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but it 
> relies on the default template and does not allow the user to configure the 
> PAM file through Ambari. Therefore, when Ranger admin is restarted, the 
> custom PAM file content will be overwritten by the default template.  





[jira] [Created] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-06 Thread Shi Wang (JIRA)
Shi Wang created AMBARI-20329:
-

 Summary: After restarting Ranger, PAM files are overwritten by 
default template
 Key: AMBARI-20329
 URL: https://issues.apache.org/jira/browse/AMBARI-20329
 Project: Ambari
  Issue Type: Bug
Reporter: Shi Wang
Assignee: Shi Wang








[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-06 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Description: AMBARI-18425 added PAM support for Ranger authentication in 
Ambari, but every time ranger-admin is restarted it generates the files again, 
which overwrites the user's changes. Need to check first whether these files 
already exist and, if so, not generate them again.  (was: AMBARI-18425 added 
PAM support for Ranger authentication in Ambari, but it relies on the default 
template and does not allow the user to configure the PAM file through Ambari. 
Therefore, when Ranger admin is restarted, the custom PAM file content will be 
overwritten by the default template.)

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.





[jira] [Updated] (AMBARI-20105) When spark thrift server and hive server2 located on different hosts, with kerberos spark thrift server keeps failing

2017-03-01 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20105:
--
Description: Spark thrift server is run as the hive user; when Kerberos is 
enabled, the hive user needs to be able to impersonate any request coming from 
hosts where Spark thrift servers are installed. Need to change 
hadoop.proxyuser.hive.hosts to include the Spark thrift server hosts.

> When spark thrift server and hive server2 located on different hosts, with 
> kerberos spark thrift server keeps failing
> -
>
> Key: AMBARI-20105
> URL: https://issues.apache.org/jira/browse/AMBARI-20105
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: trunk, 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
>
> Spark thrift server is run as the hive user; when Kerberos is enabled, the 
> hive user needs to be able to impersonate any request coming from hosts where 
> Spark thrift servers are installed. Need to change 
> hadoop.proxyuser.hive.hosts to include the Spark thrift server hosts.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Attachment: 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Status: Patch Available  (was: Open)

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Fix Version/s: trunk
   Status: Patch Available  (was: Open)

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Attachment: (was: 
0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch)

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.





[jira] [Updated] (AMBARI-20329) After restarting Ranger, PAM files are overwritten by default template

2017-03-07 Thread Shi Wang (JIRA)

 [ 
https://issues.apache.org/jira/browse/AMBARI-20329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shi Wang updated AMBARI-20329:
--
Attachment: 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch

> After restarting Ranger, PAM files are overwritten by default template
> --
>
> Key: AMBARI-20329
> URL: https://issues.apache.org/jira/browse/AMBARI-20329
> Project: Ambari
>  Issue Type: Bug
>Affects Versions: 2.5.0
>Reporter: Shi Wang
>Assignee: Shi Wang
> Fix For: trunk
>
> Attachments: 
> 0001-AMBARI-20329-After-restarting-Ranger-PAM-files-are-o.patch
>
>
> AMBARI-18425 added PAM support for Ranger authentication in Ambari, but every 
> time ranger-admin is restarted it generates the files again, which overwrites 
> the user's changes. Need to check first whether these files already exist 
> and, if so, not generate them again.


