Yesha Vora created AMBARI-22956:
-----------------------------------

             Summary: Fix hadoop-policy.xml and YARN_OPTS property values for secure yarn cluster
                 Key: AMBARI-22956
                 URL: https://issues.apache.org/jira/browse/AMBARI-22956
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 2.7.0
            Reporter: Yesha Vora

A few misconfigurations were found in a secure Hadoop cluster:

* Hadoop-policy.xml is configured to allow the hadoop user to use security.refresh.policy.protocol.acl, security.refresh.usertogroups.mappings.protocol.acl, security.admin.operations.protocol.acl. However, the proper syntax should be users blank groups. For example: hdfs,yarn hadoop
The Ambari side is misconfiguring the hadoop-policy.

* In addition, we also found the cluster is configured with yarn-env.sh which contains:
{code}
YARN_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/xxx/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client $YARN_OPTS"
{code}
This does not look correct because YARN does not have a zookeeper principal. The sasl client username should be either rm or yarn. Ideally, this is set in yarn_jaas.conf to use the client-supplied name instead of trying to be zookeeper globally.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
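
A check for the hadoop-policy.xml problem reported above, added here as an example (it is not part of the JIRA report or of Ambari). It parses each of the three ACL values in Hadoop's "users blank groups" form and flags a name that sits in the users field although it is a group. The `known_groups` parameter and the sample XML are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# ACL keys named in the report.
ADMIN_ACLS = (
    "security.refresh.policy.protocol.acl",
    "security.refresh.usertogroups.mappings.protocol.acl",
    "security.admin.operations.protocol.acl",
)

def parse_acl(value):
    """Split a Hadoop ACL 'user1,user2 group1,group2' into (users, groups)."""
    if value.strip() == "*":
        return ["*"], ["*"]
    # Everything before the first blank is the user list; a leading blank
    # therefore means "no users, groups only".
    users_part, _, groups_part = value.partition(" ")
    users = [u for u in users_part.split(",") if u]
    groups = [g for g in groups_part.strip().split(",") if g]
    return users, groups

def audit_policy(xml_text, known_groups=("hadoop",)):
    """Return {property: finding} for ACLs that name a group in the users field.

    known_groups is an assumption: names that are groups on this cluster.
    """
    findings = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name not in ADMIN_ACLS:
            continue
        users, groups = parse_acl(prop.findtext("value") or "")
        misplaced = [u for u in users if u in known_groups]
        if misplaced:
            findings[name] = f"{misplaced} parsed as user(s), groups={groups}"
    return findings

# Constructed sample: one misconfigured value, one in the form the report
# gives as correct, one group-only value (leading blank).
SAMPLE_POLICY = """<configuration>
  <property><name>security.refresh.policy.protocol.acl</name><value>hadoop</value></property>
  <property><name>security.admin.operations.protocol.acl</name><value>hdfs,yarn hadoop</value></property>
  <property><name>security.refresh.usertogroups.mappings.protocol.acl</name><value> hadoop</value></property>
</configuration>"""

if __name__ == "__main__":
    for key, finding in audit_policy(SAMPLE_POLICY).items():
        print(f"{key}: {finding}")
```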