Yesha Vora created AMBARI-22956:
-----------------------------------

             Summary: Fix hadoop-policy.xml and YARN_OPTS property values for secure yarn cluster
                 Key: AMBARI-22956
                 URL: https://issues.apache.org/jira/browse/AMBARI-22956
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 2.7.0
            Reporter: Yesha Vora


A few misconfigurations were found in a secure Hadoop cluster:

* hadoop-policy.xml is configured to allow the hadoop user to use 
security.refresh.policy.protocol.acl, 
security.refresh.usertogroups.mappings.protocol.acl, and 
security.admin.operations.protocol.acl. However, the proper syntax should be 
users blank groups. For example:
{code}
hdfs,yarn hadoop
{code}
The Ambari side is misconfiguring the hadoop-policy.

* In addition, we also found the cluster is configured with yarn-env.sh which 
contains:
{code}
YARN_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/xxx/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client $YARN_OPTS"
{code}
This does not look correct because YARN does not have a zookeeper principal. The 
sasl client username should be either rm or yarn. Ideally, this is set in 
yarn_jaas.conf to use the client-supplied name instead of trying to be zookeeper 
globally.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
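
An added example, not part of the original report or Ambari's code: a Python check that reads the three ACL properties named in the report from a hadoop-policy.xml and splits each value by the "users blank groups" syntax, so a bare name such as hadoop shows up as a user list with no group list. The XML sample and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three ACL properties named in the report.
ADMIN_ACLS = (
    "security.refresh.policy.protocol.acl",
    "security.refresh.usertogroups.mappings.protocol.acl",
    "security.admin.operations.protocol.acl",
)

# Constructed sample: first value is a bare name, second uses "users groups".
SAMPLE_POLICY = """<configuration>
  <property><name>security.refresh.policy.protocol.acl</name><value>hadoop</value></property>
  <property><name>security.admin.operations.protocol.acl</name><value>hdfs,yarn hadoop</value></property>
</configuration>"""


def parse_acl(value):
    """Split a Hadoop ACL string into (users, groups); '*' means everyone."""
    if value.strip() == "*":
        return ["*"], ["*"]
    # Text before the first blank is the user list, the rest is the group list.
    head, _, tail = value.partition(" ")
    users, groups = ([n.strip() for n in part.split(",") if n.strip()]
                     for part in (head, tail))
    return users, groups


def audit_policy(xml_text):
    """Return {property: finding} for the admin ACLs in a hadoop-policy.xml."""
    props = {p.findtext("name"): p.findtext("value") or ""
             for p in ET.fromstring(xml_text).iter("property")}
    findings = {}
    for name in ADMIN_ACLS:
        if name not in props:
            findings[name] = "not set"
            continue
        users, groups = parse_acl(props[name])
        if users == ["*"]:
            findings[name] = "open to everyone"
        elif users and not groups:
            findings[name] = "users only %s, no group list" % users
        else:
            findings[name] = "ok: users=%s groups=%s" % (users, groups)
    return findings


if __name__ == "__main__":
    for prop, finding in audit_policy(SAMPLE_POLICY).items():
        print(prop, "->", finding)
```

A value with a leading blank, such as " hadoop", parses as an empty user list and the group hadoop.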
