Posted to issues@ambari.apache.org by "Yesha Vora (JIRA)" <ji...@apache.org> on 2018/02/09 22:27:00 UTC

[jira] [Created] (AMBARI-22956) Fix hadoop-policy.xml and YARN_OPTS property values for secure yarn cluster

Yesha Vora created AMBARI-22956:
-----------------------------------

             Summary: Fix hadoop-policy.xml and YARN_OPTS property values for secure yarn cluster	
                 Key: AMBARI-22956
                 URL: https://issues.apache.org/jira/browse/AMBARI-22956
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 2.7.0
            Reporter: Yesha Vora


A few misconfigurations were found in a secure Hadoop cluster:

* Hadoop-policy.xml is configured to allow the hadoop user to use security.refresh.policy.protocol.acl, security.refresh.usertogroups.mappings.protocol.acl, security.admin.operations.protocol.acl. However, the proper syntax should be users blank groups. For example:
{code}
hdfs,yarn hadoop
{code}
The Ambari side is misconfiguring the hadoop-policy.

* In addition, we also found the cluster is configured with yarn-env.sh which contains:
{code}
YARN_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/xxx/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client $YARN_OPTS"
{code}
This does not look correct because YARN does not have a zookeeper principal. The SASL client username should be either rm or yarn. Ideally, this is set in yarn_jaas.conf to use the client-supplied name instead of trying to be zookeeper globally.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
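
The ACL syntax described in the report (users, a blank, then groups) can be checked mechanically. The following is an added example, not part of the original report or of Ambari: it parses the three ACL values from a constructed hadoop-policy.xml and flags any that differ from an expected users/groups set. The function names, the sample XML and the expected sets are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The three ACL properties named in the report.
ADMIN_ACLS = (
    "security.refresh.policy.protocol.acl",
    "security.refresh.usertogroups.mappings.protocol.acl",
    "security.admin.operations.protocol.acl",
)

# Constructed sample, not taken from a real cluster.
SAMPLE_POLICY = """<configuration>
  <property><name>security.refresh.policy.protocol.acl</name><value>hadoop</value></property>
  <property><name>security.refresh.usertogroups.mappings.protocol.acl</name><value>hdfs,yarn hadoop</value></property>
  <property><name>security.admin.operations.protocol.acl</name><value>*</value></property>
</configuration>"""

def parse_acl(value):
    """Split 'users<blank>groups' into (users, groups, allow_all).

    A value with no blank names users only; a leading blank names groups only.
    """
    if value.strip() == "*":
        return set(), set(), True
    parts = value.split(" ", 1)
    users = {u.strip() for u in parts[0].split(",") if u.strip()}
    groups = {g.strip() for g in parts[1].split(",") if g.strip()} if len(parts) == 2 else set()
    return users, groups, False

def audit_policy(xml_text, expected_users, expected_groups):
    """Return {property: finding} for admin ACLs that differ from the expected sets."""
    values = {(p.findtext("name") or "").strip(): p.findtext("value") or ""
              for p in ET.fromstring(xml_text).iter("property")}
    findings = {}
    for name in ADMIN_ACLS:
        if name not in values:
            findings[name] = "not set in this file"
            continue
        users, groups, allow_all = parse_acl(values[name])
        if allow_all:
            findings[name] = "wildcard: every user is allowed"
        elif users != expected_users or groups != expected_groups:
            findings[name] = f"users={sorted(users)} groups={sorted(groups)}"
    return findings

if __name__ == "__main__":
    for prop, finding in audit_policy(SAMPLE_POLICY, {"hdfs", "yarn"}, {"hadoop"}).items():
        print(f"{prop}: {finding}")
```

In the sample, the bare value hadoop parses as a user named hadoop with no groups, which is the kind of mismatch the users-blank-groups syntax is meant to avoid.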