Posted to issues@ambari.apache.org by "Doroszlai, Attila (JIRA)" <ji...@apache.org> on 2016/11/23 08:30:59 UTC

[jira] [Reopened] (AMBARI-18836) Remove group readable from hdfs headless keytab

     [ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Doroszlai, Attila reopened AMBARI-18836:
----------------------------------------

This causes a Python unit test failure.

{noformat}
Failed tests:
FAIL: test_start_secured (test_webhcat_server.TestWebHCatServer)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jenkins/jenkins-slave/workspace/Ambari-trunk-test-patch/ambari/ambari-common/src/test/python/mock/mock.py", line 1199, in patched
    return func(*args, **keywargs)
  File "/home/jenkins/jenkins-slave/workspace/Ambari-trunk-test-patch/ambari/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py", line 134, in test_start_secured
    self.assert_configure_secured()
  File "/home/jenkins/jenkins-slave/workspace/Ambari-trunk-test-patch/ambari/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py", line 257, in assert_configure_secured
    user = 'hcat',
  File "/home/jenkins/jenkins-slave/workspace/Ambari-trunk-test-patch/ambari/ambari-server/src/test/python/stacks/utils/RMFTestCase.py", line 280, in assertResourceCalled
    self.assertEquals(resource_type, resource.__class__.__name__)
AssertionError: 'Execute' != 'XmlConfig'

----------------------------------------------------------------------
Total run:1166
Total errors:0
Total failures:1
{noformat}

> Remove group readable from hdfs headless keytab
> -----------------------------------------------
>
>                 Key: AMBARI-18836
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18836
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: trunk
>            Reporter: Shi Wang
>            Assignee: Shi Wang
>             Fix For: trunk
>
>         Attachments: 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch
>
>
> The Smoke and “Headless” Service users are used by Ambari to perform service “smoke” checks and run alert health checks.
> The permission for hdfs.headless.keytab is 440. But it will cause a security concern to allow other service users in the hadoop group to kinit the hdfs headless principal using hdfs.headless.keytab. In this way, other service users could "pretend" to be the hdfs user and be granted the hdfs user's authorities.
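
An added example, not part of the JIRA issue or the attached Ambari patch: a Python audit for the condition the description reports, a keytab whose mode gives group or other users any access. The directory layout, the second file name and the owner-only 0400 target mode are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Assumption: a headless keytab should be readable by its owner only.
OWNER_ONLY = 0o400


def audit_keytabs(root):
    """Return [(path, octal_mode)] for *.keytab files that group or other can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".keytab"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any group/other bit means another account can read or replace the key.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, format(mode, "03o")))
    return findings


def restrict(path):
    """Reduce the file to owner-read only (0400)."""
    os.chmod(path, OWNER_ONLY)


def demo():
    """Constructed sample: one keytab at 440 (the mode the issue reports), one at 400."""
    samples = (("hdfs.headless.keytab", 0o440), ("other.service.keytab", 0o400))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real keytab")
            os.chmod(path, mode)
        before = [(os.path.basename(p), m) for p, m in audit_keytabs(root)]
        for path, _mode in audit_keytabs(root):
            restrict(path)
        after = audit_keytabs(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```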


