AMBARI-18836. Remove group readable from hdfs headless keytab (Shi Wang via rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cad0130d
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cad0130d
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cad0130d
Branch: refs/heads/branch-feature-AMBARI-18634
Commit: cad0130d9d4a64a6bda1992758c5c7c05e06b39e
Parents: 255725d
Author: Shi Wang <cntj...@gmail.com>
Authored: Mon Nov 28 12:39:05 2016 -0500
Committer: Robert Levas <rle...@hortonworks.com>
Committed: Mon Nov 28 12:39:10 2016 -0500
----------------------------------------------------------------------
.../common-services/HDFS/2.1.0.2.0/kerberos.json | 2 +-
.../HIVE/0.12.0.2.0/package/scripts/webhcat.py | 10 ----------
.../resources/stacks/HDP/2.5/services/HDFS/kerberos.json | 2 +-
.../test/python/stacks/2.0.6/HIVE/test_webhcat_server.py | 4 ----
4 files changed, 2 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/cad0130d/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
index e8c96cb..f30c9e4 100644
--- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json
@@ -56,7 +56,7 @@
 },
 "group": {
 "name": "${cluster-env/user_group}",
- "access": "r"
+ "access": ""
 },
 "configuration": "hadoop-env/hdfs_user_keytab"
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/cad0130d/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py
----------------------------------------------------------------------
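Review bot: Setting the group `access` to `""` on the `hadoop-env/hdfs_user_keytab` entry in `common-services/HDFS/2.1.0.2.0/kerberos.json` (and in the identical hunk for `stacks/HDP/2.5/services/HDFS/kerberos.json`) is only safe if no remaining service script runs kinit with this keytab as an account that relied on the group read bit. This commit removes one such caller, the `Execute` run as `params.webhcat_user` in `webhcat.py`, but any other caller outside this diff would start failing on Kerberized clusters, so a search for other uses of `hdfs_user_keytab` under a non-owner `user=` is worth doing before merge. The descriptor also does not show whether keytab files already distributed with group read are tightened on upgrade or only when keytabs are regenerated. The release or upgrade notes should state which, since the headless HDFS principal stays exposed to the group on existing hosts until the file mode actually changes.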
diff --git a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py index a7feb60..00b057c 100644 --- a/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py +++ b/ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py @@ -70,16 +70,6 @@ def webhcat(): group=params.user_group, cd_access="a") - if params.security_enabled: - kinit_if_needed = format("{kinit_path_local} -kt {hdfs_user_keytab} {hdfs_principal_name};") - else: - kinit_if_needed = "" - - if kinit_if_needed: - Execute(kinit_if_needed, - user=params.webhcat_user, - path='/bin' - ) # Replace _HOST with hostname in relevant principal-related properties webhcat_site = params.config['configurations']['webhcat-site'].copy() http://git-wip-us.apache.org/repos/asf/ambari/blob/cad0130d/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json index 974a69c..9000e95 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json @@ -66,7 +66,7 @@ }, "group": { "name": "${cluster-env/user_group}", - "access": "r" + "access": "" }, "configuration": "hadoop-env/hdfs_user_keytab" } http://git-wip-us.apache.org/repos/asf/ambari/blob/cad0130d/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
index 2b26dd8..8df6295 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
+++ b/ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py
@@ -252,10 +252,6 @@ class TestWebHCatServer(RMFTestCase):
 create_parents = True,
 cd_access = 'a'
 )
- self.assertResourceCalled('Execute', '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs;',
- path = ['/bin'],
- user = 'hcat',
- )
 self.assertResourceCalled('XmlConfig', 'webhcat-site.xml',
 owner = 'hcat',
 group = 'hadoop',