[ https://issues.apache.org/jira/browse/AMBARI-18836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15702718#comment-15702718 ]
Hudson commented on AMBARI-18836: --------------------------------- SUCCESS: Integrated in Jenkins build Ambari-trunk-Commit #6092 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6092/]) AMBARI-18836. Remove group readable from hdfs headless keytab (Shi Wang (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=cad0130d9d4a64a6bda1992758c5c7c05e06b39e]) * (edit) ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat.py * (edit) ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json * (edit) ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json * (edit) ambari-server/src/test/python/stacks/2.0.6/HIVE/test_webhcat_server.py > Remove group readable from hdfs headless keytab > ----------------------------------------------- > > Key: AMBARI-18836 > URL: https://issues.apache.org/jira/browse/AMBARI-18836 > Project: Ambari > Issue Type: Bug > Affects Versions: trunk > Reporter: Shi Wang > Assignee: Shi Wang > Fix For: trunk > > Attachments: > 0001-AMBARI-18836-Remove-group-readable-from-hdfs-headles.patch, > AMBARI-18836-test_failure.patch > > > The Smoke and “Headless” Service users are used by Ambari to perform service > “smoke” checks and run alert health checks. > The permission for hdfs.headless.keytab is 440. But it will cause security > concern to allow other service user in hadoop group to kinit hdfs headless > principal using hdfs.headless.keytab. In this way, other service user could > "pretend" to be hdfs user and be granted hdfs user's authorities. -- This message was sent by Atlassian JIRA (v6.3.4#6332)