  1. Ambari
  2. AMBARI-13695

Minimize HDFS and other headless keytab distribution (security concerns)


      Description

      Currently, we distribute the hdfs headless principal to pretty much every single host in the cluster.
      Since hdfs is a super user in HDFS, if any one of the hdfs keytabs is compromised on any host, the user can do anything on HDFS.
      We need to revisit and see if we can restrict the number of hosts to which we distribute the hdfs headless keytab.
      For example, we can perform necessary HDFS operations on one of the master hosts available, rather than picking an arbitrary client / slave host as we do today.
      Also, we should look into not only hdfs headless keytabs but all other headless ones like hbase, storm, etc.
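
An added example, not part of the original issue or of Ambari's code: one way to audit the exposure described above, by parsing `klist -kt` output collected from each host and listing headless principals (those with no `/instance` part) that sit outside an allowed set of hosts. The hostnames, realm, keytab path, sample output and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: `klist -kt <keytab>` output gathered per host.
# Hostnames, realm and the keytab path are made up for illustration.
INVENTORY = {
    "master1.example.com": """
Keytab name: FILE:/path/to/sample.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   1 10/27/15 10:00:00 hdfs@EXAMPLE.COM
   1 10/27/15 10:00:00 nn/master1.example.com@EXAMPLE.COM
""",
    "worker1.example.com": """
   1 10/27/15 10:00:00 hdfs@EXAMPLE.COM
   1 10/27/15 10:00:00 dn/worker1.example.com@EXAMPLE.COM
""",
    "worker2.example.com": """
   1 10/27/15 10:00:00 hdfs@EXAMPLE.COM
   1 10/27/15 10:00:00 hbase@EXAMPLE.COM
   1 10/27/15 10:00:00 dn/worker2.example.com@EXAMPLE.COM
""",
}

def principals(klist_output):
    """Return the set of principals listed in `klist -kt` output."""
    found = set()
    for line in klist_output.splitlines():
        parts = line.split()
        # Entry rows start with a numeric KVNO and end with the principal.
        if parts and parts[0].isdigit() and "@" in parts[-1]:
            found.add(parts[-1])
    return found

def is_headless(principal):
    """Headless principals are `name@REALM`; service ones are `name/host@REALM`."""
    return "/" not in principal.split("@", 1)[0]

def excess_headless(inventory, allowed_hosts):
    """Map each headless principal to the hosts holding it outside allowed_hosts."""
    excess = defaultdict(set)
    for host, output in inventory.items():
        for principal in principals(output):
            if is_headless(principal) and host not in allowed_hosts:
                excess[principal].add(host)
    return {p: sorted(hosts) for p, hosts in excess.items()}

if __name__ == "__main__":
    for p, hosts in sorted(excess_headless(INVENTORY, {"master1.example.com"}).items()):
        print(f"{p}: {len(hosts)} host(s) beyond the allowed set: {', '.join(hosts)}")
```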


              People

              • Assignee:
                rlevas Robert Levas
                Reporter:
                rlevas Robert Levas
