[AMBARI-18632] Security flaw with adding dr.who into yarn.admin.acl while enabling kerberos - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Later
Affects Version/s: 2.3.0, 2.2.0, 2.4.0
Fix Version/s: None
Component/s: security
Labels:
None

Description

~~AMBARI-12415~~ introduces a major security hole to a secure cluster, it adds dr.who into yarn.admin.acl, which grants yarn admin permission to an anonymous user. It should be reverted.

There is an alternative way of fixing this, see more in ~~HADOOP-13707~~. Http service could be non-secure in a kerberized environment, when hadoop.http.authentication.type=simple, under this situation, the fix of ~~HADOOP-13707~~ skips admin checks for static user dr.who.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Weiwei Yang

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 19/Oct/16 03:59

Updated:: 11/Jul/18 08:39

Resolved:: 11/Jul/18 08:39