[39407] in Kerberos
Impersonate Kerberos user on HDFS
daemon@ATHENA.MIT.EDU (Philippe de Rochambeau)
Thu Apr 11 02:42:29 2024
From: Philippe de Rochambeau <phiroc@free.fr>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Message-Id: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr>
Date: Thu, 11 Apr 2024 08:40:40 +0200
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello,
Let's say a user has the following rights on HDFS (which are constrained Apache Ranger):
/prd/a/b/c <- read right
/prd/a/b/d <- read/write right
I would like to get a broad picture of his/her complete access rights.
I could look at the general policies in Apache Ranger and try to figure out which apply to my user, but that's complicated.
I wonder if there is another way (which ideally could be automated with a script) roughly:
- impersonate the user as, say, admin, with kinit; e.g. kinit <user>
- scan all HDFS directories and try to read or write
Does anyone have suggestions?
PS I've asked similar questions on the Apache Ranger mailing list, but with no success.
Many thanks.
Philippe
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos