[39408] in Kerberos


Re: Impersonate Kerberos user on HDFS

daemon@ATHENA.MIT.EDU (ronnie sahlberg)
Thu Apr 11 03:22:45 2024

In-Reply-To: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr>
From: ronnie sahlberg <ronniesahlberg@gmail.com>
Date: Thu, 11 Apr 2024 17:21:02 +1000
Message-ID: <CAN05THTY3ZfM657u2t7uJnocZWhFo-PvUTMfYwM6_eyBk1Js_w@mail.gmail.com>
To: Philippe de Rochambeau <phiroc@free.fr>
Cc: kerberos@mit.edu

On Thu, 11 Apr 2024 at 16:43, Philippe de Rochambeau <phiroc@free.fr> wrote:
>
> Hello,
>
> Let's say a user has the following rights on HDFS (which are constrained by Apache Ranger):
>
> /prd/a/b/c <- read right
> /prd/a/b/d <- read/write right
>
> I would like to get a broad picture of his/her complete access rights.
>
> I could look at the general policies in Apache Ranger and try to figure out which apply to my user, but that's complicated.
>
> I wonder if there is another way (which ideally could be automated with a script) roughly:
>
> - impersonate the user as, say, admin, with kinit; e.g. kinit <user>

I don't think this is what is considered "impersonating" the user.
If you authenticate with kinit <user> you are not impersonating that
user, you ARE/BECOME that user.

> - scan all HDFS directories and try to read or write
>
> Does anyone have suggestions?
>
> PS I've asked similar questions on the Apache Ranger mailing list, but with no success.
>
> Many thanks.
>
> Philippe
>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos