[39409] in Kerberos


Re: Impersonate Kerberos user on HDFS

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Apr 11 08:24:50 2024

Message-Id: <202404111224.43BCOTL9014923@hedwig.cmf.nrl.navy.mil>
To: Philippe de Rochambeau <phiroc@free.fr>
cc: kerberos@mit.edu
In-Reply-To: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr>
MIME-Version: 1.0
Date: Thu, 11 Apr 2024 08:24:29 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>- impersonate the user as, say, admin, with kinit; e.g. kinit <user>
>- scan all HDFS directories and try to read or write
>
>Does anyone have suggestions?

In general, your options are:

- Have access to the user's key/password and generate a ticket for that
  user using kinit.  As someone else already noted, this isn't really
  impersonating a user.
- Have access to the TGS key and generate a TGT for that user (or any user).
  This is generally referred to as "ticket printing".  I don't _think_
  the Kerberos distributions come with a utility to do that, but I
  believe there are example programs floating around that do that.  I
  have to say that doing so would require access to the TGS key and
  having that outside of your Kerberos database would be extremely
  dangerous as if it was compromised your entire realm would be
  compromised.
- Have access to the HDFS service key and print a service ticket for that
  user.  Again, I don't know if the Kerberos distributions have such
  a utility, but this would be less dangerous (you already have to have
  the HDFS key on disk somewhere).  I don't know how Kerberos works with
  HDFS, but if there are multiple service tickets for a HDFS filesystem
  spread across multiple servers that might be complicated.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
