>- impersonate the user as, say, admin, with kinit; e.g. kinit <user> >- scan all HDFS directories and try to read or write > >Does anyone have suggestions?
In general, your options are: - Have access to to user's key/password and generate a ticket for that user using kinit. As someone else already noted, this isn't really impersonating a user. - Have access to the TGS key and generate a TGT for that user (or any user). This is generally referred to as "ticket printing". I don't _think_ the Kerberos distributions come with a utility to do that, but I believe there are example programs floating around that do that. I have to say that doing so would require access to the TGS key and having that outside of your Kerberos database would be extremely dangerous as if it was compromised your entire realm would be compromised. - Have access to the HDFS service key and print a service ticket for that user. Again, I don't know if the Kerberos distributions have such a utility, but this would be less dangerous (you already have to have the HDFS key on disk somewhere). I don't know how Kerberos works with HDFS, but if there are multiple service tickets for a HDFS filesystem spread across multiple servers that might be complicated. --Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos