Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Simo Sorce
On Thu, 2024-04-11 at 08:24 -0400, Ken Hornstein via Kerberos wrote: > > - impersonate the user as, say, admin, with kinit; e.g. kinit > > - scan all HDFS directories and try to read or write > > > > Does anyone have suggestions? > > In general, your options are: > > - Have access to to user's

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Russ Allbery
Ken Hornstein via Kerberos writes: > - Have access to to user's key/password and generate a ticket for that > user using kinit. As someone else already noted, this isn't really > impersonating a user. > - Have access to the TGS key and generate a TGT for that user (or any user). > This is

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread Ken Hornstein via Kerberos
>- impersonate the user as, say, admin, with kinit; e.g. kinit >- scan all HDFS directories and try to read or write > >Does anyone have suggestions? In general, your options are: - Have access to to user's key/password and generate a ticket for that user using kinit. As someone else already

Re: Impersonate Kerberos user on HDFS

2024-04-11 Thread ronnie sahlberg
On Thu, 11 Apr 2024 at 16:43, Philippe de Rochambeau wrote: > > Hello, > > Let's say a user has the following rights on HDFS (which are constrained > Apache Ranger): > > /prd/a/b/c <- read right > /prd/a/b/d <- read/write right > > I would like to get a broad picture of his/her complete access r

Impersonate Kerberos user on HDFS

2024-04-10 Thread Philippe de Rochambeau
Hello, Let's say a user has the following rights on HDFS (which are constrained Apache Ranger): /prd/a/b/c <- read right /prd/a/b/d <- read/write right I would like to get a broad picture of his/her complete access rights. I could look at the general policies in Apache Ranger and try to figu