https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101340#M64305 <P>Ranger is just for authorization.</P><P>For central authentication, you can authenticate against an LDAP or AD. For local authentication, you can authenticate as a local unix user.</P><P>For true secure authentication, you need Kerberos with either a MIT KDC or AD as your KDC.</P><P>Yes it is possible without Kerberos to spoof a user.</P><P>See also this HCC post <A target="_blank" href="https://community.hortonworks.com/questions/2982/kerberos-adldap-and-ranger.html" rel="nofollow noopener noreferrer">Kerberos, AD, Range</A>r</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1191-screen-shot-2016-01-04-at-70916-pm.png" style="width: 772px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23751i389BDA82DDAC5BF7/image-size/medium?v=v2&amp;px=400" role="button" title="1191-screen-shot-2016-01-04-at-70916-pm.png" alt="1191-screen-shot-2016-01-04-at-70916-pm.png" /></span></P> Mon, 19 Aug 2019 12:20:52 GMT amcbarnett 2019-08-19T12:20:52Z https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101339#M64304 <P>Ok. I am very confused with this Ranger product. There is no proper documentation on this aspect. </P><P>Dose Ranger authenticate a user before accessing HDFS content?</P><P>Is it just for authorization purpose only?</P><P>I got some consultant say, if you just use Ranger for Hdfs, you can fake as someone else and connect to the HDFS.</P><P>For example, you have a user called phil and john. They have /tenent/users/phil and /users/john respectively. Both directories has directory level permission to only that particular user and for group owner hdfs.</P><P>Is it possible for Phil to create a unix account as john on a linux box. Sudo as john on that machine and access hdfs as john. There by faking himself as john. </P><P>Appreciate any insights on this</P> Tue, 05 Jan 2016 08:02:05 GMT https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101339#M64304 arun9a 2016-01-05T08:02:05Z https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101340#M64305 <P>Ranger is just for authorization.</P><P>For central authentication, you can authenticate against an LDAP or AD. For local authentication, you can authenticate as a local unix user.</P><P>For true secure authentication, you need Kerberos with either a MIT KDC or AD as your KDC.</P><P>Yes it is possible without Kerberos to spoof a user.</P><P>See also this HCC post <A target="_blank" href="https://community.hortonworks.com/questions/2982/kerberos-adldap-and-ranger.html" rel="nofollow noopener noreferrer">Kerberos, AD, Range</A>r</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1191-screen-shot-2016-01-04-at-70916-pm.png" style="width: 772px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23751i389BDA82DDAC5BF7/image-size/medium?v=v2&amp;px=400" role="button" title="1191-screen-shot-2016-01-04-at-70916-pm.png" alt="1191-screen-shot-2016-01-04-at-70916-pm.png" /></span></P> Mon, 19 Aug 2019 12:20:52 GMT https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101340#M64305 amcbarnett 2019-08-19T12:20:52Z https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101341#M64306 <P>Ranger provides authorization and audit functionalities. You should use KERBEROS authentication to secure the Hadoop clusters along with Ranger. If you use SIMPLE authentication, the users can impersonate as other users by setting appropriate ENV variable before invoking hdfs commands. </P> Tue, 05 Jan 2016 08:07:04 GMT https://community.cloudera.com/t5/Support-Questions/Does-Ranger-authenticate-HDFS-users/m-p/101341#M64306 sneethiraj 2016-01-05T08:07:04Z