Reply
Contributor
Posts: 69
Registered: ‎01-24-2017

How to impersonate another user without Kerberos?

Hi All,

When talking to Cloudera, they mentioned that without Kerberos any user can impersonate any other user and get access to his files.

How exactly is it done?

I'd like to have a simple test. I am not sure if one of our Hadoop cluster is properly protected with Kerberos.

Thank you,

Igor

 

Posts: 1,039
Kudos: 129
Solutions: 62
Registered: ‎04-06-2015

Re: How to impersonate another user without Kerberos?

Since your real concern seems to be about security rather than impersonating another user, here is a link to a recent blog post that you may find helpful.

 

How to secure ‘Internet exposed’ Apache Hadoop

 

Don't let the title stop you from reading it as the article goes beyond what the title describes and provides other links on security. 



Cy Jervis, Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:

Terms of Service

Community Guidelines

How to use the forum

Posts: 642
Topics: 3
Kudos: 121
Solutions: 67
Registered: ‎08-16-2016

Re: How to impersonate another user without Kerberos?

I won't post a 'how to' but it is a simple as setting variables to the user's username as all Hadoop is doing is check that and then looking up the user and groups on the OS.

Expert Contributor
Posts: 131
Registered: ‎08-08-2013

Re: How to impersonate another user without Kerberos?

Hi Igor, to quickly test if your cluster is kerberized, just ssh to a node from which you can access the cluster, then execute "kdestroy" to ensure you have no valid kerberos tickets, followed by "hdfs dfs -ls /" If you receive a directory listing as output, then your cluster is NOT kerberized, otherwise you'll receive a GSS exception. HTH