Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Does Ranger authenticate HDFS users

Labels:
avatar
author-rank arun9a
New Contributor

Created ‎01-05-2016 12:02 AM

Ok. I am very confused with this Ranger product. There is no proper documentation on this aspect.

Dose Ranger authenticate a user before accessing HDFS content?

Is it just for authorization purpose only?

I got some consultant say, if you just use Ranger for Hdfs, you can fake as someone else and connect to the HDFS.

For example, you have a user called phil and john. They have /tenent/users/phil and /users/john respectively. Both directories has directory level permission to only that particular user and for group owner hdfs.

Is it possible for Phil to create a unix account as john on a linux box. Sudo as john on that machine and access hdfs as john. There by faking himself as john.

Appreciate any insights on this

1,027 Views
1 ACCEPTED SOLUTION

avatar
author-rank amcbarnett
Guru

Created on ‎01-05-2016 12:05 AM - edited ‎08-19-2019 05:20 AM

Ranger is just for authorization.

For central authentication, you can authenticate against an LDAP or AD. For local authentication, you can authenticate as a local unix user.

For true secure authentication, you need Kerberos with either a MIT KDC or AD as your KDC.

Yes it is possible without Kerberos to spoof a user.

See also this HCC post Kerberos, AD, Ranger

1191-screen-shot-2016-01-04-at-70916-pm.png

View solution in original post

842 Views
2 REPLIES 2

avatar
author-rank amcbarnett
Guru

Created on ‎01-05-2016 12:05 AM - edited ‎08-19-2019 05:20 AM

Ranger is just for authorization.

For central authentication, you can authenticate against an LDAP or AD. For local authentication, you can authenticate as a local unix user.

For true secure authentication, you need Kerberos with either a MIT KDC or AD as your KDC.

Yes it is possible without Kerberos to spoof a user.

See also this HCC post Kerberos, AD, Ranger

1191-screen-shot-2016-01-04-at-70916-pm.png

843 Views

avatar
author-rank sneethiraj
Contributor

Created ‎01-05-2016 12:07 AM

Ranger provides authorization and audit functionalities. You should use KERBEROS authentication to secure the Hadoop clusters along with Ranger. If you use SIMPLE authentication, the users can impersonate as other users by setting appropriate ENV variable before invoking hdfs commands.

842 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements