Created 01-05-2016 12:02 AM
Ok. I am very confused with this Ranger product. There is no proper documentation on this aspect.
Does Ranger authenticate a user before accessing HDFS content?
Is it just for authorization purpose only?
I had a consultant say that if you just use Ranger for HDFS, you can fake being someone else and connect to HDFS.
For example, you have users called phil and john. They have /tenent/users/phil and /users/john respectively. Both directories have directory-level permissions for only that particular user and for group owner hdfs.
Is it possible for Phil to create a Unix account as john on a Linux box, sudo as john on that machine and access HDFS as john, thereby faking himself as john?
Appreciate any insights on this.
Created on 01-05-2016 12:05 AM - edited 08-19-2019 05:20 AM
Ranger is just for authorization.
For central authentication, you can authenticate against an LDAP or AD. For local authentication, you can authenticate as a local unix user.
For true secure authentication, you need Kerberos with either a MIT KDC or AD as your KDC.
Yes it is possible without Kerberos to spoof a user.
See also this HCC post Kerberos, AD, Ranger
Created 01-05-2016 12:07 AM
Ranger provides authorization and audit functionality. You should use KERBEROS authentication to secure Hadoop clusters along with Ranger. If you use SIMPLE authentication, users can impersonate other users by setting the appropriate ENV variable before invoking hdfs commands.
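A defender-side check for the point made in the answers above, added here as an example that is not part of the original thread or of any Hadoop or Ranger tooling: it reads a `core-site.xml` and reports whether `hadoop.security.authentication` is `kerberos` or still `simple` (the value Hadoop uses when the property is absent). The function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_PROP = "hadoop.security.authentication"
AUTH_DEFAULT = "simple"  # Hadoop's value when the property is not set

# Constructed sample: the property is missing, so the cluster runs SIMPLE auth.
SIMPLE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>"""

# Constructed sample: Kerberos explicitly enabled (note the stray whitespace).
KERBEROS_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name>hadoop.security.authentication</name><value> kerberos </value></property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} for each <property> element in a *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            # If a name repeats, this sketch keeps the last one it reads.
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_authentication(xml_text):
    """Return (mode, source, ok); ok is True only when the mode is kerberos."""
    props = read_properties(xml_text)
    source = "explicit" if AUTH_PROP in props else "default"
    mode = props.get(AUTH_PROP, AUTH_DEFAULT).lower()
    return mode, source, mode == "kerberos"


def report(label, xml_text):
    mode, source, ok = check_authentication(xml_text)
    if ok:
        verdict = "OK: clients must authenticate before Ranger policies are applied"
    else:
        verdict = "FINDING: user identity is client-asserted; Ranger policies can be bypassed by spoofing"
    return f"{label}: {AUTH_PROP}={mode} ({source}) -> {verdict}"


if __name__ == "__main__":
    print(report("sample-simple", SIMPLE_SITE))
    print(report("sample-kerberos", KERBEROS_SITE))
```
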