I have an issue: any user in my cluster can run: export HADOOP_USER_NAME=hdfs (hdfs is the superuser), and become hdfs superuser.
How can I restrict users from becoming superuser and having all the permissions that the hdfs user has?
Note: Our cluster users are getting authenticated with Unix accounts which are directly synchronizing Active Directory (LDAP). We don't have local user accounts on the Unix box. We are also using Ranger to authorize resources on HDFS and Hive.
Once they have access to the local Unix box, you need Kerberos to get security. Once you have Kerberos enabled, they can't just send a request as any user unless they have a ticket for it.
Hadoop is by default not secure and doesn't provide an authentication service. Hence it believes what users are saying, and the behaviour you are seeing is normal. To avoid this problem you need strong authentication where each user/service needs to prove that he is who he pretends to be. Hadoop uses Kerberos as the basis for strong authentication and identity propagation for both users and services. The system is based on tokens and a KDC server (Key Distribution Center) that can be your enterprise Active Directory or a local KDC with a one-way trust to your enterprise AD or LDAP.
You can find more information on this in our doc page: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/configuring_amb_hd...
hope this helps