HDFS superuser security


Contributor

I have an issue: any user in my cluster can run: export HADOOP_USER_NAME=hdfs (hdfs is the superuser), and become hdfs superuser.

How can I restrict users from becoming superuser and having all the permissions that the hdfs user has?

Note: Our cluster users are authenticated with Unix accounts which are directly synchronized with Active Directory (LDAP). We don't have local user accounts on the Unix box. We are also using Ranger to authorize resources on HDFS and Hive.

2 REPLIES

Re: HDFS superuser security

Guru

Once they have access to the local Unix box, you need Kerberos to get security. Once you have Kerberos enabled, they can't just send a request as any user unless they have a ticket for it.

Re: HDFS superuser security

@Sushil Saxena

Hadoop is by default not secure and doesn't provide an authentication service. Hence it believes what users are saying, and the behaviour you are seeing is normal. To avoid this problem you need strong authentication, where each user/service needs to prove that he is who he pretends to be. Hadoop uses Kerberos as the basis for strong authentication and identity propagation for both users and services. The system is based on tokens and a KDC server (Key Distribution Center) that can be your enterprise Active Directory or a local KDC with a one-way trust to your enterprise AD or LDAP.

You can find more information on this on our doc page: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/configuring_amb_hd...

Hope this helps.
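
Added example, not part of the thread or of the vendor documentation: a small audit that reads a core-site.xml and reports whether the cluster still accepts a client-asserted identity such as HADOOP_USER_NAME=hdfs, which is the case whenever hadoop.security.authentication is anything other than kerberos (it defaults to simple when absent). The two XML samples and the host name in them are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

AUTH_KEY = "hadoop.security.authentication"
DEFAULT_AUTH = "simple"  # Hadoop's default when the property is not set

# Constructed sample configs (not taken from the thread).
UNSECURED_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
</configuration>"""

KERBERIZED_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.internal:8020</value></property>
  <property><name> hadoop.security.authentication </name><value>Kerberos</value></property>
</configuration>"""


def effective_auth(xml_text):
    """Return (mode, explicit) for one core-site.xml document.

    Assumption: only this single file is read, and a later definition of the
    property overrides an earlier one in the same file.
    """
    mode, explicit = DEFAULT_AUTH, False
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == AUTH_KEY:
            mode = (prop.findtext("value") or "").strip().lower()
            explicit = True
    return mode, explicit


def audit(xml_text):
    """Return None when identity is Kerberos-backed, else a finding string."""
    mode, explicit = effective_auth(xml_text)
    if mode == "kerberos":
        return None
    source = "set explicitly" if explicit else "not set, default applies"
    return (f"{AUTH_KEY}={mode!r} ({source}): the NameNode trusts the user name "
            "the client reports, so HADOOP_USER_NAME=hdfs yields superuser")


if __name__ == "__main__":
    for label, text in (("unsecured", UNSECURED_SITE), ("kerberized", KERBERIZED_SITE)):
        print(f"{label}: {audit(text) or 'OK, callers need a Kerberos ticket'}")
```
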