Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How to impersonate another user without Kerberos?

How to impersonate another user without Kerberos?

Hi All,

When talking to Cloudera, they mentioned that without Kerberos any user can impersonate any other user and get access to his files.

How exactly is it done?

I'd like to have a simple test. I am not sure if one of our Hadoop cluster is properly protected with Kerberos.

Thank you,

Igor

 

3 REPLIES 3

Re: How to impersonate another user without Kerberos?

Community Manager

Since your real concern seems to be about security rather than impersonating another user, here is a link to a recent blog post that you may find helpful.

 

How to secure ‘Internet exposed’ Apache Hadoop

 

Don't let the title stop you from reading it as the article goes beyond what the title describes and provides other links on security. 



Cy Jervis, Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Learn more about the Cloudera Community:
Community Guidelines
How to use the forum
Highlighted

Re: How to impersonate another user without Kerberos?

Champion

I won't post a 'how to' but it is a simple as setting variables to the user's username as all Hadoop is doing is check that and then looking up the user and groups on the OS.

Re: How to impersonate another user without Kerberos?

Guru
Hi Igor, to quickly test if your cluster is kerberized, just ssh to a node from which you can access the cluster, then execute "kdestroy" to ensure you have no valid kerberos tickets, followed by "hdfs dfs -ls /" If you receive a directory listing as output, then your cluster is NOT kerberized, otherwise you'll receive a GSS exception. HTH