Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kerberos HDFS security issue

Solved Go to solution

Kerberos HDFS security issue

Master Collaborator

I have ranger plugin enabled for HDFS and the policy is in place and I am not in the list of users that have access to the policy (see picture) but I can still access all the HDFS directories ?

-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: sami@MY.COM
Valid starting     Expires            Service principal
11/30/16 23:22:44  12/01/16 23:22:44  krbtgt/MY.COM@MY.COM
        renew until 11/30/16 23:22:44
-bash-4.1$
-bash-4.1$
-bash-4.1$ hdfs dfs -ls /user/flume/
Found 4 items
drwx------   - flume hdfs          0 2016-11-28 19:00 /user/flume/.Trash
drwxr-xr-x   - flume hdfs          0 2016-10-12 16:50 /user/flume/.hiveJars
drwxrwxr-x   - flume hdfs          0 2016-11-23 10:03 /user/flume/tweets
drwxr-xr-x   - flume hdfs          0 2016-11-03 10:54 /user/flume/tweets2
-bash-4.1$
<a href="/storage/attachments/10019-capture.jpg">capture.jpg</a>

if I destroy the ticket then I don't get access .

-bash-4.1$ kdestroy
-bash-4.1$
-bash-4.1$
-bash-4.1$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_600)
-bash-4.1$
-bash-4.1$ hdfs dfs -ls /user/flume/
16/12/01 13:19:08 WARN ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Kerberos HDFS security issue

see ranger audit logs to figure out whether ranger-acl or hadoop-acl is granting access to the user.

7 REPLIES 7

Re: Kerberos HDFS security issue

Guru

Can you snapshot the page where you have the policies ? If the profile is public, I believe it overrides any other permissions. How about you introducing your user and denying any privileges from him over HDFS.

Re: Kerberos HDFS security issue

Master Collaborator

on profile it doesn't say its a public profile ? please see the picture below of the policy

Re: Kerberos HDFS security issue

Access will be granted with native HDFS permissions if there is no ranger policy. You can check ranger audit to confirm.

Re: Kerberos HDFS security issue

Master Collaborator

but there is ranger policy in place please see the picture below

10025-c5oq0.png

Re: Kerberos HDFS security issue

Master Collaborator

can anyone answer this please ?

Re: Kerberos HDFS security issue

see ranger audit logs to figure out whether ranger-acl or hadoop-acl is granting access to the user.

Highlighted

Re: Kerberos HDFS security issue

Contributor

@Sami Ahmad: You have an HDFS policy which does not grant permissions to your user for viewing resources. In most of the components, this would boil down to access request being denied. However, in HDFS, if a Ranger policy does not grant access to a resource, native Hadoop privileges are checked as well. If HDFS grants user 'SAMI' access to resources, 'SAMI' will be able to access the same (inspite of Ranger policy not granting permission).

You can check whether its Ranger policy responsible for your user being able to view resources or its native Hadoop ACLs through Audit page->Access tab.

In screenshot, Policy ID is -- and also, Access Enforcer=hadoop-acl which means the user had access through native Hadoop ACL. None of the Ranger Hadoop policies are responsible for the Access/ Deny. Hope this helps.

screen-shot-2017-02-08-at-104435-am.png