I have ended up in quite an interesting scenario where a non-AD (or any KDC) user can access anything, anywhere on a Kerberized HDP 2.4 cluster.
Prerequisites: You have a user on Ambari with the name "xyz", and a Kerberized cluster.
Step 1. In Ranger, create a new (local) user "xyz" with administrative rights
Step 2. Logged on as "xyz", add yourself ("xyz") to a policy on HDFS, on all folders /*
Step 3. You will now have all-out access to HDFS, through the Ambari Files view.
I would have expected that the Ranger local user base would be separate from the KDC users. This local "xyz" user is asked for a ticket; I wouldn't see how he got one in this case.
If you are logging into Ambari and the cluster as user "xyz" and have explicitly granted HDFS permissions for this user, then it works as expected.
So this user "xyz" is now on the Ambari server's ticket to access HDFS resources?