
Local admin Ranger user: feature or bug?

Super Collaborator

Hi,

I have ended up in quite an interesting scenario where a non-AD (or any KDC) user can access anything, anywhere on a kerberized HDP 2.4 cluster.

Prerequisites: You have a user on Ambari with the name "xvy", and a Kerberised cluster

Step 1. In Ranger, create a new (local) user "xyz" with administrative rights

Step 2. Logged on as "xyz", add yourself ("xyz") to a policy on HDFS, on all folders /*

Step 3. You will now have all-out access to HDFS through the Ambari Files view

I would have expected that the Ranger local user base would be separate from the KDC users. This local "xyz" user is asked for a ticket; I wouldn't see how he got one in this case.

2 REPLIES

If you are logging into Ambari and the cluster as user "xyz" and have explicitly granted HDFS permissions for this user, then it works as expected.

Super Collaborator

@vperiasamy

So this user "xyz" is now on the Ambari server's ticket to access HDFS resources?