We have a security problem with hadoop access.
[root@server]$ hadoop fs -ls hdfs://datalake/data ls: Permission denied: user=root, access=READ_EXECUTE, inode="/data":ldap_user:ldap_group:drwxr-x---
This is correct because root does not have access. The access is for ldap_users y ldap_group.
If user1ldap is part of group ldap_group (an authorized user), we only need to create the user.
[root@server]$ useradd user1ldap [root@server]$ su - user1ldap [user1ldap@server]$ hadoop fs -ls hdfs://datalake/data Found 3 items [..]
How can it be? Without asking password? For us it is a security problem!
Through NFS connection does ask the correct ldap user and password.
Thanks in advance.
That is because root is a superuser with access to everything across linux - so no password is needed to relog from root account. If you try to log on user1ldap from anyother account, you will need to type a password for user1ldap. Root account should be used only for administrators.
It is not a solution because an user can create his own virtual machine with root access and create the user, and have access to data that should not. I think I should request the password when trying to connect.
The use of normal POSIX based authentication in Hadoop has weak user authentication. Hadoop provides a strong user authentication method through integration with Kerberos. When a cluster is secured, in other words Kerberos is used to provide user authentication, you will execute a kinit command to request a Kerberos ticket for a user principal from the Kerberos Key Distribution Center (KDC). A password is required by the kinit command and a ticket is delivered upon kinit completion which lets you execute commands from your CLI, etc.. If the kinit command fails, you will not have a valid ticket and your identify will not be established and your 'Hadoop' commands will fail.
More information on setting up Kerberos in an HDP cluster can be found here: https://docs.hortonworks.com/HDPDocuments/Ambari-188.8.131.52/bk_Ambari_Security_Guide/content/ch_amb_sec...