
Problem with hadoop access permissions


Explorer

Hello,

We have a security problem with hadoop access.

[root@server]$ hadoop fs -ls hdfs://datalake/data
ls: Permission denied: user=root, access=READ_EXECUTE, inode="/data":ldap_user:ldap_group:drwxr-x---

This is correct because root does not have access. The access is for ldap_user and ldap_group.

If user1ldap is part of group ldap_group (an authorized user), we only need to create the user.

[root@server]$ useradd user1ldap
[root@server]$ su - user1ldap
[user1ldap@server]$ hadoop fs -ls hdfs://datalake/data
  Found 3 items
  [..]

How can this be? Without asking for a password? For us it is a security problem!

Through an NFS connection, it does ask for the correct LDAP user and password.

Thanks in advance.

3 REPLIES

Re: Problem with hadoop access permissions

Expert Contributor

That is because root is a superuser with access to everything across Linux, so no password is needed to re-log from the root account. If you try to log on as user1ldap from any other account, you will need to type the password for user1ldap. The root account should be used only by administrators.

Re: Problem with hadoop access permissions

Explorer

It is not a solution, because a user can create his own virtual machine with root access, create the user, and have access to data that he should not. I think the password should be requested when trying to connect.


Re: Problem with hadoop access permissions

Expert Contributor
@Blanca Sanz

The use of normal POSIX-based authentication in Hadoop has weak user authentication. Hadoop provides a strong user authentication method through integration with Kerberos. When a cluster is secured, in other words when Kerberos is used to provide user authentication, you will execute a kinit command to request a Kerberos ticket for a user principal from the Kerberos Key Distribution Center (KDC). A password is required by the kinit command and a ticket is delivered upon kinit completion, which lets you execute commands from your CLI, etc. If the kinit command fails, you will not have a valid ticket, your identity will not be established and your 'Hadoop' commands will fail.

More information on setting up Kerberos in an HDP cluster can be found here: https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Ambari_Security_Guide/content/ch_amb_sec...
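As an added example (not from the thread, the Hortonworks documentation or Hadoop itself), the following POSIX shell check reads `hadoop.security.authentication` and `hadoop.security.authorization` from a core-site.xml and flags the "simple" mode the original poster's cluster is running in, beside a hardened Kerberos configuration. In simple mode the HDFS client identity is whatever local OS username the client reports, which is exactly why `useradd` plus `su` on a root-controlled box was enough above; in kerberos mode the identity comes from the ticket obtained with kinit. The two XML fragments are constructed for the example; the property names and their defaults (`simple` and `false` when the property is absent) are Hadoop's real ones.

```shell
#!/bin/sh
# Added example: audit a Hadoop core-site.xml for the authentication mode.
# Constructed sample configurations (not taken from any real cluster).
WEAK_CORE_SITE='<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://datalake</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
  </property>
</configuration>'

HARDENED_CORE_SITE='<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://datalake</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
</configuration>'

WEAK_FILE=$(mktemp)
HARDENED_FILE=$(mktemp)
trap 'rm -f "$WEAK_FILE" "$HARDENED_FILE"' EXIT
printf '%s\n' "$WEAK_CORE_SITE" > "$WEAK_FILE"
printf '%s\n' "$HARDENED_CORE_SITE" > "$HARDENED_FILE"

# get_property FILE NAME: print the <value> that follows <name>NAME</name>,
# or nothing when the property is not set in that file.
get_property() {
  tr -d '\n' < "$1" | sed -n \
    "s#.*<name>[[:space:]]*$2[[:space:]]*</name>[[:space:]]*<value>\([^<]*\)</value>.*#\1#p"
}

# auth_mode FILE: the configured authentication mode; Hadoop defaults to
# "simple" (trust the client's OS username) when the property is absent.
auth_mode() {
  mode=$(get_property "$1" hadoop.security.authentication)
  printf '%s\n' "${mode:-simple}"
}

# check_auth FILE: return 0 (PASS) only when Kerberos authentication and
# service-level authorization are both enabled; otherwise print the findings
# and return 1.
check_auth() {
  file=$1
  mode=$(auth_mode "$file")
  authz=$(get_property "$file" hadoop.security.authorization)
  status=0
  if [ "$mode" != "kerberos" ]; then
    echo "FAIL: hadoop.security.authentication=$mode in $file;" \
         "HDFS trusts the client's local username, so no password is ever checked"
    status=1
  fi
  # hadoop.security.authorization defaults to false when absent.
  if [ "${authz:-false}" != "true" ]; then
    echo "FAIL: hadoop.security.authorization is not true in $file;" \
         "service-level ACLs are not enforced"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "PASS: $file enforces Kerberos authentication and authorization"
  fi
  return "$status"
}

# Demonstration run over both constructed files.
for f in "$WEAK_FILE" "$HARDENED_FILE"; do
  if check_auth "$f"; then :; fi
done
```

In practice the files to point this at are the cluster's own `/etc/hadoop/conf/core-site.xml` (or wherever `HADOOP_CONF_DIR` points) on every client host as well as the NameNode, since a single client left in simple mode still presents an unauthenticated identity to the cluster.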