We have a CDH 5.16 cluster with:- two way Active Directory kerberos & sentry enabled, also Hue backend authentication enabled with AD...
We have a "user1" added in AD.... user1 can do kinit & get the tgt. & "user1" is not added in linux user /etc/passwd
Problem statment:- user1 logs in to Hue, it clicks to the database icon & since no privileges are given to user1, so it can not see any hive tables...that is expected with sentry authorization.....
But...the problem is:- if the user1 clicks HDFS icon in Hue, then user1 is able to see all the data present in hdfs including /user/hive/warehouse/
Why in Hue GUI, user1 is able to read all the data from hdfs including hive warehouse directory...even though sentry is enabled...
Isn't the purpose of authorization defeated the moment the "user1" is able to access the data using Hue GUI by clicking HDFS icon, even though we have not provided any privileges to it & also user1 is not added in Linux user in /etc/passwd.
