I have kerbertized our environtment with default priveleges. I created another user called tom, but haven't given any provileges, but user can execute all the commands in our cluster such as hdfs, etc.. Do I need to prevent in acl ?
@Mokkan Mok Assuming you created a new principal (not user) called tom@REALM and performed a kinit tom, then all commands run like hdfs, yarn, spark-submit or others will authenticate using tom@REALM - Then as you mentioned you need acl / authorization to restrict access. You can use Ranger to this end, or else work with the posix with hdfs or acls for yarn and other services.
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.