
Local admin Ranger user: feature or bug?

Super Collaborator


I have ended up in quite an interesting scenario where a non-AD (or any KDC) user can access anything, anywhere on a Kerberized HDP 2.4 cluster.

Prerequisites: You have a user on Ambari with the name "xyz", and a Kerberized cluster

Step 1. In Ranger, create a new (local) user "xyz" with administrative rights

Step 2. Logged on as "xyz", add yourself ("xyz") to a policy on HDFS, on all folders /*

Step 3. You will now have all-out access to HDFS through the Ambari Files view

I would have expected that the Ranger local user base would be separate from the KDC users. This local "xyz" user is asked for a ticket; I wouldn't see how he got one in this case.


If you are logging into Ambari and the cluster as user "xyz" and have explicitly granted HDFS permissions for this user, then it works as expected.

Super Collaborator


So this user "xyz" is now on the Ambari server's ticket to access HDFS resources?
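
A defender's check for the situation discussed in this thread, as an added example that is not part of the original posts: it lists enabled HDFS policies that grant access to users defined only inside Ranger rather than synced from AD/LDAP. The field names (`userSource` with 0 meaning internal, `userRoleList`, `policyItems`) are assumed to match Ranger's REST JSON, the function name is hypothetical, and the sample data is constructed.

```python
# Added example: flag Ranger HDFS policies that grant access to Ranger-internal users.
# Assumption: field names mirror Ranger's REST JSON; userSource 0 = internal, 1 = synced.
BROAD_PATHS = {"/", "/*"}

# Constructed sample data (not taken from a real cluster).
USERS = [
    {"name": "xyz", "userSource": 0, "userRoleList": ["ROLE_SYS_ADMIN"]},
    {"name": "etl_svc", "userSource": 1, "userRoleList": ["ROLE_USER"]},
]
POLICIES = [
    {"name": "all-path", "isEnabled": True,
     "resources": {"path": {"values": ["/*"], "isRecursive": True}},
     "policyItems": [{"users": ["xyz"], "accesses": [
         {"type": "read", "isAllowed": True},
         {"type": "write", "isAllowed": True}]}]},
    {"name": "etl-landing", "isEnabled": True,
     "resources": {"path": {"values": ["/data/landing"], "isRecursive": True}},
     "policyItems": [{"users": ["etl_svc"], "accesses": [
         {"type": "read", "isAllowed": True}]}]},
]


def audit_local_grants(users, policies):
    """Return one finding per (policy, internal user) pair that has allowed accesses."""
    local = {u["name"]: u for u in users if u.get("userSource") == 0}
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        paths = policy.get("resources", {}).get("path", {}).get("values", [])
        for item in policy.get("policyItems", []):
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed"))
            for name in item.get("users", []):
                if name in local and allowed:
                    findings.append({
                        "policy": policy["name"],
                        "user": name,
                        "accesses": allowed,
                        "broad_path": any(p in BROAD_PATHS for p in paths),
                        "ranger_admin": "ROLE_SYS_ADMIN" in local[name].get("userRoleList", []),
                    })
    return findings


if __name__ == "__main__":
    for finding in audit_local_grants(USERS, POLICIES):
        print(finding)
```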