Re: Impersonate Kerberos user on HDFS

<mailman.81.1712820078.2322.kerberos@mit.edu>

From: ronniesa...@gmail.com (ronnie sahlberg)
Newsgroups: comp.protocols.kerberos
Subject: Re: Impersonate Kerberos user on HDFS
Date: Thu, 11 Apr 2024 17:21:02 +1000
 by: ronnie sahlberg - Thu, 11 Apr 2024 07:21 UTC

On Thu, 11 Apr 2024 at 16:43, Philippe de Rochambeau <phiroc@free.fr> wrote:
>
> Hello,
>
> Let's say a user has the following rights on HDFS (which are constrained by Apache Ranger):
>
> /prd/a/b/c <- read right
> /prd/a/b/d <- read/write right
>
> I would like to get a broad picture of his/her complete access rights.
>
> I could look at the general policies in Apache Ranger and try to figure out which apply to my user, but that's complicated.
>
> I wonder if there is another way (which ideally could be automated with a script) roughly:
>
> - impersonate the user as, say, admin, with kinit; e.g. kinit <user>

I don't think this is what is considered "impersonating" the user.
If you authenticate with kinit <user> you are not impersonating that
user, you ARE/BECOME that user.

> - scan all HDFS directories and try to read or write
>
> Does anyone have suggestions?
>
> PS I've asked similar questions on the Apache Ranger mailing list, but with no success.
>
> Many thanks.
>
> Philippe
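The scan proposed in the question, sketched as an added example that is not part of the original thread and is not Hadoop or Ranger code. It probes as whatever principal holds the current ticket cache (after `kinit <user>` that is the user, as the reply notes). It assumes a Hadoop client whose `hdfs dfs -test` supports `-r` and `-w`, MIT-style `klist` output, and a NameNode permission check that reflects the Ranger policies; the function names and the path-list file are hypothetical.

```shell
#!/bin/sh
# Added example: report which HDFS paths the *current* Kerberos principal
# may read or write. `hdfs dfs -test -r/-w` only asks for a permission
# check; nothing is read from or written to the paths.

# current_principal: print the principal of the active ticket cache
# (assumes MIT klist, which prints a "Default principal:" line).
current_principal() {
    klist 2>/dev/null | sed -n 's/^Default principal: //p'
}

# probe_path PATH: print "rw", "r-", "-w" or "--" for the current principal.
probe_path() {
    _r=-
    _w=-
    # </dev/null keeps the client from consuming the caller's stdin.
    hdfs dfs -test -r "$1" </dev/null 2>/dev/null && _r=r
    hdfs dfs -test -w "$1" </dev/null 2>/dev/null && _w=w
    printf '%s%s\n' "$_r" "$_w"
}

# audit_paths FILE: FILE holds one HDFS path per line, for example a
# directory listing produced separately by an HDFS superuser, so that
# directories the user cannot list are still probed.
# Prints one "<access> <path>" line per input path.
audit_paths() {
    while IFS= read -r _p; do
        [ -n "$_p" ] || continue
        printf '%s %s\n' "$(probe_path "$_p")" "$_p"
    done < "$1"
}

# Typical use (paths.txt is a hypothetical file name):
#   kinit <user>
#   echo "Probing as: $(current_principal)"
#   audit_paths paths.txt
```

Each probe starts a Hadoop client, so a large path list takes a while; restricting the list to directories keeps the run manageable.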
