Impersonate Kerberos user on HDFS

From: phiroc@free.fr (Philippe de Rochambeau)
Newsgroups: comp.protocols.kerberos
Subject: Impersonate Kerberos user on HDFS
Date: Thu, 11 Apr 2024 08:40:40 +0200
Organization: TNet Consulting
Lines: 27
Message-ID: <mailman.80.1712817660.2322.kerberos@mit.edu>
References: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr>
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Philippe de Rochambeau - Thu, 11 Apr 2024 06:40 UTC

Hello,

Let's say a user has the following rights on HDFS (which are constrained by Apache Ranger):

/prd/a/b/c <- read right
/prd/a/b/d <- read/write right

I would like to get a broad picture of his/her complete access rights.

I could look at the general policies in Apache Ranger and try to figure out which apply to my user, but that's complicated.

I wonder if there is another way (which ideally could be automated with a script) roughly:

- impersonate the user as, say, admin, with kinit; e.g. kinit <user>
- scan all HDFS directories and try to read or write

Does anyone have suggestions?

PS I've asked similar questions on the Apache Ranger mailing list, but with no success.

Many thanks.

Philippe
