[KYUUBI #7265] Recommend to configure kyuubi.session.local.dir.allowlist for multi-tenant clusters

docs/security/kinit.md

@@ -101,6 +101,9 @@ hadoop.proxyuser.<user name in principal>.groups *
 hadoop.proxyuser.<user name in principal>.hosts *
 ```
 
+Also, you must configure `kyuubi.session.local.dir.allow.list` to exclude your Kyuubi server's keytab and any other credential from the local directories.
+Otherwise, any user who can login to the Kyuubi server via Kyuubi frontend protocols is possible to obtain the keytab and to impersonate the users configured by Hadoop proxy user settings.
+
 ## Further Readings
 
 - [Hadoop in Secure Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)

kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala

@@ -44,6 +44,12 @@ class KinitAuxiliaryService() extends AbstractService("KinitAuxiliaryService") {
       kinitMaxAttempts = conf.get(KyuubiConf.KINIT_MAX_ATTEMPTS)
 
       require(keytab.nonEmpty && principal.nonEmpty, "principal or keytab is missing")
+      if (conf.get(KyuubiConf.ENGINE_DO_AS_ENABLED) &&
+        conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST).isEmpty) {
+        warn(s"User impersonation is enabled, but ${KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST}" +
+          " is unset. We strongly recommend to configure the allowed local dir list" +
+          " to exclude any credential including keytab.")
+      }
       UserGroupInformation.loginUserFromKeytab(principal.get, keytab.get)
       val krb5Conf = Option(System.getProperty("java.security.krb5.conf"))
         .orElse(Option(System.getenv("KRB5_CONFIG")))