on 05-18-2018 08:27 PM
OS: CentOS 7.3
# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
During installation -> "Configuring Single User Mode" is not checked but all Hadoop service user ids are set to /sbin/nologin in /etc/passwd:
on 05-21-2018 09:42 AM
This was supposed to be a feature, not a bug. These are service accounts and should not be used by humans, hence the 'nologin' shells. This addresses feedback from some large customers: it limits the attack surface presented by our software.
I'm curious - how did you come across this, and what impact does it have for you? Thanks for the report.
PS: you might note that the 'impala' user is the only one in the list below that uses /bin/bash. In our GA release, Impala will also have /sbin/nologin as its shell.
on 05-22-2018 12:52 AM
Just wanted to also note that the "Single User Mode" has no direct relation to the service account login shells, and selecting/deselecting that option does not affect the outcome observed here.
The "Single User Mode" is a feature designed to help install in environments where access to the "root" account is disallowed: https://www.cloudera.com/documentation/enterprise/latest/topics/install_singleuser_reqts.html
Note that even without a shell, you should still be able to run commands as the user via the 'sudo -u USERNAME' command, if that was the intention behind needing a login shell. For example, for the 'hdfs' user with the new /sbin/nologin state:
# Will still work:
~> sudo -u hdfs hdfs dfsadmin -report
# Will not work:
~> su hdfs
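
The shell state discussed in this thread can be checked with a short audit, given here as an added example that is not part of the original posts or of Cloudera's software. The function names, the account list beyond hdfs and impala, and the sample passwd lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Account names beyond hdfs and impala,
# and every UID, GID and home directory below, are constructed.
SERVICE_ACCOUNTS="hdfs yarn mapred hive impala"
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# audit_shells [FILE]: read passwd-format lines from FILE (default: stdin) and
# print "user:shell" for each listed account that can still log in.
audit_shells() {
    awk -F: -v users="$SERVICE_ACCOUNTS" -v deny="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1
            m = split(deny, d, " ");  for (i = 1; i <= m; i++) nologin[d[i]] = 1
        }
        /^#/ || NF < 7 { next }   # skip comments and malformed lines
        ($1 in want) && !($7 in nologin) {
            # passwd(5): an empty shell field means /bin/sh
            print $1 ":" ($7 == "" ? "/bin/sh" : $7)
        }
    ' "${1:--}"
}

# Constructed sample matching the state described in the thread:
# every service account on nologin except impala.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
hdfs:x:995:993:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin
yarn:x:994:992:Hadoop Yarn:/var/lib/hadoop-yarn:/sbin/nologin
impala:x:993:991:Impala:/var/run/impala:/bin/bash
EOF
}

sample_passwd | audit_shells   # prints: impala:/bin/bash
```

On a real host, run `audit_shells /etc/passwd` after setting SERVICE_ACCOUNTS to the accounts actually installed.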