New Contributor
Posts: 2
Registered: ‎04-03-2014
Accepted Solution
/etc/passwd for hadoop service users /sbin/nologin

OS: Centos 7.3

# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

 

During installation -> "Configuring Single User Mode" is not checked but all Hadoop service user ids are set to /sbin/nologin in /etc/passwd:

 

hdfs:x:985:979:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin
solr:x:984:978:Solr:/var/lib/solr:/sbin/nologin
sentry:x:983:977:Sentry:/var/lib/sentry:/sbin/nologin
hue:x:982:976:Hue:/usr/lib/hue:/sbin/nologin
zookeeper:x:981:975:ZooKeeper:/var/lib/zookeeper:/sbin/nologin
mapred:x:980:974:Hadoop MapReduce:/var/lib/hadoop-mapreduce:/sbin/nologin
httpfs:x:979:973:Hadoop HTTPFS:/var/lib/hadoop-httpfs:/sbin/nologin
sqoop:x:978:972:Sqoop:/var/lib/sqoop:/sbin/nologin
hive:x:977:971:Hive:/var/lib/hive:/sbin/nologin
kafka:x:976:970:Kafka:/var/lib/kafka:/sbin/nologin
kms:x:975:969:Hadoop KMS:/var/lib/hadoop-kms:/sbin/nologin
yarn:x:974:968:Hadoop Yarn:/var/lib/hadoop-yarn:/sbin/nologin
oozie:x:973:967:Oozie User:/var/lib/oozie:/sbin/nologin
kudu:x:972:966:Kudu:/var/lib/kudu:/sbin/nologin
hbase:x:971:965:HBase:/var/lib/hbase:/sbin/nologin
impala:x:970:964:Impala:/var/lib/impala:/bin/bash
spark:x:969:963:Spark:/var/lib/spark:/sbin/nologin

 

Accepted Solution
Cloudera Employee
Posts: 1
Registered: ‎01-18-2017
Answered

This was supposed to be a feature, not a bug. These are service accounts and should not be used by humans, hence the 'nologin' shells. This addresses feedback from some large customers: it limits the attack surface presented by our software.

 

I'm curious - how did you come across this, and what impact does it have for you?  Thanks for the report.

 

PS: you might note that the 'impala' user is the only one in the list below that uses /bin/bash. In our GA release, Impala will also have /sbin/nologin as its shell.
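The check behind this thread, as an added example that is not part of the original posts or Cloudera's tooling: a shell function that reads passwd-format lines and reports service accounts that still have an interactive login shell. The function name `audit_service_shells`, the default UID range 201-999 (the usual CentOS 7 SYS_UID_MIN/SYS_UID_MAX values, treated here as an assumption) and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag service accounts whose passwd(5) shell field still
# allows an interactive login.

# Constructed sample: three entries taken from the listing in the question.
SAMPLE_PASSWD='hdfs:x:985:979:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin
impala:x:970:964:Impala:/var/lib/impala:/bin/bash
spark:x:969:963:Spark:/var/lib/spark:/sbin/nologin'

# audit_service_shells [UID_MIN] [UID_MAX]
# Reads passwd-format lines on stdin and prints "name uid shell" for every
# account inside the UID range whose shell is not nologin or false.
# The default range is an assumption; compare with /etc/login.defs.
audit_service_shells() {
    awk -F: -v lo="${1:-201}" -v hi="${2:-999}" '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        NF != 7 {                               # passwd(5) has exactly 7 fields
            printf "skipping malformed line %d\n", NR > "/dev/stderr"
            next
        }
        $3 < lo || $3 > hi { next }             # outside the service UID range
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # empty field means /bin/sh
            if (shell ~ /\/(nologin|false)$/) next
            print $1, $3, shell
        }'
}

# Run against the constructed sample; on a host, feed it real data instead:
#   getent passwd | audit_service_shells
printf '%s\n' "$SAMPLE_PASSWD" | audit_service_shells
```

The shell field only controls interactive logins and plain `su`; it says nothing about what `sudo -u` is allowed to do, so sudoers rules need their own review.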

 

Other Answers: 2
Posts: 1,664
Kudos: 325
Solutions: 262
Registered: ‎07-31-2013
Answered

Just wanted to also note that the "Single User Mode" has no direct relation to the service account login shells, and selecting/deselecting that option does not affect the outcome observed here.

 

The "Single User Mode" is a feature designed to help install in environments where access to the "root" account is disallowed: https://www.cloudera.com/documentation/enterprise/latest/topics/install_singleuser_reqts.html

 

Note that even without a shell, you should still be able to run commands as the user via the 'sudo -u USERNAME' command, if that was the intention behind needing a login shell. For example, for the 'hdfs' user with the new /sbin/nologin state:

 

# Will still work:

~> sudo -u hdfs hdfs dfsadmin -report

 

# Will not work:

~> su hdfs

Cloudera Employee
Posts: 11
Registered: ‎11-17-2017
Answered

Just to complement the other answers here:

 

If you want to become the user who has "/sbin/nologin" set then as root specify a shell: "su hdfs -s /bin/bash"