Posts: 48
Registered: ‎09-20-2017
Accepted Solution

Configuring the HDFS superuser in Kerberos



One question regqrding the documentation of Kerberos, and more specifically "Step 5: Create the HDFS superuser". As the document states:


Cloudera recommends you use a different user account as the superuser, not the default hdfs account.


However, later on the steps described, the description mixes the notion of group and user and it is not quite clear what should be configured:


5. Locate the Superuser Group property and change the value to the appropriate group name for your environment. For example, <superuser>.


Assuming that group is what should be configured here (it's can't be user in that property), the rest of the configuration does not make sense, as it says that we need to "create a Kerberos principal called <superuser>". But Kerberos principals refers to users and services and not groups.


In any case, the above configuration does not work. Can someone clarify the documentation?


Thank you!

Posts: 642
Topics: 3
Kudos: 121
Solutions: 67
Registered: ‎08-16-2016

Re: Configuring the HDFS superuser in Kerberos

It is a group. By default Hadoop create the user hdfs in the group hdfs. The first statement does make it confusing but assumes the defaults as that is the only user in the group. You could add users to the group as well (not recommended).

The last portion referencing the Kerberos principal is just pointing out that it isn't enough to have a user in the superusergroup/supergroup they also need a valid Kerberos principal.

In reality, the users in the group you assign to that property will have Kerberos principals already.

I also recommend, as Cloudera does, to not use the default hdfs group.

Our community is getting a little larger. And a lot better.

Learn More about the Cloudera and Hortonworks community merger planned for late July and early August.