07-06-2018 11:59 AM
@bgooley hdfs is not picking up the users from firstname.lastname@example.org, does the auth to local rule work for groups?
[email@example.com@hostname ~]$ hadoop fs -chown hdfs:supergroup /user/test
chown: changing ownership of '/user/test': Non-super user cannot change owner
[firstname.lastname@example.org@hostname ~]$ getent group email@example.com
I tried both group short name as well as group fqdn:
dfs.permissions.supergroup, dfs.permissions.superusergroup firstname.lastname@example.org
dfs.permissions.supergroup, dfs.permissions.superusergroup supergroup
07-06-2018 12:07 PM
auth_to_local is used to map a user's principal to a unix name only. It is not used for anything group-oriented.
By default, only the "hdfs" user is a superuser so it is the only user who can perform "chown" operations.
If you want to make other users superusers, you can do so by defining which group will be the "supergroup" and which users belong to it.
The group must be accessible via the OS (getent group supergroup). The default name for the supergroup is "supergroup".
In Cloudera Manager you can see this configuration in HDFS --> Configuration --> Superuser Group
Is there a reason you are trying to attach the "@domain" onto the group name?
I would recommend adding a group named "supergroup" if you don't need to change the default. Then add sbalusu as a member.
Note this has nothing to do with Kerberos at all at this point... this is all group mapping for hadoop.
07-06-2018 12:22 PM - edited 07-06-2018 12:34 PM
I apologise for the confusion, the supergroup I mentioned is email@example.com
In Cloudera Manager I changed this configuration in HDFS --> Configuration --> Superuser Group
and tried setting it to
firstname.lastname@example.org and then hadoopadmingroup, both of them did not work.
sssd is set up to have a domain name at the end of Unix group and Unix user. Somehow hdfs is not able to map user to group with the domain name at the end.
True, I agree this is not a Kerberos issue. My intention is to find if Hadoop can work having a domain name at the end of the group so that I can have a conversation with Unix team to trim domain name at the end of the group.
07-06-2018 12:38 PM
Yeah, I'm not sure if supergroup mapping will work if the group has the domain on it. I can't confirm it won't, but if you changed the group name, restarted HDFS, and still didn't have group access, that does indicate the config may not work.
You may try running "hdfs groups <user>" to see if that command "sees" your groups....
07-06-2018 12:52 PM
Ya, it does not seem to be working.
HDFS --> Configuration --> Superuser Group = email@example.com and then hadoopadmingroup, both of them yielded zero groups.
[firstname.lastname@example.org@hostname ~]$ hdfs groups email@example.com
[firstname.lastname@example.org@hostname ~]$ hdfs groups sbalusu_c
Thanks & Regards,
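A small diagnostic for the situation discussed in this thread, as an added example that is not part of any participant's post: it compares the name configured as Superuser Group with the group names the OS reports for a user (`id -Gn`), and flags the case where they differ only by an `@domain` suffix. The function names and the sample group `hadoopadmins@example.test` are constructed, and exact string matching between the configured name and the OS-reported name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# classify_supergroup CONFIGURED [GROUP...]
# Compares the configured superuser group name with the group names the OS
# reports for one user. Prints one of:
#   match | suffix-mismatch:<os group> | not-member | no-groups
classify_supergroup() {
    local configured=$1 g
    shift
    # No groups at all: the user or its groups did not resolve via the OS.
    if [ "$#" -eq 0 ]; then echo "no-groups"; return 0; fi
    for g in "$@"; do
        # Assumption: the configured name must equal the OS name exactly.
        if [ "$g" = "$configured" ]; then echo "match"; return 0; fi
    done
    for g in "$@"; do
        # Same short name, differing only by an @domain suffix on one side.
        if [ "${g%@*}" = "${configured%@*}" ]; then
            echo "suffix-mismatch:$g"; return 0
        fi
    done
    echo "not-member"
}

# check_user USER CONFIGURED
# Runs the same classification against the live OS on this host.
check_user() {
    local user=$1 configured=$2 oslist
    # The configured group itself should be visible through getent.
    getent group "$configured" >/dev/null 2>&1 ||
        echo "warning: getent cannot resolve group '$configured'" >&2
    oslist=$(id -Gn "$user" 2>/dev/null) || oslist=""
    # Word splitting is intentional: id -Gn separates names with spaces,
    # so a group name that itself contains a space is split incorrectly.
    classify_supergroup "$configured" $oslist
}

# Constructed sample: the OS reports a domain-suffixed group while the
# short name is configured as the superuser group.
classify_supergroup hadoopadmins users "hadoopadmins@example.test"
```

Run `check_user <user> <configured group>` on the NameNode host, since that is where HDFS resolves a user's groups; a `no-groups` result there corresponds to `hdfs groups <user>` returning nothing.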