Support Questions

Find answers, ask questions, and share your expertise

Backing up Namenode FSImage

avatar
New Contributor

Hi all,

 

I'm trying to backup fsimage on a secure cluster with the -fetchImage command.

I want to execute it without using hdfs user, but with an administrative user(adminUser) which belongs to hdfs' supergroup (dfs.permissions.supergroup, dfs.permissions.superusergroup = supergroup)

adminUser is local to the machine.

 

When I try the command:

kinit adminUser

hdfs dfsadmin -fetchImage /backup_folder

 

I obtain the following error:

 

15/05/11 16:38:42 WARN security.UserGroupInformation: PriviledgedActionException as:adminUser@<DOMAIN.LOCAL> (auth:KERBEROS) cause:org.apache.hadoop.hdfs.server.namenode.TransferFsImage$HttpGetFailedException: Image transfer servlet at http://<namenode>:50070/imagetransfer?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet
fetchImage: Image transfer servlet at http://<namenode>:50070/imagetransfer?getimage=1&txid=latest failed with status code 403
Response message:
Only Namenode, Secondary Namenode, and administrators may access this servlet

 

However, others dfsadmin commands (like -report) work fine with adminUser.

 

Thanks in advance

1 ACCEPTED SOLUTION

avatar
The list of users who are allowed to run this command are dictated by the list in the property dfs.cluster.administrators. In clusters managed by Cloudera Manager 4.x, the property is not set by default. In clusters managed by Cloudera Manager 5.x, the property is set to "hdfs" by default. So if this command is run as the hdfs user on any node on the cluster, the command will succeed.

You can try setting dfs.cluster.administrators to the list of users and groups who are allowed to perform this operation and then try again. It will require a restart of the Namenode(s) to take effect.

<property>
<name>dfs.cluster.administrators</name>
<value>user1,user2,user3 group1,group2,group3</value>
</property>
Regards,
Gautam Gopalakrishnan

View solution in original post

2 REPLIES 2

avatar
The list of users who are allowed to run this command are dictated by the list in the property dfs.cluster.administrators. In clusters managed by Cloudera Manager 4.x, the property is not set by default. In clusters managed by Cloudera Manager 5.x, the property is set to "hdfs" by default. So if this command is run as the hdfs user on any node on the cluster, the command will succeed.

You can try setting dfs.cluster.administrators to the list of users and groups who are allowed to perform this operation and then try again. It will require a restart of the Namenode(s) to take effect.

<property>
<name>dfs.cluster.administrators</name>
<value>user1,user2,user3 group1,group2,group3</value>
</property>
Regards,
Gautam Gopalakrishnan

avatar
New Contributor

It works!

 

Thanks!