
Can proxyuser group be redefined as something else?


Dumped the current listing (Ambari > Admin > Service Accounts) in prep for physical deployment, and need to register these with a central service (but not AD/LDAP). Currently on HDP 2.3.0 and Ambari 2.1.1, but will be deploying to latest & greatest.

Questions:

1) Can "Proxyuser Group" be redefined to something other than "users"?

2) We have all of our 'human' users in group 'hadoop' on the PoC cluster. Is this a requirement? I'd prefer to have only service accounts in the hadoop group if possible.

3) We do not currently have Ranger installed, but plan to deploy. What service account(s) and/or group(s) will this service require?


Re: Can proxyuser group be redefined as something else?

@Cassandra Spencer, the answers are simple:

(1) No, it can be any other group. Actually, I don't use this setting, rather set groups per proxy-user (to "*" or particular groups).

(2) Human users: No, human users can be in any group. I usually keep service accounts in the hadoop group, like what you plan to do.

(3) Ranger will require its own service account, by default called "ranger". It can be in its own group; I use the "hadoop" group. If your cluster is Kerberized you'll need one more account, usually called "rangerlookup", to facilitate autocompletion of databases, tables, etc., with a headless principal and a password (keytab unsupported). The docs talk about a rangerlookup account per service (hdfs, hbase, etc.) but I use only one.
