Configuring the HDFS superuser in Kerberos

Hello,

One question regarding the documentation of Kerberos, and more specifically "Step 5: Create the HDFS superuser". As the document states:

Cloudera recommends you use a different user account as the superuser, not the default hdfs account.

However, later in the steps described, the description mixes the notion of group and user and it is not quite clear what should be configured:

5. Locate the Superuser Group property and change the value to the appropriate group name for your environment. For example, <superuser>.

Assuming that group is what should be configured here (it can't be a user in that property), the rest of the configuration does not make sense, as it says that we need to "create a Kerberos principal called <superuser>". But Kerberos principals refer to users and services and not groups.

In any case, the above configuration does not work. Can someone clarify the documentation?

Thank you!

1 ACCEPTED SOLUTION

It is a group. By default, Hadoop creates the user hdfs in the group hdfs. The first statement does make it confusing, but it assumes the defaults, as that is the only user in the group. You could add users to the group as well (not recommended).

The last portion referencing the Kerberos principal is just pointing out that it isn't enough to have a user in the superusergroup/supergroup; they also need a valid Kerberos principal.

In reality, the users in the group you assign to that property will have Kerberos principals already.

I also recommend, as Cloudera does, to not use the default hdfs group.

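The relationship described in the accepted answer, as an added example that is not part of the original thread or of Cloudera's documentation: it reads `dfs.permissions.superusergroup` from an hdfs-site.xml fragment and reports which users are effectively HDFS superusers, which requires both membership in that group and a Kerberos principal. The group name `hdfsadmins`, the users, the principals, the realm and the NameNode account are constructed sample values, and the principal-to-user mapping is a simplified form of Hadoop's DEFAULT `auth_to_local` rule.

```python
import xml.etree.ElementTree as ET

# Constructed hdfs-site.xml fragment; "hdfsadmins" is a hypothetical group name.
HDFS_SITE = """<configuration>
  <property>
    <name>dfs.permissions.superusergroup</name>
    <value>hdfsadmins</value>
  </property>
</configuration>"""

# Constructed sample data: group membership as resolved on the NameNode host,
# and the principals that exist in the KDC. All names are hypothetical.
GROUPS = {"hdfs": ["hdfs"], "alice": ["analysts", "hdfsadmins"], "bob": ["hdfsadmins"]}
PRINCIPALS = {"hdfs/nn1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM", "carol@EXAMPLE.COM"}
DEFAULT_REALM = "EXAMPLE.COM"
NAMENODE_USER = "hdfs"  # assumed account running the NameNode; it is always a superuser

def superuser_group(site_xml):
    """Read dfs.permissions.superusergroup; Hadoop's default is 'supergroup'."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name") == "dfs.permissions.superusergroup":
            return prop.findtext("value").strip()
    return "supergroup"

def short_name(principal):
    """Simplified DEFAULT auth_to_local rule: first component, default realm only."""
    name, _, realm = principal.partition("@")
    return name.split("/")[0] if realm == DEFAULT_REALM else None

def audit(site_xml, groups, principals):
    """Classify every known user: group membership and a principal are both required."""
    group = superuser_group(site_xml)
    authenticated = {short_name(p) for p in principals} - {None}
    report = {}
    for user in sorted(set(groups) | authenticated):
        in_group = user == NAMENODE_USER or group in groups.get(user, [])
        has_princ = user in authenticated
        if in_group and has_princ:
            report[user] = "superuser"
        elif in_group:
            report[user] = "in group, no principal"
        else:
            report[user] = "not superuser"
    return report

if __name__ == "__main__":
    print(audit(HDFS_SITE, GROUPS, PRINCIPALS))
```

On a real cluster the same inputs come from `hdfs getconf -confKey dfs.permissions.superusergroup`, `hdfs groups <user>` and the KDC's principal list.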