Support Questions


Create users in Hadoop/HDP 2.5


I just created users under /home on the edge node so they can work on Hadoop, but the users are not able to run Hive/YARN jobs. My cluster is already kerberized. Is there a way to allow these users to submit their jobs from the edge node?

Do we need to add these users in Hadoop/HDFS?

If the cluster has Kerberos and Ranger, is there a different way to do it?

Please advise.






@Sam Red

For a user to successfully submit a job, or even connect to Hive, in a kerberized environment, the user MUST first obtain a valid Kerberos ticket.

Can your users list the principals attached to their keytabs? E.g. for user opera1:

# su - opera1
$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1001)

The output above shows there is no valid Kerberos ticket, so follow the steps below as user opera1, assuming your keytabs are in that directory and the realm is DEV.COM:

$ klist -kt /etc/security/keytabs/opera1.keytab
Keytab name: FILE:/etc/security/keytabs/opera1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 18:28:26 opera1@DEV.COM
$ kinit -kt /etc/security/keytabs/opera1.keytab opera1@DEV.COM
$ hive

The user should now be able to run a job on the cluster!

Please let me know.


@Geoffrey Shelton Okot

Thank you again. This is the issue I am getting from beeline:

beeline> !connect jdbc:hive2://,,;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 username password
Connected to: Apache Hive (version 1.2.1000.
Driver: Hive JDBC (version 1.2.1000.
0: jdbc:hive2://host> select max(_TIMESTAMP(ts)) ;
INFO  : Tez session hasn't been created yet. Opening session
ERROR : Failed to execute tez graph.
org.apache.tez.dag.api.SessionNotRunning: TezSession has already shutdown. Application application_ failed 2 times due to AM Container for appattempt_ exited with  exitCode: -1000

Diagnostics: Application application_ID initialization failed (exitCode=255) with output: main : command provided 0
main : run as user is berlin
main : requested yarn user is berlin
User berlin not found

Failing this attempt. Failing the application.
        at org.apache.tez.client.TezClient.waitTillReady(
        at org.apache.hadoop.hive.ql.exec.tez.TezTask.updateSession(
        at org.apache.hadoop.hive.ql.exec.tez.TezTask.execute(
        at org.apache.hadoop.hive.ql.exec.Task.executeTask(
        at org.apache.hadoop.hive.ql.exec.TaskRunner.runSequential(
        at org.apache.hadoop.hive.ql.Driver.launchTask(
        at org.apache.hadoop.hive.ql.Driver.execute(
        at org.apache.hadoop.hive.ql.Driver.runInternal(
        at org.apache.hive.service.cli.operation.SQLOperation.runQuery(
        at org.apache.hive.service.cli.operation.SQLOperation.access$300(
        at org.apache.hive.service.cli.operation.SQLOperation$2$
        at Method)
        at org.apache.hive.service.cli.operation.SQLOperation$
        at java.util.concurrent.Executors$
        at java.util.concurrent.Executors$
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.tez.TezTask (state=08S01,code=1)
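The key line in the diagnostics above is "User berlin not found". One way to confirm it (a sketch, not part of the original thread) is to run getent on the NodeManager host that ran the failed container attempt, since getent consults the same NSS user database the YARN container executor uses to resolve the job user:

```shell
# Sketch: look up the user through NSS (local files, SSSD, LDAP, ...).
# No output from getent means the host cannot resolve the user, which is
# exactly the condition that makes the container exit with "User ... not found".
getent passwd berlin || echo "user berlin is not resolvable on $(hostname)"
```

If the lookup fails on any worker node, that node needs the user created (or joined to the directory service) before the job can run there.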

Rising Star


Could you please execute your query with beeline --verbose=true.

What happens if the query is run from Hive Cli?


@Sam Red

When your cluster is integrated with Kerberos security, the authenticated user must exist on every node where the task runs. So create the berlin user on all the hosts and add user berlin to the hadoop group; that should resolve the problem.

Please revert.


@Geoffrey Shelton Okot

Is there an easy way to add the user on all hosts? Please let me know.

Expert Contributor

@Geoffrey Shelton Okot

What about if the cluster is not using Kerberos (eg.


Hello 🙂 I have the same issue!

I integrated the edge node with Active Directory; users could connect and submit their jobs to YARN before Kerberos was enabled on the cluster.

I used Samba on the edge node to create the user folders and look up user information.

Now that I have configured Kerberos, I am getting the same error, "user1 not found", although user1 is in AD.

Should I now add this user with the normal useradd command on all nodes? How could it then be an AD user and not a local one? I did not configure Samba on the other nodes; should I do that?

Thanks a lot in advance!



As this is an older thread which was previously marked 'Solved', you would have a better chance of receiving a resolution by starting a new thread. This will also provide the opportunity to share details specific to your environment (for example, what happened once you added the affected user accounts with the "normal" useradd command on all nodes) that could help others provide a more relevant, accurate answer to your question.



Bill Brooks, Community Moderator


@Sam Red

Unfortunately, you will have to do it the classic way 🙂 Depending on your OS, adapt the appropriate commands and run them as root; the example below is for CentOS 6:

# useradd user15
# passwd user15

Then repeat that on all the hosts in the cluster. If you set up passwordless ssh from the Ambari server, it's easier!

# ssh root@host5
[root@host5 ~]# useradd user15 
[root@host5 ~]# passwd user15

Tedious work ..... if you have a cluster with 100 nodes!
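That repetition can be scripted. A minimal sketch, with assumptions not from the thread: host5 and host6 are placeholder hostnames, passwordless root ssh is already in place, and the commands are printed first so they can be reviewed before anything runs:

```shell
# Sketch only: emit one ssh/useradd command per host for review instead of
# executing it directly. -m creates the home directory; -G hadoop adds the
# new user to the hadoop group, as suggested earlier in the thread.
for host in host5 host6; do
  printf 'ssh root@%s "useradd -m -G hadoop user15"\n' "$host"
done
```

Once the printed commands look right, pipe the loop's output to sh to execute them, or replace the placeholder list with a `while read` loop over a real host file.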

New Contributor

You need to create user directories on HDFS for each user.

$ su - hdfs

Because your cluster is kerberized, you need to get a ticket for the hdfs user, something like this:

$ kinit -k -t /etc/security/keytabs/hdfs.service.keytab hdfs/

Now you can create an HDFS directory for your user.

$ hadoop fs -mkdir /user/berlin
$ hadoop fs -chown berlin /user/berlin
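For several users at once, the same mkdir/chown pair can be generated in a loop. A sketch, using berlin and opera1 (the example users from this thread) and assuming the hdfs ticket from the previous step is still valid; the commands are printed for review rather than run directly:

```shell
# Sketch: emit the HDFS home-directory commands per user; pipe to sh to run.
# -p makes mkdir a no-op for directories that already exist.
for u in berlin opera1; do
  printf 'hadoop fs -mkdir -p /user/%s\n' "$u"
  printf 'hadoop fs -chown %s /user/%s\n' "$u" "$u"
done
```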

If you're querying Hive, you could use a desktop tool like Aginity Workbench, which supports Kerberos connections.