Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

For Kerberos enable HDP Cluster does all the UID in /etc/passwd should be > 1000? . How instal hpd with Ambari will address this UID

Labels:
avatar
author-rank Jacqueline
Contributor

Created ‎04-30-2017 07:32 AM

Hi ,

When we are installing hpd using Ambari Blue Print, how can we make sure all service a/c get created with UID > 1000? .

I see below error in Hive beeline Kerberos enable hdp

Requested user hive is not whitelisted and has id 500,which is below the minimum allowed 1000

Thanks

JJ

2,770 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 06:08 PM

Hi @Jacqualin jasmin - looking at the /etc/passwd in my lab, I see a mixture of service logins with ids of around 500 and others are over 1000. Hive specifically is less than 1000. I also looked at a larger secured production cluster, and all the service logins were over 1000. Looks like you have several options: (1) set min.user.id=500, but not sure this is advisable from security perspective, (2) create new accounts over 1000 and use those to launch your jobs, (3) white list the user somehow (not entirely sure how to do that), or (4) update the service accounts with higher numbers.

View solution in original post

2,511 Views
0 Kudos
4 REPLIES 4

avatar
author-rank abokor2 author-rank
Contributor

Created ‎05-01-2017 10:51 PM

I cannot get your question.

Why do you think you need to update the group file?

2,511 Views
0 Kudos

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 01:01 PM

Hi @Jacqualin jasmin - Ambari generally takes care of this during installation. I just looked at a lab environment that was Ambari installed, and see the group numbers are all < 1000. I've worked with many customers, and never seen a case where this needed to be changed. As a result, I don't think you need to change this.

2,511 Views
0 Kudos

avatar
author-rank Jacqueline
Contributor

Created ‎05-02-2017 04:45 PM

Hi Eddie,

Sorry about the misleading. I mean uid in /etc/passwd file. Does all the service a/c should have uid > 1000.

After enabling Kerberos, i see the error message as below

user hive is not whitelisted and has id 500,which is below the minimum allowed 1000

Does Ambari does not take care of this , when we mention min.user.id=1000 in the file : /etc/hadoop/conf/container-executor.cfg.

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_ambari_reference_guide/content/_defining_...

: All new service user accounts, and any existing user accounts used as service users, must have a UID >= 1000

Thanks

JJ

2,511 Views
0 Kudos

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 06:08 PM

Hi @Jacqualin jasmin - looking at the /etc/passwd in my lab, I see a mixture of service logins with ids of around 500 and others are over 1000. Hive specifically is less than 1000. I also looked at a larger secured production cluster, and all the service logins were over 1000. Looks like you have several options: (1) set min.user.id=500, but not sure this is advisable from security perspective, (2) create new accounts over 1000 and use those to launch your jobs, (3) white list the user somehow (not entirely sure how to do that), or (4) update the service accounts with higher numbers.

2,512 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements