Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

For Kerberos enable HDP Cluster does all the UID in /etc/passwd should be > 1000? . How instal hpd with Ambari will address this UID

Labels:
avatar
author-rank Jacqueline
Contributor

Created ‎04-30-2017 07:32 AM

Hi ,

When we are installing hpd using Ambari Blue Print, how can we make sure all service a/c get created with UID > 1000? .

I see below error in Hive beeline Kerberos enable hdp

Requested user hive is not whitelisted and has id 500,which is below the minimum allowed 1000

Thanks

JJ

2,175 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 06:08 PM

Hi @Jacqualin jasmin - looking at the /etc/passwd in my lab, I see a mixture of service logins with ids of around 500 and others are over 1000. Hive specifically is less than 1000. I also looked at a larger secured production cluster, and all the service logins were over 1000. Looks like you have several options: (1) set min.user.id=500, but not sure this is advisable from security perspective, (2) create new accounts over 1000 and use those to launch your jobs, (3) white list the user somehow (not entirely sure how to do that), or (4) update the service accounts with higher numbers.

View solution in original post

1,916 Views
0 Kudos
4 REPLIES 4

avatar
author-rank abokor2 author-rank
Contributor

Created ‎05-01-2017 10:51 PM

I cannot get your question.

Why do you think you need to update the group file?

1,916 Views
0 Kudos

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 01:01 PM

Hi @Jacqualin jasmin - Ambari generally takes care of this during installation. I just looked at a lab environment that was Ambari installed, and see the group numbers are all < 1000. I've worked with many customers, and never seen a case where this needed to be changed. As a result, I don't think you need to change this.

1,916 Views
0 Kudos

avatar
author-rank Jacqueline
Contributor

Created ‎05-02-2017 04:45 PM

Hi Eddie,

Sorry about the misleading. I mean uid in /etc/passwd file. Does all the service a/c should have uid > 1000.

After enabling Kerberos, i see the error message as below

user hive is not whitelisted and has id 500,which is below the minimum allowed 1000

Does Ambari does not take care of this , when we mention min.user.id=1000 in the file : /etc/hadoop/conf/container-executor.cfg.

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_ambari_reference_guide/content/_defining_...

: All new service user accounts, and any existing user accounts used as service users, must have a UID >= 1000

Thanks

JJ

1,916 Views
0 Kudos

avatar
author-rank eddie2
Contributor

Created ‎05-02-2017 06:08 PM

Hi @Jacqualin jasmin - looking at the /etc/passwd in my lab, I see a mixture of service logins with ids of around 500 and others are over 1000. Hive specifically is less than 1000. I also looked at a larger secured production cluster, and all the service logins were over 1000. Looks like you have several options: (1) set min.user.id=500, but not sure this is advisable from security perspective, (2) create new accounts over 1000 and use those to launch your jobs, (3) white list the user somehow (not entirely sure how to do that), or (4) update the service accounts with higher numbers.

1,917 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements