
HDP cluster with no security - how are users authenticated?


Contributor

I am running an HDP cluster without Knox, Ranger, or Kerberos enabled. All Ambari users need to log in with a password and each node has local user accounts with a password.

Question #1: What level of security does this cluster have - no security or basic security?

Question #2: Because there is no centralized security management, how does HDP manage the HDFS permissions?  The user/group accounts used in HDFS permissions are actually local users and authenticated by the local Linux OS, right?

Question #3: I used the command below to change the owner of an HDFS folder to the Ambari user admin. I understand that hadoop is a group name, but it is not an Ambari group. So how does this work - a combination of an Ambari user account and a Linux group?

 

 hdfs dfs -chown admin:hadoop /user/admin

 

 


Re: HDP cluster with no security - how are users authenticated?

Rising Star

@Seaport - Please find the answers for all your questions:

 

Question #1: What level of security does this cluster have - no security or basic security?

If Kerberos or Ranger is not enabled, then the cluster will be non-secure.

Question #2: Because there is no centralized security management, how does HDP manage the HDFS permissions? The user/group accounts used in HDFS permissions are actually local users and authenticated by the local Linux OS, right?

HDFS files and directories are created based on the umask set in the HDFS configurations. Yes, your understanding is correct about the user/groups.

The permissions of files and directories are controlled based on the ACL set on these files and directories.

Question #3: I used the command below to change the owner of an HDFS folder to the Ambari user admin. I understand that hadoop is a group name, but it is not an Ambari group. So how does this work - a combination of an Ambari user account and a Linux group?

====
hdfs dfs -chown admin:hadoop /user/admin
====

I didn't get your last question completely. All the service users are part of the Hadoop Group.


Re: HDP cluster with no security - how are users authenticated?

Contributor

@ngarg Thanks for the quick reply. 

Regarding question #3, the hdfs chown command changes a directory's owner to admin and group owner to hadoop.  As we established in Question #2, all users or groups used in my cluster are local. However, admin is not a user account on any of my Linux nodes. I confirmed that with the command "cat /etc/passwd". In other words, admin is an account that only exists in Ambari, and hadoop is a group account that only exists in local Linux. (I have not created any group in Ambari.)

So how does HDFS differentiate local Linux accounts/groups vs Ambari accounts/groups?

 

 

hdfs dfs -chown admin:hadoop /user/admin

 

 

The following link confirmed that the user identity mechanism is extrinsic to HDFS. So my understanding is that my non-security cluster can identify users via two mechanisms, local Linux OS or Ambari. HDFS simply takes the established identity as is. To answer my own question, HDFS does not differentiate between local Linux accounts/groups and Ambari accounts/groups. If I create a local user account "admin" on the namenode, HDFS will consider this local admin the same identity as the "admin" established by Ambari. Am I on the right path?

https://hadoop.apache.org/docs/r3.1.1/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html
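
As an added example (not part of the original thread, and not Cloudera or Hadoop code), the Python script below reads the Hadoop settings that decide how a cluster like the one discussed above establishes and checks identities, and reports what each implies. The sample XML is constructed, the fallback values are the defaults from Hadoop's core-default.xml and hdfs-default.xml, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Hadoop defaults, applied when a property is absent from the site files.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.security.group.mapping":
        "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback",
    "dfs.permissions.enabled": "true",
}

def load_props(*xml_docs):
    """Merge <property> name/value pairs from Hadoop *-site.xml documents."""
    props = dict(DEFAULTS)
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if name:
                props[name] = (prop.findtext("value") or "").strip()
    return props

def assess(props):
    """Return findings describing how identities are established and checked."""
    findings = []
    auth = props["hadoop.security.authentication"].lower()
    if auth != "kerberos":
        findings.append("authentication=%s: the NameNode accepts the user name "
                        "reported by the client; no credential is verified" % auth)
    if props["hadoop.security.authorization"].lower() != "true":
        findings.append("service-level authorization is disabled")
    if props["dfs.permissions.enabled"].lower() != "true":
        findings.append("HDFS permission checking is disabled")
    findings.append("groups are resolved by " + props["hadoop.security.group.mapping"])
    return findings

# Constructed sample: a core-site.xml for a cluster without Kerberos.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    for line in assess(load_props(SAMPLE_CORE_SITE)):
        print("-", line)
```

On a real node, pass the contents of the cluster's core-site.xml and hdfs-site.xml to `load_props` instead of the sample string.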
