Created 06-28-2018 08:29 AM
Hi
I'm using CloudBreak 2.7 for deploying my clusters. For the record: I didn't have that issue with CBD 2.6
Issue:
In my kerberized cluster, when trying to start Hive Interactive I get this error:
Requested user hive is not whitelisted and has id 982,which is below the minimum allowed 1000
When I check /etc/passwd I can see that half of the HDP services are below 1000 and some are above, so this error message is valid. For security I don't want to decrease the minimum value for this. Is there a fix for that?
Many thanks in advance.
Created 06-28-2018 08:48 AM
Kerberized clusters use "LinuxContainerExecutor", which can be tuned based on our requirements by setting min.user.id inside /etc/hadoop/conf/container-executor.cfg or via Ambari at
Services > YARN > Configs tab > Advanced tab > Advanced yarn-env > "Minimum user ID for submitting job"
Please refer to the following link [1] to know more about the following message:
Requested user XXXXX is not whitelisted and has id 507,which is below the minimum allowed 1000
[1] https://community.hortonworks.com/articles/2439/linuxcontainerexecutor-security-best-practices.html
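The check behind that message can be reproduced offline before a cluster start fails on it. The following is an added example, not code from this thread or from Hadoop: it approximates the LinuxContainerExecutor user check from the contents of container-executor.cfg and /etc/passwd. The sample file contents are constructed, the 1000 fallback is assumed from the error message above, and `allowed.system.users` is the whitelist key that message refers to.

```python
# Added example: approximates the user checks made by container-executor.
# SAMPLE_CFG and SAMPLE_PASSWD are constructed, not taken from a real node.
SAMPLE_CFG = """\
yarn.nodemanager.linux-container-executor.group=hadoop
banned.users=hdfs,yarn,mapred,bin
min.user.id=1000
allowed.system.users=
"""
SAMPLE_PASSWD = """\
hive:x:982:982:Hive:/home/hive:/bin/bash
hdfs:x:1003:1003:HDFS:/home/hdfs:/bin/bash
ambari-qa:x:1001:1001::/home/ambari-qa:/bin/bash
"""


def parse_cfg(text):
    """Parse the key=value lines of container-executor.cfg into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def names(value):
    """Split a comma-separated user list, ignoring empty entries."""
    return {v.strip() for v in value.split(",") if v.strip()}


def check_users(cfg_text, passwd_text, users):
    """Return {user: verdict} for each account that may submit containers."""
    cfg = parse_cfg(cfg_text)
    min_uid = int(cfg.get("min.user.id") or 1000)  # assumed fallback
    banned = names(cfg.get("banned.users", ""))
    allowed = names(cfg.get("allowed.system.users", ""))
    fields = (line.split(":") for line in passwd_text.splitlines())
    uids = {f[0]: int(f[2]) for f in fields if len(f) >= 3 and f[2].isdigit()}
    verdicts = {}
    for user in users:
        uid = uids.get(user)
        if uid is None:
            verdicts[user] = "unknown user"
        elif user in banned:
            verdicts[user] = "banned"
        elif uid < min_uid and user not in allowed:
            verdicts[user] = f"rejected: id {uid} below {min_uid}, not whitelisted"
        else:
            verdicts[user] = "ok"
    return verdicts
```

On a real node, pass the contents of /etc/hadoop/conf/container-executor.cfg and /etc/passwd instead of the sample strings.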
Created 06-28-2018 09:06 AM
Yes, I'm aware of those settings, and as I said (the link above also mentions this) I would like to avoid changing the default value. My question is more about why Cloudbreak 2.7 creates service principals with low IDs when I enable Kerberos?
Created 06-28-2018 03:23 PM
Hi @Jakub Igla,
We're investigating this issue.
Could you share with us which Ambari blueprint you are using?
Cloudbreak doesn't manage these IDs and it seems they are generated randomly within a range.
I suggest trying cluster creation again; sometimes the hive user gets an ID higher than 1000.
Regards,
Adam