Hive user has id below 1000, when deploying kerberized cluster with CloudBreak 2.7

Explorer

Hi

I'm using CloudBreak 2.7 for deploying my clusters. For the record: I didn't have that issue with CBD 2.6

Issue:
In my kerberized cluster, when trying to start Hive Interactive I get this error:

Requested user hive is not whitelisted and has id 982,which is below the minimum allowed 1000

When I check /etc/passwd I can see that half of the HDP services are below 1000 and some are above, so this error message is valid. For security I don't want to decrease the minimum value for this. Is there a fix for that?

Many thanks in advance.

3 REPLIES

Super Mentor

@Jakub Igla

Kerberized clusters use "LinuxContainerExecutor", which can be tuned based on our requirement to set the min.user.id setting inside the /etc/hadoop/conf/container-executor.cfg or via Ambari as

Services > YARN > Configs tab > Advanced tab > Advanced yarn-env > "Minimum user ID for submitting job" 

Please refer to the following link [1] to know more about the following message:

Requested user XXXXX is not whitelisted and has id 507,which is below the minimum allowed 1000

[1] https://community.hortonworks.com/articles/2439/linuxcontainerexecutor-security-best-practices.html
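As an added example (not part of the original thread and not Hadoop's own code): a simplified Python re-creation of the LinuxContainerExecutor user check behind the error above, run over a constructed container-executor.cfg and /etc/passwd sample to show which service accounts would be rejected. The function names and sample data are assumptions; `banned.users` and `allowed.system.users` are the other user-related keys in container-executor.cfg, and the fallback of 1000 is assumed from the error message.

```python
# Added example: simplified model of the container-executor user check.
# Sample files below are constructed for illustration (hive uid taken from the thread).
SAMPLE_CFG = """\
yarn.nodemanager.linux-container-executor.group=hadoop
banned.users=hdfs,yarn,mapred,bin
min.user.id=1000
allowed.system.users=
"""
SAMPLE_PASSWD = """\
hive:x:982:981:Hive:/home/hive:/bin/bash
ambari-qa:x:1001:1001::/home/ambari-qa:/bin/bash
hdfs:x:1005:1002:Hadoop HDFS:/home/hdfs:/bin/bash
"""

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def csv_set(value):
    """Split a comma-separated config value into a set of names."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def parse_passwd(text):
    """Map user name -> numeric uid from passwd-format text."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            users[parts[0]] = int(parts[2])
    return users

def check_user(name, uid, cfg):
    """Return 'below-min', 'banned' or 'ok' for one account."""
    min_uid = int(cfg.get("min.user.id", 1000))  # assumed fallback
    if uid < min_uid and name not in csv_set(cfg.get("allowed.system.users")):
        return "below-min"  # the "not whitelisted and has id N" rejection
    if name in csv_set(cfg.get("banned.users")):
        return "banned"
    return "ok"

def audit(cfg_text, passwd_text, accounts):
    """Verdict per account; 'missing' if it has no passwd entry."""
    cfg, users = parse_cfg(cfg_text), parse_passwd(passwd_text)
    return {a: check_user(a, users[a], cfg) if a in users else "missing" for a in accounts}

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_CFG, SAMPLE_PASSWD, ["hive", "ambari-qa", "hdfs"]).items():
        print(f"{account}: {verdict}")
```

Running the same audit against the real files on each NodeManager host after provisioning shows whether a randomly assigned service uid landed below the threshold before any job fails.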

Explorer

Hi @Jay Kumar SenSharma

Yes, I'm aware of those settings and, as I said (the link above also mentions this), I would like to avoid changing the default value. My question is more about why Cloudbreak 2.7 creates service principals with low IDs when I enable Kerberos?

Cloudera Employee

Hi @Jakub Igla,

We're investigating this issue.

Could you share with us which Ambari blueprint you are using?

Cloudbreak doesn't manage these IDs and it seems they are generated randomly between a range.

I suggest trying cluster creation again; sometimes the hive user gets an ID higher than 1000.

Regards,

Adam
