Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How do HDFS Permissions work after Kerberos is enabled

Labels:
avatar
author-rank Seaport
Expert Contributor

Created ‎01-13-2025 11:07 AM

I use CDP Private Cloud Base 7.1.7 and just enabled Kerberos security. I followed the setup documentation but could not proceed further than this step <https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-se...>.

In short, I lost "supergroup" access to hdfs. Here are details.

* I created an AD account mysuperuser@example.com and an AD group mysupergroup@example.com.
* After Kerberos is enabled, I changed dfs.permissions.superusergroup=mysupergroup, and restarted the cluster. Certainly,  "mysupergroup" and "mysuperuser" do not exist anywhere in Hdfs POSIX permission settings.
* I kinited mysuperuser@example.com, but got hdfs permission denied error. It looks like that Kerberos could not understand AD groups associated with the kinited account.
* Then I changed dfs.permissions.superusergroup=mysuperuser, restarted all services, but still got permission denied error.

I intended to use Ranger to manage HDFS resource permissions. I could not get Ranger properly installed due to the HDFS permission error. Ranger depends on Solr and Solr uses HDFS. Right now Solr gave me an HDFS access error (Java error) - Caused by: org.apache.hadoop.ipc.RemoteException: Permission denied: user=solr, access=WRITE, inode="/":hdfs:supergroup:drwxr-xr-x.

I am trying to understand how HDFS permission works after enabling Kerberos but before Ranger is operational. Right now I can only access hdfs via kiniting the hdfs keytab file, which should only be used as a last resort.

Thank you.

Best regards,

68 Views
0 Kudos
2 REPLIES 2

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎01-14-2025 05:46 PM

@james_jones @pajoshi Do you have some insights here? Thanks!

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
30 Views
0 Kudos

avatar
author-rank james_jones author-rank
Super Collaborator

Created ‎01-14-2025 06:30 PM

@Seaport,  Let's address the kerberos issue before Ranger.

  1. Can you kinit as hdfs user?  (on the NN with the hdfs keytab /var/run/cloudera-scm-agent/process/<a_number>-hdfs-NAMENODE/hdfs.keytab) 
  2. Once you have a hdfs kerberos ticket, can you list directories?
  3. Did you properly configure sssd, integrated with AD in example.com realm on ALL cluster nodes? For the HDFS issue you're seeing, the group mapping, via sssd, to user is required on the active NN, but eventually you need it working on all nodes.
  4. If you run the command "id mysuperuser", is he in mysupergroup?

For the Solr issue, check the CM -> Solr -> Configurations -> HDFS Data Directory. It should be something like /solr. If it's correct, you need to selecting CM -> Solr -> Actions -> Create HDS Home Dir. Then restart Solr. Note that after you install Ranger, the service name, znode and HDFS Home Dir will change to something like /solr-infra. If you need Solr for your own data (not service infrastructure like Solr and Atlas), install a separate Solr instance after installing Ranger.

Good luck.

20 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
View More Announcements