How to create superuser same as hdfs?

Tried creating superuser same as hdfs as given in link - https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#The... , but it's not working.

I tried setting property "dfs.permissions.superusergroup = <newgroup>" but it's not working.

Can anyone please let me know if this was tested working successfully?

1 ACCEPTED SOLUTION

Hello @Sagar Shimpi.

Yes, this has been tested successfully. After changing dfs.permissions.superusergroup in hdfs-site.xml, it would require a NameNode restart for the change to take effect. If this cluster uses NameNode HA with QuorumJournalManager, then both NameNodes need to be restarted.

If that still doesn't work, then a helpful troubleshooting step would be to try running "hdfs groups <username>", where <username> is the user that you have added to the group that you want to be the HDFS supergroup. This command will print out a list of that user's group memberships, as perceived by the NameNode. If the list does not show your configured supergroup, then this indicates there is some kind of misconfiguration. Perhaps the user has not really been added to the group, or perhaps there is some custom group mapping in effect for your cluster that is not behaving as expected. More information on how group mapping works is available here:

http://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#Group...

@Jonas Straub I tried the link too, but still no luck.

Hi @Chris Nauroth.

I changed the dfs.permissions.superusergroup in /etc/hadoop/2.3.2.0-2950/0/hdfs-site.xml.

Then I restarted all components for HDFS from the Ambari view. It appears that the change I had made in hdfs-site.xml has vanished. Am I doing it wrong or something?

Hi @Lubin Lemarchand

Try to change the parameter through Ambari. Go to HDFS -> Config and search for dfs.permissions.superusergroup

Ambari stores the configuration in a database which is the truth of configuration. If you directly modify configuration files that are managed by Ambari, it will update the file and delete your modification at service restart. See this link doc

Hi @Chris Nauroth

It worked for me. My mistake was that I was putting the value of dfs.permissions.superusergroup as comma-separated values.

Now I removed the default value "hdfs" and replaced it with my new group and it worked.

1 final question - I see that every time I put a new group in the property "dfs.permissions.superusergroup", whoever the users within that group are, they are superusers now. For example -

group1- hdfs1 (user - test1)

group2- hdfs2 (user - test2)

group3- hdfs3 (user - test3)

1st time I had the value of "dfs.permissions.superusergroup=hdfs1", and restarted hdfs. User "test1" was assigned/given rights as superuser.

2nd time I had the value of "dfs.permissions.superusergroup=hdfs2", and restarted hdfs. User "test2" was assigned/given rights as superuser.

3rd time I had the value of "dfs.permissions.superusergroup=hdfs3", and restarted hdfs. User "test3" was assigned/given rights as superuser.

Thus users (test1, test2, and test3) are now acting as my superusers and have the same privileges as hdfs.

So now if I want to revoke the rights, what is the way to do that?

@Sagar Shimpi, the NameNode will not persist or otherwise remember who is a super-user or a member of the super-group across process restarts. In your example, after setting dfs.permissions.superusergroup=hdfs3 and restarting the NameNode, only members of the hdfs3 group (i.e. user test3) would have super-user rights. (Also, the user ID that launched the NameNode process is always the super-user. That part is not changed by configuration.)
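
The checks discussed in this thread, as an added example that is not part of any post: a shell function that decides whether a user holds HDFS super-user rights from the configured supergroup, the NameNode process owner and the output of `hdfs groups`. The function name and the sample values are constructed, and it assumes the `user : group1 group2` line format that `hdfs groups` prints.

```shell
#!/bin/sh
# Added example (not from the thread). Collect the inputs on the NameNode host:
#   $1 supergroup  : hdfs getconf -confKey dfs.permissions.superusergroup
#   $2 nn_user     : account that launched the NameNode process
#   $3 groups_line : hdfs groups <username>   (format "user : grp1 grp2")
# Returns 0 = super-user, 1 = not super-user, 2 = input/config problem.
check_superuser() {
    supergroup=$1; nn_user=$2; groups_line=$3

    # The property holds one group name. A comma-separated list is the
    # misconfiguration reported in the thread.
    case $supergroup in
        '')  echo "supergroup is empty"; return 2 ;;
        *,*) echo "supergroup '$supergroup' looks like a list; use one group"; return 2 ;;
    esac

    # Split "user : grp1 grp2" into the user and the membership list.
    case $groups_line in
        *' :'*) ;;
        *) echo "unrecognised 'hdfs groups' output"; return 2 ;;
    esac
    user=${groups_line%% :*}
    memberships=${groups_line#* :}

    # The NameNode process owner is always super-user, whatever the config says.
    if [ "$user" = "$nn_user" ]; then
        echo "$user launched the NameNode: super-user"; return 0
    fi

    # Whole-word match: supergroup 'hdfs' must not match membership 'hdfs1'.
    case " $memberships " in
        *" $supergroup "*) echo "$user is in $supergroup: super-user"; return 0 ;;
    esac
    echo "$user is not in $supergroup: not super-user"; return 1
}

# Constructed sample values modelled on the thread's test1/hdfs1 .. test3/hdfs3 setup.
check_superuser hdfs3 hdfs "test3 : users hdfs3"
check_superuser hdfs3 hdfs "test1 : users hdfs1" || true
check_superuser "hdfs1,hdfs2" hdfs "test1 : users hdfs1" || true
```

On a live cluster, rerun the check after every NameNode restart, since that is when a changed supergroup takes effect.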