Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to get the list of users

Labels:
avatar
author-rank kums
Expert Contributor

Created ‎08-19-2016 03:13 PM

Recently I was given an Hadoop Eco system to support. In this system, there is no Ranger, LDAP..etc etc..and the access was given directly to the boxes. Could you please suggest me some ways to get the list of users who uses our Hadoop System ?

32,436 Views
6 REPLIES 6

avatar
author-rank mqureshi
Super Guru

Created ‎08-19-2016 03:54 PM

@Kumar Veerappan

First the easy part. Let's assume Kerberos is enabled. Run "listprincs" using "kadmin" to find the service principals. Without LDAP and Kerberos enabled these are the users who have access to your cluster.

If Kerberos is not enabled, then pretty much all users on your cluster machines should be able to access your cluster.

19,624 Views

avatar
author-rank kums
Expert Contributor

Created ‎08-23-2016 03:53 PM

@mqureshi Kerberos is not enabled.

Is it enough if I pull the users from the name node and admin node ?

19,624 Views
0 Kudos

avatar
author-rank mqureshi
Super Guru

Created ‎08-23-2016 03:53 PM

@Kumar Veerappan

Without Kerberos, pretty much anyone can access your cluster. Your list of users who can access cluster is anyone who has access to the linux machines where cluster is running.

19,624 Views
0 Kudos

avatar
author-rank divakarreddy_a
Guru

Created ‎08-23-2016 04:15 PM

@Kumar Veerappan

We can find the list of users in linux and Hadoop as well:

1) List of users in Linux:

awk -F':' '{ print $1}' /etc/passwd

2) List of user in hadoop:

Go to Hue:

Look for user admin tab like hive & pig tabs in Hue

3) Check the users in HDFS:

ideally we can find user directory in hdfs as well /usr/<userID>/

19,624 Views

avatar
author-rank christopher_w_m
Expert Contributor

Created ‎08-23-2016 04:53 PM

+1, small correction that the HDFS directories will be under "/user" not "/usr":

hdfs dfs -ls /user
19,624 Views
0 Kudos

avatar
author-rank cstanca
Super Guru

Created ‎08-23-2016 10:28 PM

@Kumar Veerappana

Assuming that you are only interested who has access to Hadoop services, extract all OS users from all nodes by checking /etc/passwd file content. Some of them are legitimate users needed by Hadoop tools, e.g. hive, hdfs, etc.For hdfs, they will have a /user/username folder in hdfs. You can see that with hadoop -fs ls -l /user executed as a user member of the hadoop group. If they have access to hive client, they are able to also perform DDL and DML actions in Hive.

The above will allow you to understand the current state, however, this is your opportunity to improve security even without the bells and whistles of Kerberos/LDAP/Ranger. You can force the users to access Hadoop ecosystem client services via a few client/edge nodes, where only client services are running, e.g. Hive client. Users, other than power users, should not have accounts on name node, admin node or data nodes. Any user that can access those nodes where client services are running can access those services, e.g. hdfs or Hive.

19,624 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements