How to install Hawq without using "gpadmin" as a user?

Contributor

Hi,

My company's policy is to have all service accounts follow certain standards. A user named "gpadmin" does not meet our standards. Is there a way to have a different system user? I looked at the code and it looks like it could be modified, but generally that would eliminate the option of support.

1 ACCEPTED SOLUTION

Master Mentor

@Ian Maloney this is from Pivotal

"It's not possible to have a customized user/role for Pivotal HDB.

However, if one goes to Open Source Apache HAWQ, downloads the source code and compiles with whatever user, that username will become the gpadmin role."


8 REPLIES

Master Mentor

Contributor

@Artem Ervits, that doc makes no reference to hawq or gp admin. When I install, I'm blocked because the Ambari Hawq installer tries to create a user gpadmin and /home/gpadmin. This is not allowed.

Master Mentor

@Ian Maloney looks like you're out of luck http://hdb.docs.pivotal.io/210/hawq/clientaccess/roles_privs.html

Apache HAWQ is offered by Hortonworks but support primarily is offered by Pivotal. We cannot speak for design decisions of our partners. I will see if I can escalate this to our partner relations group.

  • Secure the gpadmin system user. HAWQ requires a UNIX user id to install and initialize the HAWQ system. This system user is referred to as gpadmin in the HAWQ documentation. This gpadmin user is the default database superuser in HAWQ, as well as the file system owner of the HAWQ installation and its underlying data files. This default administrator account is fundamental to the design of HAWQ. The system cannot run without it, and there is no way to limit the access of this gpadmin user id. Use roles to manage who has access to the database for specific purposes. You should only use the gpadmin account for system maintenance tasks such as expansion and upgrade. Anyone who logs on to a HAWQ host as this user id can read, alter or delete any data; specifically system catalog data and database access rights. Therefore, it is very important to secure the gpadmin user id and only provide access to essential system administrators. Administrators should only log in to HAWQ as gpadmin when performing certain system maintenance tasks (such as upgrade or expansion). Database users should never log on as gpadmin, and ETL or production workloads should never run as gpadmin.

Master Mentor

@Ian Maloney re-read the note and it doesn't necessarily say customization of the service account is not supported. I'm looking for a more concrete statement though.

Master Mentor

@Ian Maloney best source of information will still be Pivotal but when I'm in doubt, I refer to manual installation guides (without Ambari) on how things are done. There's a manual guide for HAWQ, perhaps replacing gpadmin user with your naming convention will work, I just can't confirm it. http://hdb.docs.pivotal.io/210/hdb/install/install-cli.html

Contributor

Thanks @Artem Ervits, I'll update this once I figure out what we end up doing


I will test this also... As far as I know, via Ambari, the user must be gpadmin. If you are installing manually, you can set the OS user to be anything you want. However, the postgres user is gpadmin. I will get a Pivotal engineer to answer this also...hopefully in a day or so.
