Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Superuser privilege for new HDFS Admin doesn't work

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-20-2016 09:36 PM

Followed instructions here http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/hdfs-encr-appendix.html to create a new hdfs admin for the purpose of making TDE zones creation work. 

[opt1@tsys1 ~]$ groups
domain_users operator[opt1@tsys1 ~]$ hdfs dfsadmin -reportat org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
at org.apache.hadoop.hdfs.tools.DFSAdmin.main(DFSAdmin.java:2107)
report: Access denied for user opt1. Superuser privilege is required

Property values in Ambari shown below:

dfs.permissions.superusergroup=hdfs,operator

dfs.cluster.administrators=hdfs,opt1

hadoop.kms.blacklist.DECRYPT_EEK=opt1

8,634 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank slachterman
Guru

Created ‎09-21-2016 01:48 AM

The change I am suggesting is dfs.permissions.superusergroup=operator

View solution in original post

4,978 Views
0 Kudos
0
5 REPLIES 5

avatar
author-rank slachterman
Guru

Created ‎09-20-2016 10:07 PM

I believe dfs.permissions.superusergroup can only contain a single value. If you change dfs.permissions.superusergroup to just 'operator' is the behavior as expected?

User hdfs will have still normal superuser access with this configuration change, since it starts the NameNode process.

4,978 Views
0 Kudos

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-21-2016 01:47 AM

tried removing hdfs and just left opt1 in the administrator property but still getting the same issue.

4,978 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎09-21-2016 01:48 AM

The change I am suggesting is dfs.permissions.superusergroup=operator

4,979 Views
0 Kudos
0

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-21-2016 02:07 AM

removed hdfs in the superusergroup as well and just left operator, and it worked.

4,978 Views

avatar
author-rank lvazquez
Expert Contributor

Created ‎10-29-2018 06:48 PM

This information (as many others) is wrong in the official HDP Security course from Hortonworks. In the HDFS Encryption presentations of the course it states that to create an HDFS admin user to manage EZ is enough with setting the following

(copy/paste here):

dfs.cluster.administrators=hdfs,encrypter
hadoop.kms.blacklist.DECRYPT_EEK=hdfs,encrypter
4,977 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements