Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Superuser privilege for new HDFS Admin doesn't work

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-20-2016 09:36 PM

Followed instructions here http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/hdfs-encr-appendix.html to create a new hdfs admin for the purpose of making TDE zones creation work. 

[opt1@tsys1 ~]$ groups
domain_users operator[opt1@tsys1 ~]$ hdfs dfsadmin -reportat org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
at org.apache.hadoop.hdfs.tools.DFSAdmin.main(DFSAdmin.java:2107)
report: Access denied for user opt1. Superuser privilege is required

Property values in Ambari shown below:

dfs.permissions.superusergroup=hdfs,operator

dfs.cluster.administrators=hdfs,opt1

hadoop.kms.blacklist.DECRYPT_EEK=opt1

8,252 Views
1 ACCEPTED SOLUTION

avatar
author-rank slachterman
Guru

Created ‎09-21-2016 01:48 AM

The change I am suggesting is dfs.permissions.superusergroup=operator

View solution in original post

4,596 Views
0 Kudos
5 REPLIES 5

avatar
author-rank slachterman
Guru

Created ‎09-20-2016 10:07 PM

I believe dfs.permissions.superusergroup can only contain a single value. If you change dfs.permissions.superusergroup to just 'operator' is the behavior as expected?

User hdfs will have still normal superuser access with this configuration change, since it starts the NameNode process.

4,596 Views
0 Kudos

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-21-2016 01:47 AM

tried removing hdfs and just left opt1 in the administrator property but still getting the same issue.

4,596 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎09-21-2016 01:48 AM

The change I am suggesting is dfs.permissions.superusergroup=operator

4,597 Views
0 Kudos

avatar
author-rank rgarcia
Expert Contributor

Created ‎09-21-2016 02:07 AM

removed hdfs in the superusergroup as well and just left operator, and it worked.

4,596 Views

avatar
author-rank lvazquez
Expert Contributor

Created ‎10-29-2018 06:48 PM

This information (as many others) is wrong in the official HDP Security course from Hortonworks. In the HDFS Encryption presentations of the course it states that to create an HDFS admin user to manage EZ is enough with setting the following

(copy/paste here):

dfs.cluster.administrators=hdfs,encrypter
hadoop.kms.blacklist.DECRYPT_EEK=hdfs,encrypter
4,595 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements