Support Questions

Find answers, ask questions, and share your expertise

cloudera service accounts

avatar

Hello, recently we installed cloudera 5.14 using cloudera manager and enabled kerberos(admin cloudera service account) with AD, Also integrated with safenet HSM. recently our audit team sent us the below service accounts saying these are Cloudera service accounts : Below accounts doesn't have any naming convention or description. I wonder does Cloudera has anything to do with these account creation?

svc_OZBuulcctJ

svc_PLYKXvyiqR

svc_CwvmEaMslN

svc_MphlvTooUe

svc_wCmRqxTCXP

svc_UrDrnzDMQj

svc_HtESHbVmye

svc_FmamEIrInH

svc_KqqklHtaWJ

svc_UnPXVrEwTV

svc_WWqTpUXLEh

svc_ZaOvXFkwXb

svc_fmDKHYZsCc

svc_oNDnQpatWa

svc_IHwJIQmPGF

svc_dohgzKTxyG

svc_ygyhjyKyPC

svc_ToGRzAiWnB

svc_rDsPZPAmVY

svc_rVKbPfiAMP

svc_ygQOSUMKxS

10 REPLIES 10

avatar
Master Guru

@BiggieSmalls 

During Kerberos setup with AD Cloudera creates some random accounts needed by some processes but that would be in the dedicated OU which you have mentioned while configuring Kerberos.

I am not sure if these accounts are staying in that OU. For more understanding how Active Directory Integration for Kerberos Authentication works in Cloudera you can refer below blog post, hope this will help you to identify the issue.


https://blog.cloudera.com/blog/2014/07/new-in-cloudera-manager-5-1-direct-active-directory-integrati...


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar

Hello, 

problem is that these service accounts needs to be denied interactive login according to our organization policies since they don't have any description or owner. these kind of accounts might come up in auditing so we need to make them non-interactive. Is it okay to make them non-interactive? Will the Kerberos/Cloudera setup still be fine without any issues in the future?

avatar
all the service accounts created are in dedicated cloudera OU.

avatar
Master Guru

@BiggieSmalls 

 

No, I am afraid you can not delete it as it is used by CM. 

 

@bgooley want to put more light into this?


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar

we donot want to delete them , as of now they are interactive AD accounts but we want to make non-interactive as per our organization compliance policies.

avatar
Master Guru

@BiggieSmalls ,

 

Interesting... I just replied to this thread, but I couldn't see the most recent comments.  Sorry if my previous comment seemed out of place.

 

I don't know what is meant by making the accounts "inactive" but I don't think that will work for Cloudera Manager.

The credential objects created are needed for Kerberos authentication, so, that means they must be function for Kerberos in general.  I'm guessing that if the account is inactive, that will disable Kerberos authentication, too, thus impacting the cluster.

 

Find out what your company's criteria is for accounts that can operate as needed by CM.

If it would help with the security audit compliance, it is possible to make the accounts "computer" accounts by having Cloudera Manager create the objects while including the "computer" objectclass.  Confirm with your Active Directory audit team to verify that that would help... if so, then the following might help:

 

For example:

 

(1)

 

In Cloudera Manager, navigate to:

Adminsitration --> Settings --> Kerberos

 

Review Active Directory Account Properties that defaults to:

 

accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user

 

(2)

 

Active Directory Account Properties let's you add objectclasses.  To do so, you can change the value to:

 

accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user,objectClass=computer

 

Save

 

(3)

*** NOTE:  If your AD account for CM to manage credentials does not have permission to delete objects in the base DN defined in Active Directory Suffix in your CM Kerberos configuration or Active Directory Delete Accounts on Credential Regeneration  is not enabled in the CM Kerberos configuration, then you will need to delete the objects manually in AD before continuing...

 

To have the change take effect:

 

- Shut down Cloudera Management Service and all your CDH services

- Regenerate Credentials by:

      - Navigating in CM to Administration --> Security --> Kerberos Credentials (subtab)

      - Checking the box next to the "Principals" column header (to select all credentials)

      - Click Regenerate Selected to regenerate all credentials.

 

- Verify that the objects were created with the "computer" objectclass (in Active Directory).

 

 

avatar

thanks for the insights @bgooley  @GangWar .

So making them non-interactive means we cannot login into a computer with the service account  but the account is  still be active in AD. So, what I want to know is Cloudera has created random accounts which are interactive i.e we can login to a machine using those accounts as a user, Can they be changed to non-interactive?

avatar
Master Guru

@BiggieSmalls ,

 

Oh man... guess I'm getting rusty with Windows concepts.

I agree that hadoop does not require the accounts to be interactive (be able to log into windows).  They are only necessary from the KDC (Kerberos) perspective so as long as they can still be used for Kerberos, that should work.

 

NOTE:  If you add new roles or new hosts, Cloudera will create new objects, so I'm not sure how you would want to anticipate that.

avatar
Explorer

i , did you find a solution for that , i have the same request by audit team.