cloudera service accounts

Hello, recently we installed Cloudera 5.14 using Cloudera Manager and enabled Kerberos (with an admin Cloudera service account) with AD, also integrated with SafeNet HSM. Recently our audit team sent us the below service accounts, saying these are Cloudera service accounts. The accounts below don't have any naming convention or description. I wonder, does Cloudera have anything to do with the creation of these accounts?

svc_OZBuulcctJ

svc_PLYKXvyiqR

svc_CwvmEaMslN

svc_MphlvTooUe

svc_wCmRqxTCXP

svc_UrDrnzDMQj

svc_HtESHbVmye

svc_FmamEIrInH

svc_KqqklHtaWJ

svc_UnPXVrEwTV

svc_WWqTpUXLEh

svc_ZaOvXFkwXb

svc_fmDKHYZsCc

svc_oNDnQpatWa

svc_IHwJIQmPGF

svc_dohgzKTxyG

svc_ygyhjyKyPC

svc_ToGRzAiWnB

svc_rDsPZPAmVY

svc_rVKbPfiAMP

svc_ygQOSUMKxS


Re: cloudera service accounts

Rising Star

@BiggieSmalls 

During Kerberos setup with AD, Cloudera creates some random accounts needed by some processes, but those would be in the dedicated OU which you mentioned while configuring Kerberos.

I am not sure if these accounts are staying in that OU. For a better understanding of how Active Directory integration for Kerberos authentication works in Cloudera, you can refer to the blog post below; hope this will help you identify the issue.


https://blog.cloudera.com/blog/2014/07/new-in-cloudera-manager-5-1-direct-active-directory-integrati...

Re: cloudera service accounts

Hello, 

The problem is that these service accounts need to be denied interactive login according to our organization's policies, since they don't have any description or owner. These kinds of accounts might come up in auditing, so we need to make them non-interactive. Is it okay to make them non-interactive? Will the Kerberos/Cloudera setup still be fine without any issues in the future?

Re: cloudera service accounts

All the service accounts created are in the dedicated Cloudera OU.

Re: cloudera service accounts

Rising Star

@BiggieSmalls 

 

No, I am afraid you cannot delete it, as it is used by CM.

 

@bgooley want to put more light into this?

Re: cloudera service accounts

We do not want to delete them; as of now they are interactive AD accounts, but we want to make them non-interactive as per our organization's compliance policies.

Re: cloudera service accounts

Super Guru

@BiggieSmalls ,

 

Interesting... I just replied to this thread, but I couldn't see the most recent comments.  Sorry if my previous comment seemed out of place.

 

I don't know what is meant by making the accounts "inactive" but I don't think that will work for Cloudera Manager.

The credential objects created are needed for Kerberos authentication, so that means they must be functional for Kerberos in general.  I'm guessing that if the account is inactive, that will disable Kerberos authentication, too, thus impacting the cluster.

 

Find out what your company's criteria are for accounts that can operate as needed by CM.

If it would help with the security audit compliance, it is possible to make the accounts "computer" accounts by having Cloudera Manager create the objects while including the "computer" objectclass.  Confirm with your Active Directory audit team to verify that this would help... if so, then the following might help:

 

For example:

 

(1)

 

In Cloudera Manager, navigate to:

Administration --> Settings --> Kerberos

 

Review Active Directory Account Properties that defaults to:

 

accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user

 

(2)

 

Active Directory Account Properties lets you add objectclasses.  To do so, you can change the value to:

 

accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user,objectClass=computer

 

Save

 

(3)

*** NOTE:  If your AD account for CM to manage credentials does not have permission to delete objects in the base DN defined in Active Directory Suffix in your CM Kerberos configuration, or Active Directory Delete Accounts on Credential Regeneration is not enabled in the CM Kerberos configuration, then you will need to delete the objects manually in AD before continuing...

 

To have the change take effect:

 

- Shut down Cloudera Management Service and all your CDH services

- Regenerate Credentials by:

      - Navigating in CM to Administration --> Security --> Kerberos Credentials (subtab)

      - Checking the box next to the "Principals" column header (to select all credentials)

      - Clicking Regenerate Selected to regenerate all credentials.

 

- Verify that the objects were created with the "computer" objectclass (in Active Directory).

 

 

Re: cloudera service accounts

Thanks for the insights @bgooley @GangWar.

So making them non-interactive means we cannot log in to a computer with the service account, but the account is still active in AD. So, what I want to know is: Cloudera has created random accounts which are interactive, i.e. we can log in to a machine using those accounts as a user. Can they be changed to non-interactive?

Re: cloudera service accounts

Super Guru

@BiggieSmalls ,

 

Oh man... guess I'm getting rusty with Windows concepts.

I agree that Hadoop does not require the accounts to be interactive (able to log into Windows).  They are only necessary from the KDC (Kerberos) perspective, so as long as they can still be used for Kerberos, that should work.

 

NOTE:  If you add new roles or new hosts, Cloudera will create new objects, so I'm not sure how you would want to anticipate that.

Re: cloudera service accounts

Super Guru

@BiggieSmalls ,

 

I think the real question here is why your audit team is talking with you.  Was there a concern regarding the accounts?

 

Without more information, it appears that these objects may have been created by Cloudera Manager, which manages Kerberos credentials in Active Directory.  Cloudera randomizes the CN value of the credentials object and then prefixes it with what is configured in Active Directory Account Prefix in the Cloudera Manager configuration (Administration --> Settings --> Kerberos).

 

You can look at the userPrincipalName or servicePrincipalName to see if they contain your cluster's hostnames as a way of seeing if they apply to your current CDH cluster.

 

NOTE:  If these are objects used by your current installation, removing them would cause your CDH roles to fail in various ways.  Also, changing the passwords on any of them would require Cloudera Manager to regenerate the credentials.  Make sure you are clear about why they are approaching you about these objects.
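The two checks suggested in this thread (read the userPrincipalName / servicePrincipalName of each svc_ object to see whether it names a host of the current cluster, and verify the objectclass after regenerating credentials) can be scripted from an AD admin workstation. The following is an added example written for this thread, not code from Cloudera or from any of the posters; it assumes the RSAT ActiveDirectory module, and the OU DN, the "svc_" prefix, and the cluster host list are placeholders you replace with the values from your own Cloudera Manager Kerberos configuration.

```powershell
# Added example, not from the thread: inventory the credential objects that
# Cloudera Manager created in the dedicated OU and check each one against the
# cluster. Placeholders (assumptions): the OU DN, the account prefix and the
# cluster host list. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ClouderaCredentialReport {
    param(
        [string]   $SearchBase,     # CM "Active Directory Suffix" (OU where CM creates objects)
        [string]   $Prefix,         # CM "Active Directory Account Prefix"
        [string[]] $ClusterHosts    # FQDNs of the current CDH hosts
    )

    $props = 'userPrincipalName', 'servicePrincipalName', 'accountExpires', 'description'
    # All user-class objects in the OU whose CN starts with the prefix
    $filter  = "(&(objectClass=user)(cn=$Prefix*))"
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter -Properties $props

    foreach ($o in $objects) {
        # Kerberos principals look like service/host@REALM; take the host part
        # of every SPN and of the UPN so the object can be matched to a cluster node.
        $spnHosts = @($o.servicePrincipalName |
            ForEach-Object { (($_ -split '@')[0] -split '/')[-1].ToLower() })
        $upnHost  = if ($o.userPrincipalName) {
            (($o.userPrincipalName -split '@')[0] -split '/')[-1].ToLower()
        } else { $null }
        $hosts = @($spnHosts + $upnHost | Where-Object { $_ } | Sort-Object -Unique)

        [pscustomobject]@{
            Name             = $o.Name
            # ObjectClass reports the most specific structural class, so an object
            # regenerated with objectClass=computer added shows 'computer' here.
            ObjectClass      = $o.ObjectClass
            # accountExpires=0 (the CM default) and the Int64 maximum both mean "never"
            NeverExpires     = ($o.accountExpires -eq 0 -or $o.accountExpires -eq 9223372036854775807)
            HasDescription   = [bool]$o.description
            PrincipalHosts   = ($hosts -join ',')
            # True when at least one principal names a host of the current cluster
            BelongsToCluster = [bool]($hosts | Where-Object { $ClusterHosts -contains $_ })
        }
    }
}

# Example invocation with constructed placeholder values
$report = Get-ClouderaCredentialReport `
    -SearchBase   'OU=cloudera,DC=example,DC=com' `
    -Prefix       'svc_' `
    -ClusterHosts @('cdh-master01.example.com', 'cdh-worker01.example.com', 'cdh-worker02.example.com')

# Objects that reference no current cluster host deserve a closer look before
# anyone decides what to do with them; the rest are live Kerberos credentials.
$report | Sort-Object BelongsToCluster, Name | Format-Table -AutoSize
```

Run it with the same account CM uses to manage credentials (read access to the OU is enough). An entry with BelongsToCluster set to False is not automatically safe to remove; as the thread points out, CM creates new objects whenever roles or hosts are added, so re-run the report after such changes and before acting on any audit finding.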

 
