Support Questions

Find answers, ask questions, and share your expertise

cloudera service accounts

avatar

Hello, recently we installed cloudera 5.14 using cloudera manager and enabled kerberos(admin cloudera service account) with AD, Also integrated with safenet HSM. recently our audit team sent us the below service accounts saying these are Cloudera service accounts : Below accounts doesn't have any naming convention or description. I wonder does Cloudera has anything to do with these account creation?

svc_OZBuulcctJ

svc_PLYKXvyiqR

svc_CwvmEaMslN

svc_MphlvTooUe

svc_wCmRqxTCXP

svc_UrDrnzDMQj

svc_HtESHbVmye

svc_FmamEIrInH

svc_KqqklHtaWJ

svc_UnPXVrEwTV

svc_WWqTpUXLEh

svc_ZaOvXFkwXb

svc_fmDKHYZsCc

svc_oNDnQpatWa

svc_IHwJIQmPGF

svc_dohgzKTxyG

svc_ygyhjyKyPC

svc_ToGRzAiWnB

svc_rDsPZPAmVY

svc_rVKbPfiAMP

svc_ygQOSUMKxS

10 REPLIES 10

avatar
Master Guru

@BiggieSmalls ,

 

I think the real question here is why is your audit team talking with you.  Was there a concern regarding the accounts?

 

Without more information, it appears that these objects may have been created by Cloudera Manager that manages Kerberos Credentials in Active Directory.  Cloudera randomizes the CN value of the credentials object and then prefixes it with what is configured in Active Directory Account Prefix in the Cloudera Manager configuration (Administration --> Settings --> Kerberos).

 

You can look at the userPrincipalName or servicePrincipalName to see if they contain your cluster's hostnames as a way of seeing if they apply to your current CDH cluster.

 

NOTE:  If these are objects used by your current installation, removing them would cause your CDH roles to fail in various ways.  Also, changing the passwords on any would require Cloudera Manager regenerate the credentials.  Make sure you are clear about why they are approaching you about these objects.