
rights for /etc/hadoop/2.4.2.0-258/0/hdfs-site.xml

Hello,

I have used the Ambari REST API to install only the Kerberos and HDFS clients on a machine from my cluster.

I am unable to access HDFS (the hadoop fs -ls / command) with a user not belonging to the hadoop group because there is no read permission for /etc/hadoop/2.4.2.0-258/0/hdfs-site.xml.

My question is: if I manually give permissions to this file, will Ambari modify them if there is an update to hdfs-site.xml at the cluster level?

Are you aware of this issue? Is there a known workaround? I want to limit the packages installed on this node (I do not wish to install all the clients as done by the Ambari GUI).

Thank you,

Corina

@Corina Nebela

If you modify the contents of a file managed by Ambari, it will overwrite the file the next time it is refreshed. The Ambari database acts as a source of truth. Now, I am not sure it will modify permissions, although I guess the permissions will remain the same. A quick way to test is to modify permissions -> change some content in the file -> save and see if the file permissions also changed. Then go back and revert the change.

I have already tested it. It seems that it does not change the permissions unless the file is deleted; if so, when it recreates it (refresh config issued from Ambari), it recreates it without read permissions. I was hoping for a solution that would cover this case also.

@Corina Nebela

I think that you will need to do the "kinit" first. Before running the "hdfs" commands you will need to do the "kinit" to get the ticket. But the permission of the keytab also will be "hdfs:hadoop".

$ ls -lart /etc/security/keytabs/hdfs.headless.keytab
-r--r-----. 1 hdfs hadoop 343 Aug 10 13:43 /etc/security/keytabs/hdfs.headless.keytab

Similarly, the permission for "hdfs-site.xml" will be the same, "hdfs:hadoop". But at least you have the read permission, so any user can read the file.

$ ls -lart /etc/hadoop/2.4.2.0-258/0/hdfs-site.xml 
-rw-r--r--. 1 hdfs hadoop 9371 Aug 19 10:03 /etc/hadoop/2.4.2.0-258/0/hdfs-site.xml

But somehow if the root user gives access to the keytab file to the newly created user (not in Hadoop group) then that user will be able to do "kinit" and then later will be able to run the "hdfs" commands.

The kinit is not an issue, I know how to manage that. I am actually creating a new keytab for that user, and then I am able to access HDFS if I add read permissions on hdfs-site.

hdfs-site has no read permissions by default if I only install the hdfs_client. I have tested adding new clients (yarn_client for example) and then the read permissions are added to hdfs-site. I am not sure why.
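
An added example, not part of the original thread and not Ambari's own tooling: a small audit that can be run after a config refresh to catch both cases discussed above, a client *-site.xml recreated without read permission for users outside the group, and a keytab that has become readable by everyone. The function names and finding labels are made up for this sketch; the directories are passed as arguments (for instance the /etc/hadoop/2.4.2.0-258/0 and /etc/security/keytabs paths shown in the thread).

```shell
#!/bin/sh
# Added example: audit the two permission classes discussed in this thread.
# Hypothetical helper names; only ls, cut and the shell itself are used.

# Print "r" if "other" has read permission on $1, "-" otherwise.
# Character 8 of the ls mode string (e.g. -rw-r--r--) is the other-read bit.
other_read() {
    ls -ld -- "$1" | cut -c8
}

# audit_client_node CONF_DIR KEYTAB_DIR
# Prints one line per finding; returns 0 when clean, 1 when anything was found.
audit_client_node() {
    conf_dir=$1
    keytab_dir=$2
    findings=0

    # Client configs must be readable by users outside the owning group,
    # otherwise "hadoop fs -ls /" fails for them as described in the question.
    for f in "$conf_dir"/*-site.xml; do
        [ -e "$f" ] || continue
        if [ "$(other_read "$f")" != "r" ]; then
            echo "CONFIG_NOT_WORLD_READABLE $f"
            findings=$((findings + 1))
        fi
    done

    # Keytabs hold long-term Kerberos keys: read access for "other" is a finding.
    for f in "$keytab_dir"/*.keytab; do
        [ -e "$f" ] || continue
        if [ "$(other_read "$f")" = "r" ]; then
            echo "KEYTAB_WORLD_READABLE $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh CONF_DIR KEYTAB_DIR
if [ "$#" -eq 2 ]; then
    audit_client_node "$1" "$2"
fi
```

A non-zero exit status makes it easy to hook into cron or a monitoring check, so a refresh that recreates hdfs-site.xml without read permission is noticed before users hit it.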
