Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

rights for /etc/hadoop/


I have used ambari rest api to install only kerberos and hdfs clients on a machine from my cluster.

I am unable to access the hdfs (hadoop fs -ls / command)

with a user not belonging to hadoop group because there are no reading permission for /etc/hadoop/

My question is : if I manually give permissions to this file will ambari modify them if on cluster level there will be an update on the hdfs-site.xml ?

Are you aware of this issue ? Is there known workaround? I want to limit the packages installed on this node(i do not wish to install all the clients as done by ambari gui).

Thank you,



Super Guru
@Corina Nebela

If you modify the file contents of a file managed by Ambari, it will overwrite the file, next time it is refreshed. Ambari database acts as a source of truth. Now, I am not sure it will modify permissions although I guess the permissions will remain the same. A quick way to test is to modify permissions -> change some content in the file -> save and see if file permissions also changed. Then go back and revert the change.

I have already tested it , it seems that it does not change the permissions unless the file is deleted, if so when it recreates it (refresh config issued from ambari) it recreates it without reading permissions, i was hoping for a solution that would cover this case also

Super Mentor

@Corina Nebela

I think that you will need to do the "kinit" first. Before running the "hdfs" commands you wil need to do the "kinit" to get the ticket. But the permission of the keytab also will be "hdfs:hadoop"

$ ls -lart /etc/security/keytabs/hdfs.headless.keytab
-r--r-----. 1 hdfs hadoop 343 Aug 10 13:43 /etc/security/keytabs/hdfs.headless.keytab

Similarly permission for "hdfs-site.xml" will be same "hdfs:hadoop". But at least you have the read permission so any user can read the file.

$ ls -lart /etc/hadoop/ 
-rw-r--r--. 1 hdfs hadoop 9371 Aug 19 10:03 /etc/hadoop/


But somehow if the root user gives access to the keytab file to the newly created user (not in Hadoop group) then that user will be able to do "kinit" and then later will be able to run the "hdfs" commands.

the kinit is not an issue, i know how to manage that, i am actually creating a new keytab for that user...and then I am able to access hdfs if I add read permissions on hdfs-site...

hdfs-site has no reading permissions by default if I only install the hdfs_client . I have tested adding new clients (yarn_client for example) and then the reading permissions are added to hdfs-site, I am not sure why ...

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.