
update all the files under /usr/hdp from root to non-root user


Hi,

I installed HDP 2.4 with root on the server; now I want to switch it to non-root. I replaced all the files from root to non-root, but when I restart the components in Ambari, most of them fail.

I assume I need to change their configurations too. Can you please advise how I should proceed?

Thanks,

SJ


Re: update all the files under /usr/hdp from root to non-root user

I understand your concern for security.

Ambari Agent needs to be able to change symlinks, e.g.,

/usr/hdp/current/hadoop-client -> /usr/hdp/#.#.#.#-####/hadoop
/usr/hdp/#.#.#.#-####/hadoop/conf -> /etc/hadoop/#.#.#.#-####/0

Also, some components end up modifying the contents inside /usr/hdp, such as Atlas.

/usr/hdp/current/atlas-server/hook/{hook}/{hook}.jar -> /usr/hdp/current/sqoop-client/lib/{hook}.jar

So at a minimum, the user running Ambari Agent should also own /usr/hdp/ and you can configure Ambari Agent as non-root: https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Ambari_Security_Guide/content/_how_to_co...

You should certainly worry about permissions for paths/configs like,

/var/lib/knox/data
storm.local.dir
yarn.nodemanager.local-dirs
etc.
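
A read-only check to go with the reply above, as an added example that is not part of the original thread: it lists entries under a tree that are not owned by the given user, entries that any local account can write to, and symlinks whose target is missing. The function names and output labels are illustrative; the tree (for example /usr/hdp) and the user running Ambari Agent are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh audit.sh /usr/hdp <agent-user>

# Entries not owned by USER. find does not follow symlinks by default, so a
# link such as /usr/hdp/current/hadoop-client is checked itself, not its target.
not_owned_by() {      # ROOT USER
    find "$1" ! -user "$2" -print
}

# Files and directories that any local account can write to. Symlink mode
# bits carry no meaning, so links are skipped.
world_writable() {    # ROOT
    find "$1" ! -type l -perm -0002 -print
}

# Symlinks whose target no longer exists (test -e follows the link).
dangling_links() {    # ROOT
    find "$1" -type l ! -exec test -e {} \; -print
}

# Print labelled findings; return 0 when the tree is clean, 1 otherwise.
audit_tree() {        # ROOT USER
    findings=$(
        not_owned_by "$1" "$2" | sed 's/^/OWNER /'
        world_writable "$1"    | sed 's/^/WRITABLE /'
        dangling_links "$1"    | sed 's/^/DANGLING /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    audit_tree "$1" "$2"
fi
```

The same functions can be pointed at the directories behind storm.local.dir and yarn.nodemanager.local-dirs with the service account that owns them.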
