
what is the real hdfs user name?


Expert Contributor

Hi All,

When I kinit for hdfs in my kerberized cluster securityLab

kinit -kt hdfs.headless.keytab hdfs-securityLab@MYDOMAIN.COM

what is the real user name?

Is it hdfs or hdfs-securityLab?

Some services are taking it as hdfs and some not.

Please clarify.

Thanks,

Avijeet

4 REPLIES

Re: what is the real hdfs user name?

Super Guru

@Avijeet Dash

In this particular example that you shared, the Kerberos principal is "hdfs-securityLab" and "MyDomain" is your "Kerberos realm".

Re: what is the real hdfs user name?

Expert Contributor

@mqureshi

Thanks, how about hdfs - is that a valid user? I am able to add hdfs in Ranger but after kinit it becomes hdfs-securityLab. And I can't get hdfs-securityLab in Ranger.

As Ranger usersync cannot get the hadoop service principals correctly, they get all jumbled.

Thanks,

Avijeet

Re: what is the real hdfs user name?

Super Guru

@Avijeet Dash

I am not sure I understand your comment. hdfs is the Hadoop superuser (think root in Linux). So you are saying that you kinit hdfs@/_host@REALM.COM and it becomes hdfs-securityLab? How do you know that happens? Also, can you please check your auth_to_local rules in your core-site.xml?

https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html

Re: what is the real hdfs user name?

You are supposed to have hadoop.security.auth_to_local defined in your core-site.xml and that rule translates principals to local users. You can use

$ hadoop org.apache.hadoop.security.HadoopKerberosName hdfs-securityLab@MYDOMAIN.COM

to check whether it works as expected. Some links:

Fine Tune Hadoop Security Settings

Auth-to-local Rules Syntax
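
The principal-to-user mapping the replies refer to, as an added example that is not part of the original thread and is not Hadoop's own code: a small Python model of how hadoop.security.auth_to_local rules turn a principal into a short name. The rule set and default realm are constructed assumptions built around the principal in the question, and the model omits Hadoop's check that rejects results still containing "@" or "/".

```python
import re

# Constructed rule set (assumption, not the poster's actual core-site.xml).
RULES = """
RULE:[1:$1@$0](hdfs-securityLab@MYDOMAIN.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@MYDOMAIN.COM)s/@.*//
RULE:[2:$1@$0](nn@MYDOMAIN.COM)s/.*/hdfs/
DEFAULT
"""
DEFAULT_REALM = "MYDOMAIN.COM"  # assumed default realm

# RULE:[n:format](match)s/from/to/g with optional (match), sed part and /L
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?$")

def components(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def expand(fmt, parts, realm):
    """$0 is the realm, $1..$n are the name components."""
    vals = [realm] + parts
    return re.sub(r"\$(\d)", lambda m: vals[int(m.group(1))], fmt)

def short_name(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Return the local user chosen by the first rule that applies."""
    parts, realm = components(principal)
    for line in rules.split():
        if line == "DEFAULT":
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        n, fmt, match, frm, to, g, lower = m.groups()
        if len(parts) != int(n):
            continue  # rule is for a different number of components
        base = expand(fmt, parts, realm)
        if match is not None and not re.fullmatch(match, base):
            continue  # filter regex must match the whole string
        if frm is not None:
            base = re.sub(frm, to, base, count=0 if g else 1)
        return base.lower() if lower else base
    raise LookupError(f"no rule applies to {principal}")
```

With the first rule present the headless principal maps to hdfs; without it, the generic realm-stripping rule yields hdfs-securityLab, which is the mismatch described in the question.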
