Appendix: Creating an HDFS Admin User
To capitalize on the capabilities of HDFS data at rest encryption, you will need two separate types of HDFS administrative accounts:
HDFS administrative user: an account in the
hdfs
supergroup that is used to manage encryption keys and encryption zones. Examples in this chapter use an administrative user account namedencr
.HDFS service user: the system-level account traditionally associated with HDFS. By default this is user
hdfs
in HDP. This account owns the HDFS DataNode and NameNode processes.Important This is a system-only account. Physical users should not be given access to this account.
Complete the following steps to create a new HDFS administrative user.
Note: These steps use sample values for group
(operator
) and user account (opt1
).
Create a new group called
operator
.Add a new user (for example,
opt1
) to the group.Add principal
opt1@EXAMPLE.COM
and create a keytab.Login as
opt1
, and do akinit
operation.In Ambari, replace the current value of
dfs.permissions.superusergroup
with the group name “operator”.Note You can add only one administrator group to the
dfs.permissions.superusergroup
parameter.In Ambari, add
hdfs,operator
todfs.cluster.administrators
:Add
opt1
to the KMS blacklist. Set the corresponding property in Ambari:hadoop.kms.blacklist.DECRYPT_EEK=opt1
Restart HDFS.
Validation
Make sure the opt1
account has HDFS administrative access:
hdfs dfsadmin -report
Make sure the opt1
account cannot access encrypted files. For
example, if /data/test/file.txt
is in an encryption zone, the
following command should return an error:
hdfs dfs -cat /data/test/file.txt
Additional Administrative User Accounts
If you plan to use HDFS data at rest encryption with YARN, we recommend that you create a separate administrative user account for YARN administration.
If you plan to use HDFS data at rest encryption with Oozie, refer to the Oozie section of this chapter.