Create an HDFS Admin User

How to create an HDFS admin user.

To capitalize on the capabilities of HDFS data at rest encryption, you will need two separate types of HDFS administrative accounts:

• HDFS administrative user: an account in the hdfs supergroup that is used to manage encryption keys and encryption zones. Examples in this chapter use an administrative user account named encr.
• HDFS service user: the system-level account traditionally associated with HDFS. By default this is user hdfs in HDP. This account owns the HDFS DataNode and NameNode processes.

	Note
	This is a system-only account. Physical users should not be given access to this account.

Complete the following steps to create a new HDFS administrative user.

Note: These steps use sample values for group (operator) and user account (opt1).

1. Create a new group called operator.
2. Add a new user (for example, opt1) to the group.
3. Add principal opt1@EXAMPLE.COM and create a keytab.
4. Login as opt1, and do a kinit operation.
5. In Ambari, replace the current value of dfs.permissions.superusergroup with the group name “operator”.

   	Note
   	You can assign only one administrator group for the dfs.permissions.superusergroup parameter.

6. In Ambari, add hdfs,operator to dfs.cluster.administrators:
   
7. Add opt1 to the KMS blacklist. Set the corresponding property in Ambari: hadoop.kms.blacklist.DECRYPT_EEK=opt1.
8. Restart HDFS.