Cloudera Docs

Step 5: Create the HDFS superuser

To create home directories for users, you need access to the HDFS superuser account.

CDP automatically creates the HDFS superuser account on each cluster host during CDP installation. When you enable Kerberos for the HDFS service, you lose access to the default HDFS superuser account using sudo -u hdfs commands. Cloudera recommends that you use a different user account as the superuser, rather than the default hdfs account.

Designating a Non-default Superuser Group

To designate a different group of superusers instead of using the default hdfs account:

  1. Open the Cloudera Manager Admin console and navigate to the HDFS service.
  2. Click the Configuration tab.
  3. Select Scope > HDFS (Service-Wide).
  4. Select Category > Security.
  5. Locate the Superuser Group property and change the value to the appropriate group name for your environment. For example, <superuser>.
  6. Enter a Reason for change, then click Save Changes to commit the changes.
  7. Restart the HDFS service.

To enable your access to the superuser account now that Kerberos is enabled, you must now create a Kerberos principal or an Active Directory user whose first component is <superuser>:

If you are using Active Directory

Add a new user account to Active Directory, <superuser>@YOUR-REALM.COM. The password for this account should be set to never expire.

If you are using MIT KDC

  1. In the kadmin.local or kadmin shell, type the following command to create a Kerberos principal called <superuser>:
    kadmin:  addprinc <superuser>@YOUR-LOCAL-REALM.COM
    This command prompts you to create a password for the <superuser> principal. You should use a strong password because having access to this principal provides superuser access to all of the files in HDFS.
  2. To run commands as the HDFS superuser, you must obtain Kerberos credentials for the <superuser> principal. To do so, run the following command and provide the appropriate password when prompted.
    kinit <superuser>@YOUR-LOCAL-REALM.COM

If you are using Red Hat IdM/FreeIPA

  1. On the Identity > Users page, click the Add button.
  2. Specify the superuser principal name in the User login field, complete the remaining fields, then click Add.