Designating a Non-default Superuser Group
To designate a different group of superusers instead of using the default
hdfs
account:
- Open the Cloudera Manager Admin console and navigate to the HDFS service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Superuser Group property and change the value to the appropriate group name for your environment. For example, <superuser>.
- Enter a Reason for change, then click Save Changes to commit the changes.
- Restart the HDFS service.
To enable your access to the superuser account now that Kerberos is enabled, you must now create a Kerberos principal or an Active Directory user whose first component is <superuser>:
If you are using Active Directory
Add a new user account to Active Directory,
<superuser>@YOUR-REALM.COM
. The password for this account should be
set to never expire.
If you are using MIT KDC
- In the
kadmin.local
orkadmin
shell, type the following command to create a Kerberos principal called <superuser>:kadmin: addprinc <superuser>@YOUR-LOCAL-REALM.COM
This command prompts you to create a password for the <superuser> principal. You should use a strong password because having access to this principal provides superuser access to all of the files in HDFS. - To run commands as the HDFS superuser, you must obtain Kerberos credentials for the
<superuser> principal. To do so, run the following command and
provide the appropriate password when
prompted.
kinit <superuser>@YOUR-LOCAL-REALM.COM
If you are using Red Hat IdM/FreeIPA
- On the Add button. page, click the
- Specify the superuser principal name in the User login field, complete the remaining fields, then click Add.