FAQ
It isn't exactly like that, but I believe the specific situation
you're thinking about is of disallowing 'hdfs' as an authenticate-able
user at the LDAP/KDC level, such that no user can ever authenticate as
'hdfs@REALM'. This restriction is possible to do at your end of
things, yes.
On Sat, May 17, 2014 at 12:13 PM, Anurag Tangri wrote:
Thanks Harsh,

I remember if you have Kerberos with ldap, then HDFS is not super user even if you start namenode as hdfs.
Is it true ?

Thanks,
Anurag Tangri
On May 16, 2014, at 8:55 PM, Harsh J wrote:

Hi,
On Sat, May 17, 2014 at 9:15 AM, Anurag Tangri wrote:
Thanks Harsh.

Even if we define a super user group and HDFS account is not added to it ?
Yes, the owner of the NameNode process is automatically its foremost superuser.
Is there some way to not let hdfs be super user n only people in super user ldap group ?
There's no known way to prevent the owner of the process to not be the
superuser. This is per design.
If I start namenode with my id,hdfs won't be super user ?
Yes, it would not be a superuser anymore.
On May 16, 2014, at 8:29 PM, Harsh J wrote:

The user who runs the NameNode daemon is considered the de-facto
superuser. The 'hdfs' user runs the NameNode in an installation
typically, and is therefore automatically always a superuser.
On Sat, May 17, 2014 at 1:47 AM, Anurag Tangri wrote:
Hi,
I have integrated HDFS with ldap using :
org.apache.hadoop.security.LdapGroupsMapping

and have a superuser group for users who I want to act as super-users using
property:
dfs.permissions.superusergroup

Everything is working as expected, except that hdfs still acts as super-user
even though I don't have it in AD super-user group.

Does anyone know why ?


Thanks,
Anurag Tangri

--

---
You received this message because you are subscribed to the Google Groups
"CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.


--
Harsh J

--

---
You received this message because you are subscribed to the Google Groups "CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.
--

---
You received this message because you are subscribed to the Google Groups "CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.


--
Harsh J

--

---
You received this message because you are subscribed to the Google Groups "CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.
--

---
You received this message because you are subscribed to the Google Groups "CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.


--
Harsh J

--

---
You received this message because you are subscribed to the Google Groups "CDH Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cdh-user+unsubscribe@cloudera.org.
For more options, visit https://groups.google.com/a/cloudera.org/d/optout.

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 6 of 12 | next ›
Discussion Overview
groupcdh-user @
categorieshadoop
postedMay 16, '14 at 8:17p
activeMay 18, '14 at 4:16a
posts12
users3
websitecloudera.com
irc#hadoop

People

Translate

site design / logo © 2021 Grokbase