Security
Also available as:
PDF
loading table of contents...

Appendix: Creating an HDFS Admin User

To capitalize on the capabilities of HDFS data at rest encryption, you will need two separate types of HDFS administrative accounts:

  • HDFS administrative user: an account in the hdfs supergroup that is used to manage encryption keys and encryption zones. Examples in this chapter use an administrative user account named encr.

  • HDFS service user: the system-level account traditionally associated with HDFS. By default this is user hdfs in HDP. This account owns the HDFS DataNode and NameNode processes.

    [Important]Important

    This is a system-only account. Physical users should not be given access to this account.

Complete the following steps to create a new HDFS administrative user.

Note: These steps use sample values for group (operator) and user account (opt1).

  1. Create a new group called operator.

  2. Add a new user (for example, opt1) to the group.

  3. Add principal opt1@EXAMPLE.COM and create a keytab.

  4. Login as opt1, and do a kinit operation.

  5. In Ambari, replace the current value of dfs.permissions.superusergroup with the group name operator.

  6. In Ambari, add hdfs,operator to dfs.cluster.administrators:

  7. Add opt1 to the KMS blacklist. Set the corresponding property in Ambari:

    hadoop.kms.blacklist.DECRYPT_EEK=opt1

  8. Restart HDFS.

Validation

Make sure the opt1 account has HDFS administrative access:

hdfs dfsadmin -report

Make sure the opt1 account cannot access encrypted files. For example, if /data/test/file.txt is in an encryption zone, the following command should return an error:

hdfs dfs -cat /data/test/file.txt

Additional Administrative User Accounts

If you plan to use HDFS data at rest encryption with YARN, we recommend that you create a separate administrative user account for YARN administration.

If you plan to use HDFS data at rest encryption with Oozie, refer to the Oozie section of this chapter.