[How-To] Use a zone enabled supergroup to manage HDFS for Cloudera

11 April,19 at 11:50 AM

Once a Cloudera cluster is secured, Cloudera uses the Linux group “supergroup” to manage HDFS (Hadoop Distributed File System). Members of supergroup can provision users, de-provision users, set file-system permissions, and so on. Supergroup is configured within the core-site.xml file on each node in the cluster.

 

Typically the Linux admin creates a local group on each node and manually adjusts the membership. Centrify’s zone-enabled Active Directory (AD) group feature makes the set-up and membership of supergroup trivial. Furthermore, different clusters (project A vs. project B, production vs. development) can and should have a different AD group linked to supergroup.

 

Instead of creating and maintaining a local supergroup, you can configure and use a zone-enabled supergroup, as demonstrated here.

 

In our example, we have three Cloudera clusters (cdev1, cprd1 and cqa1) with three corresponding AD supergroups.

 

[Image: AD Super groups.jpg]

 

 

For example, the zone and cluster cprd1 are linked to the AD group unix-cprd1-unixgroup-supergroup. However, from the perspective of a cluster node, unix-cprd1-unixgroup-supergroup is just supergroup with a GID of 2143290519.

 

[Image: AD Enabled Supergroup.jpg]

 

We can see the members of supergroup within AD and from the local Linux system, cprd1n1.

 

[ed@cprd1n1 ~]$ adquery group supergroup

supergroup:x:2143290519:ed,fel,qa.engineer,robertson,roger,satish.

 

 

User ed (a member of supergroup) will create a new HDFS home directory for the user gary. Note: the first attempt failed because the user ed did not have a valid Kerberos ticket, so a kinit was required.

 

[ed@cprd1n1 ~]$ adquery user gary

gary:x:2143290899:2143290899:Gary:/home/gary:/usr/bin/dzsh

[ed@cprd1n1 ~]$ hadoop fs -mkdir /user/gary

15/12/28 03:18:12 WARN security.UserGroupInformation: PriviledgedActionException as:ed (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

15/12/28 03:18:12 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

15/12/28 03:18:12 WARN security.UserGroupInformation: PriviledgedActionException as:ed (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

mkdir: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "cprd1n1.centrifybigdata.net/172.27.9.136"; destination host is: "cprd1n1.centrifybigdata.net":8020;

[ed@cprd1n1 ~]$ kinit

Password for ed@CENTRIFYBIGDATA.NET:

[ed@cprd1n1 ~]$ hadoop fs -mkdir /user/gary

[ed@cprd1n1 ~]$ hadoop fs -chown gary:gary /user/gary
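The session above as a reusable shell function, added here as an example (not Centrify's or Cloudera's code): it checks supergroup membership and a valid Kerberos ticket before running the same hadoop fs commands, so the GSS failure from the first attempt is caught up front. The function names and return codes are hypothetical; it assumes the superuser group is named supergroup and that AD users resolve through getent on the node.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names and return
# codes are hypothetical. Assumes the HDFS superuser group is "supergroup"
# and that AD users resolve through NSS (getent) on the node.
SUPERGROUP="${SUPERGROUP:-supergroup}"

# 0 if the invoking user is a member of the superuser group on this node.
in_supergroup() {
    id -Gn | tr ' ' '\n' | grep -qxF "$SUPERGROUP"
}

# 0 if the credential cache holds an unexpired ticket (klist -s is silent).
has_valid_ticket() {
    klist -s
}

# Create /user/<name> in HDFS and hand it to <name>, as ed does for gary.
provision_hdfs_home() {
    target="$1"
    # Accept plain account names only, so the HDFS path cannot be redirected.
    case "$target" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    if ! getent passwd "$target" >/dev/null; then
        echo "unknown user: $target" >&2; return 3
    fi
    if ! in_supergroup; then
        echo "caller is not a member of $SUPERGROUP" >&2; return 4
    fi
    if ! has_valid_ticket; then
        echo "no valid Kerberos ticket; run kinit first" >&2; return 5
    fi
    hadoop fs -mkdir "/user/$target" || return 6
    hadoop fs -chown "$target:$target" "/user/$target" || return 7
}

# Usage after sourcing this file: provision_hdfs_home gary
```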

 

For more information on supergroup: https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html

and:

http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/cm_sg_hdfs_su_princ_s15.html
