Step 5: Create the HDFS Superuser

To be able to create home directories for users, you will need access to the HDFS superuser account. (CDH automatically created the HDFS superuser account on each cluster host during CDH installation.) When you enabled Kerberos for the HDFS service, you lost access to the default HDFS superuser account using sudo -u hdfs commands. Cloudera recommends you use a different user account as the superuser, not the default hdfs account.

Designating a Non-Default Superuser Group

To designate a different group of superusers instead of using the default hdfs account, follow these steps:

  1. Go to the Cloudera Manager Admin Console and navigate to the HDFS service.
  2. Click the Configuration tab.
  3. Select Scope > HDFS (Service-Wide).
  4. Select Category > Security.
  5. Locate the Superuser Group property and change the value to the appropriate group name for your environment. For example, <superuser>.
  6. Enter a Reason for change, and then click Save Changes to commit the changes.
  7. Restart the HDFS service.

    To enable your access to the superuser account now that Kerberos is enabled, you must now create a Kerberos principal or an Active Directory user whose first component is <superuser>:

If you are using Active Directory

Add a new user account to Active Directory, <superuser>@YOUR-REALM.COM. The password for this account should be set to never expire.

If you are using MIT KDC

  1. In the kadmin.local or kadmin shell, type the following command to create a Kerberos principal called <superuser>:
    kadmin:  addprinc <superuser>@YOUR-LOCAL-REALM.COM
    This command prompts you to create a password for the <superuser> principal. You should use a strong password because having access to this principal provides superuser access to all of the files in HDFS.
  2. To run commands as the HDFS superuser, you must obtain Kerberos credentials for the <superuser> principal. To do so, run the following command and provide the appropriate password when prompted.
    kinit <superuser>@YOUR-LOCAL-REALM.COM

If you are using Red Hat IdM/FreeIPA

  1. On the Identity > Users page, click the Add button.
  2. Specify the superuser principal name in the User login field, complete the remaining fields, and then click Add.