Permission Requirements for Package-based Installations and Upgrades of CDH

The following sections describe the permission requirements for package-based installation and upgrades of CDH with and without Cloudera Manager. The permission requirements are not controlled by Cloudera but result from standard UNIX system requirements for the installation and management of packages and running services.

Permission Requirements for Package-Based CDH Installation with Cloudera Manager

Permission Requirements with Cloudera Manager
Task Permissions Required
Install Cloudera Manager (using cloudera-manager-installer.bin) root or sudo access on a single host
Manually start/stop/restart the Cloudera Manager Server (that is, log onto the host running Cloudera Manager and execute: service cloudera-scm-server action) root or sudo
Run Cloudera Manager Server. cloudera-scm
Install CDH components through Cloudera Manager. One of the following, configured during initial installation of Cloudera Manager:
  • Direct access to root user using the root password.
  • Direct access to root user using a SSH key file.
  • Passwordless sudo access for a specific user. This is the same requirement as the installation of CDH components on individual hosts, which is a requirement of the UNIX system in general.
You cannot use another system (such as PowerBroker) that provides root/sudo privileges.
Install the Cloudera Manager Agent through Cloudera Manager. One of the following, configured during initial installation of Cloudera Manager:
  • Direct access to root user using the root password.
  • Direct access to root user using a SSH key file.
  • Passwordless sudo access for a specific user. This is the same requirement as the installation of CDH components on individual hosts, which is a requirement of the UNIX system in general.
You cannot use another system (such as PowerBroker) that provides root/sudo privileges.
Run the Cloudera Manager Agent. If single user mode is not enabled, access to the root account during runtime, through one of the following scenarios:
  • During Cloudera Manager and CDH installation, the Agent is automatically started if installation is successful. It is then started using one of the following, as configured during the initial installation of Cloudera Manager:
    • Direct access to root user using the root password
    • Direct access to root user using a SSH key file
    • Passwordless sudo access for a specific user
    Using another system (such as PowerBroker) that provides root/sudo privileges is not acceptable.
  • Through automatic startup during system boot, using init.
Manually start/stop/restart the Cloudera Manager Agent process. If single user mode is not enabled, root or sudo access.

This permission requirement ensures that services managed by the Cloudera Manager Agent assume the appropriate user (that is, the HDFS service assumes the hdfs user) for correct privileges. Any action request for a CDH service managed within Cloudera Manager does not require root or sudo access, because the action is handled by the Cloudera Manager Agent, which is already running under the root user.

Permission Requirements for Package-Based CDH Installation without Cloudera Manager

Permission Requirements without Cloudera Manager
Task Permissions Required
Install CDH products. root or sudo access for the installation of any RPM-based package during the time of installation and service startup/shut down. Passwordless SSH under the root user is not required for the installation (SSH root keys).
Upgrade a previously installed CDH package. root or sudo access. Passwordless SSH under the root user is not required for the upgrade process (SSH root keys).
Manually install or upgrade hosts in a CDH ready cluster. Passwordless SSH as root (SSH root keys), so that scripts can be used to help manage the CDH package and configuration across the cluster.
Change the CDH package (for example: RPM upgrades, configuration changes the require CDH service restarts, addition of CDH services). root or sudo access to restart any host impacted by this change, which could cause a restart of a given service on each host in the cluster.
Start/stop/restart a CDH service. root or sudo according to UNIX standards.

sudo Commands Run by Cloudera Manager

The sudo commands are:
  • yum (Red Hat/CentOS/Oracle)
  • zypper (SLES)
  • apt-get (Debian/Ubuntu)
  • apt-key (Debian/Ubuntu)
  • sed
  • service
  • /sbin/chkconfig (Red Hat/CentOS/Oracle)
  • /usr/sbin/update-rc.d (Debian/Ubuntu)
  • id
  • rm
  • mv
  • chown
  • install