Step 13: Create the HDFS Superuser Principal
To create home directories for users you require access to a superuser account. In HDFS, the user account running the NameNode process (hdfs by default) is a superuser. CDH automatically creates the hdfs superuser account on each cluster host during CDH installation. When you enable Kerberos for the HDFS service, you lose access to the hdfs superuser account via sudo -u hdfs commands. To enable access to the hdfs superuser account when Kerberos is enabled, you must create a Kerberos principal or an AD user whose first or only component is hdfs. Alternatively, you can designate a superuser group, whose members are superusers.
To create the hdfs superuser principal:
If you are using Active DirectoryAdd a new user account to Active Directory, hdfs@EXAMPLE.COM. The password for this account should be set to never expire.
If you are using MIT KDC
kadmin: addprinc hdfs@EXAMPLE.COM
This command prompts you to create a password for the hdfs principal. Use a strong password because this principal provides superuser access to all of the files in HDFS.
$ kinit hdfs@EXAMPLE.COM
Designating a Superuser Group
- Go to the tab.
- In the Search field, type Superuser to display the Superuser Group property.
- Change the value from the default supergroup to the appropriate group name for your environment.
- Click Save Changes.
For this change to take effect, you must restart the cluster.