Step 13: Create the HDFS Superuser Principal

To create home directories for users you require access to a superuser account. In HDFS, the user account running the NameNode process (hdfs by default) is a superuser. CDH automatically creates the hdfs superuser account on each cluster host during CDH installation. When you enable Kerberos for the HDFS service, you lose access to the hdfs superuser account via sudo -u hdfs commands. To enable access to the hdfs superuser account when Kerberos is enabled, you must create a Kerberos principal or an AD user whose first or only component is hdfs. Alternatively, you can designate a superuser group, whose members are superusers.

To create the hdfs superuser principal:

If you are using Active Directory

Add a new user account to Active Directory, hdfs@EXAMPLE.COM. The password for this account should be set to never expire.

If you are using MIT KDC

In the kadmin.local or kadmin shell, type the following command to create a Kerberos principal named hdfs:
kadmin:  addprinc hdfs@EXAMPLE.COM

This command prompts you to create a password for the hdfs principal. Use a strong password because this principal provides superuser access to all of the files in HDFS.

To run commands as the hdfs superuser, you must obtain Kerberos credentials for the hdfs principal. To do so, run the following command and provide the password:
$ kinit hdfs@EXAMPLE.COM

Designating a Superuser Group

To designate a group of superusers instead of using the default hdfs account, follow these steps:
  1. Go to the HDFS Service > Configuration tab.
  2. In the Search field, type Superuser to display the Superuser Group property.
  3. Change the value from the default supergroup to the appropriate group name for your environment.
  4. Click Save Changes.

For this change to take effect, you must restart the cluster.