FusionInsight HD 6.5.0 Administrator Guide 02

Changing the Password for a System Internal User


Changing the Password for the Kerberos Administrator

Scenario

Periodically change the password for the Kerberos administrator kadmin to improve system O&M security.

If the user password is changed, the OMS Kerberos administrator password is changed as well.

Prerequisites

You have installed the client on any node in the cluster and obtained the IP address of the node.

Procedure
  1. Use PuTTY to log in to the node where the client is installed as user root.
  2. Run the following command to go to the client directory, such as /opt/hadoopclient:

    cd /opt/hadoopclient

  3. Run the following command to configure environment variables:

    source bigdata_env

  4. Run the following command to change the password for kadmin/admin. The password change takes effect on all servers.

    kpasswd kadmin/admin

    The password complexity requirements are as follows by default:

    • The password contains at least 8 characters.
    • The password must contain at least four types of the following: lowercase letters, uppercase letters, digits, spaces, and special characters, which can only be ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
    • The password cannot be the same as the username or the reversed username.
    • The password cannot be the same as a password used in the latest N times. N indicates the value of Repetition Rule in Password Policy Configuration.
    NOTE:

Changing the Password for the OMS Kerberos Administrator

Scenario

Periodically change the password for the OMS Kerberos administrator kadmin to improve system O&M security.

If the user password is changed, the Kerberos administrator password is changed as well.

Procedure
  1. Use PuTTY to log in to the management node using the management IP address as user omm.
  2. Run the following command to go to the related directory:

    cd ${BIGDATA_HOME}/om-server/om/meta-0.0.1-SNAPSHOT/kerberos/scripts

  3. Run the following command to configure environment variables:

    source component_env

  4. Run the following command to change the password for kadmin/admin. The password change takes effect on all servers.

    kpasswd kadmin/admin

    The password complexity requirements are as follows by default:

    • The password contains at least 8 characters.
    • The password must contain at least four types of the following: lowercase letters, uppercase letters, digits, and special characters, which can only be ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
    • The password cannot be the same as the username or the reversed username.
    • The password cannot be the same as a password used in the latest N times. N indicates the value of Repetition Rule in Password Policy Configuration.
    NOTE:

Changing the Password for the LDAP Administrator and the LDAP User (Including OMS LDAP)

Scenario

Periodically change the password for the LDAP administrator cn=root,dc=hadoop,dc=com and LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com to improve system O&M security.

If the user password is changed, the password of OMS LDAP administrator and user is changed as well.

NOTE:

If the cluster is upgraded from an early version to a later version, the LDAP administrator password will inherit the password policy of the old cluster. To ensure system security, you are advised to change the password after the cluster upgrade.

Impact on the System
  • All services need to be restarted for the password change to take effect. The services are unavailable during the restart.
  • After the password of LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com is changed, the user may be locked in the LDAP component. Therefore, you are advised to unlock the user after changing the password. For unlock methods, see Unlocking LDAP Users and Management Accounts.
Prerequisites
Before changing the password for the LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com, you have ensured that the user is not locked. To check, run the following command on the active OMS node:

    ldapsearch -H ldaps://<OMS_FLOAT_IP address>:<OLdap port> -LLL -x -D cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -W -b cn=pg_search_dn,ou=Users,dc=hadoop,dc=com -e ppolicy

NOTE:

To obtain the oldap port number:

  1. Log in to FusionInsight Manager and choose System > OMS > oldap > Modify Configuration.
  2. The value of the Ldap Server Port parameter is the oldap port.

Enter the password for the LDAP user pg_search_dn. If the following message is displayed, the user is locked and you need to unlock the user before changing its password. For details on how to unlock a user, see Unlocking LDAP Users and Management Accounts.

    ldap_bind: Invalid credentials (49); Account locked

Procedure
  1. Log in to FusionInsight Manager. Choose Cluster > Service > LdapServer.
  2. Click More > Changed Database Password. In the displayed window, enter the password of the current login administrator user and click OK.
  3. In the Change Password dialog box, select the user whose password you want to change from User Information.

  4. Enter the old password in Old Password and the new password in New Password and Confirm Password.

    The password complexity requirements are as follows:

    • The password ranges from 16 to 32 characters.
    • The password must contain at least three types of the following: lowercase letters, uppercase letters, digits, and special characters, which can only be `~!@#$%^&*()-_=+|[{}];:,<.>/?
    • The password cannot be the same as the username or the reversed username.
    • The password cannot be the same as the previous password.

  5. Select I have read the information and understood the impact., and click OK to confirm the password change and restart the service.

Changing the Password for the LDAP Administrator

Scenario

Periodically change the passwords of LDAP administrator accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com to improve system O&M security. If the user password is changed, the OMS LDAP administrator password is changed as well.

Impact on the System
  1. You need to restart the KrbServer service after changing the password.
  2. After the password is changed, check whether the LDAP management accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com are locked. Run the following command on the active OMS node to check whether krbkdc is locked (the method for krbadmin is similar):

    ldapsearch -H ldaps://<OMS_FLOAT_IP address>:<OLdap port> -LLL -x -D cn=krbkdc,ou=Users,dc=hadoop,dc=com -W -b cn=krbkdc,ou=Users,dc=hadoop,dc=com -e ppolicy

    NOTE:

    To obtain the oldap port number:

    1. Log in to FusionInsight Manager and choose System > OMS > oldap > Modify Configuration.
    2. The value of the LDAP Listening Port parameter is the oldap port.

    Enter the password for the LDAP management account krbkdc. If the following message is displayed, the account is locked. For details on how to unlock the account, see Unlocking LDAP Users and Management Accounts.

    ldap_bind: Invalid credentials (49); Account locked

Prerequisites

You have obtained the active management node IP address.

Procedure
  1. Use PuTTY to log in to the management node using the active management IP address as user omm.
  2. Run the following command to go to the related directory:

    cd ${BIGDATA_HOME}/om-server/om/meta-0.0.1-SNAPSHOT/kerberos/scripts

  3. Run the following command to change the password of the LDAP administrator accounts.

    ./okerberos_modpwd.sh

    Enter the old password and enter a new password twice.

    The password complexity requirements are as follows:

    • The password ranges from 16 to 32 characters.
    • The password must contain at least three types of the following: lowercase letters, uppercase letters, digits, and special characters, which can only be `~!@#$%^&*()-_=+|[{}];:,<.>/?.
    • The password cannot be the same as the previous password.

    If the following information is displayed, the password is changed successfully.

    Modify kerberos server password successfully.

  4. Log in to FusionInsight Manager and choose Cluster > Service > KrbServer > More > Restart. Enter the password and do not select Restart upper-layer services. Click OK to restart the KrbServer service.

Changing the Password for a Component Running User

Scenario

Periodically change the password for each FusionInsight component running user to improve system O&M security.

Component running users can be classified into the following two types depending on whether their initial passwords are randomly generated by the system:
  • If the initial password of a component running user is randomly generated by the system, the user is of the Machine-Machine type.
  • If the initial password of a component running user is not randomly generated by the system, the user is of the Human-machine type.
Impact on the System

All services need to be restarted for the password change to take effect. The services are unavailable during the restart.

Prerequisites

You have installed the client on any node in the cluster and obtained the IP address of the node.

Procedure
  1. Use PuTTY to log in to the node where the client is installed as user root.
  2. Run the following command to go to the client directory, such as /opt/hadoopclient:

    cd /opt/hadoopclient

  3. Run the following command to configure environment variables:

    source bigdata_env

  4. Run the following command to log in to the console using kadmin/admin:

    kadmin -p kadmin/admin

  5. Run the following command to change the password of an internal system user. The password change takes effect on all servers.

    cpw internal system username

    For example: cpw oms/manager

    The password complexity requirements are as follows by default:

    • The password contains at least 8 characters.
    • The password must contain at least four types of the following: lowercase letters, uppercase letters, digits, spaces, and special characters, which can only be ~`!?,.:;-_'(){}[]/<>@#$%^&*+|\=.
    • The password cannot be the same as the username or the reversed username.
    • The password cannot be the same as a password used in the latest N times. N indicates the value of Repetition Rule in Password Policy Configuration. The policy affects only users of the Human-machine type.
    NOTE:

    Run the following command to check user information:

    getprinc internal system username

    For example: getprinc oms/manager

  6. Determine the type of the user whose password needs to be changed.

    • If the user is a Machine-Machine user, perform Step 7.
    • If the user is a Human-machine user, the password is changed and no further action is required.

  7. Log in to FusionInsight Manager.
  8. On FusionInsight Manager, choose Homepage > More > Restart.
  9. In the displayed window, enter the password of the current login administrator user and click OK.
  10. In the displayed dialog box, click OK to restart the cluster.
  11. After the system displays "Operation succeeded", click Finish. The cluster is successfully started.
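
The default complexity rules listed in the procedures above (the 8-character Kerberos policy for kpasswd and cpw, and the 16 to 32 character LDAP policy) can be pre-checked before a change window. The following is an added example, not part of this guide or the product: `Policy`, `KERBEROS_DEFAULT`, `LDAP_ADMIN` and `violations` are hypothetical names, and the exact, case-sensitive username comparison is an assumption. The OMS variant that does not list spaces and the Repetition Rule history are not modelled; the server enforces those.

```python
import string
from dataclasses import dataclass
from typing import Optional

# Special-character sets copied from the policy lists on this page.
KRB_SPECIALS = "~`!?,.:;-_'(){}[]/<>@#$%^&*+|\\="
LDAP_SPECIALS = "`~!@#$%^&*()-_=+|[{}];:,<.>/?"


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: Optional[int]
    min_classes: int
    specials: str
    space_is_class: bool


# Hypothetical names for the two default policies the page describes.
KERBEROS_DEFAULT = Policy(8, None, 4, KRB_SPECIALS, True)
LDAP_ADMIN = Policy(16, 32, 3, LDAP_SPECIALS, False)


def violations(pw: str, user: str, policy: Policy,
               old_pw: Optional[str] = None) -> list:
    """Return the policy rules that pw breaks (an empty list means it passes)."""
    found = []
    if len(pw) < policy.min_len:
        found.append("too short")
    if policy.max_len is not None and len(pw) > policy.max_len:
        found.append("too long")
    classes = {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "special": policy.specials,
    }
    if policy.space_is_class:
        classes["space"] = " "
    allowed = "".join(classes.values())
    if any(ch not in allowed for ch in pw):
        found.append("character outside the allowed set")
    used = sum(1 for chars in classes.values() if any(ch in chars for ch in pw))
    if used < policy.min_classes:
        found.append("too few character types")
    # Assumption: exact, case-sensitive match; the page does not specify.
    if pw in (user, user[::-1]):
        found.append("same as username or reversed username")
    if old_pw is not None and pw == old_pw:
        found.append("same as previous password")
    return found
```

Read the candidate with `getpass.getpass()` rather than passing it as a command-line argument, so it does not end up in shell history or the process list.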
Updated: 2019-05-17

Document ID: EDOC1100074522
