FusionInsight HD 6.5.0 Administrator Guide 02

Managing Users

Creating a User

Scenarios

FusionInsight Manager supports a maximum of 10000 users (including built-in users). By default, only user admin has the highest operation rights of FusionInsight Manager. You need to create users on FusionInsight Manager and assign operation rights to them based on site requirements.

Prerequisites

You have learned service requirements and created roles required by service scenarios.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. On the user list page, click Create User.
  4. Set Username. Enter 3 to 20 characters, including digits, letters, hyphens (-), and underscores (_). The username is case insensitive. It cannot start with a hyphen (-) and cannot be the same as a username that already exists in the system or OS.
  5. Set User Type to either Human-Machine or Machine-Machine.

    • Human-Machine user: used in scenarios such as FusionInsight Manager O&M and component operations on a client. If you select this user type, you need to enter a password and confirm the password in Password and Confirm Password accordingly.
    • Machine-Machine user: used for component development. If you select this user type, you do not need to enter a password, because the password is randomly generated.

  6. In the User Group area, click Add to add one or more user groups to the list as required.

    NOTE:
    • If the selected user group is bound to a role, the user obtains the rights of the role.
    • After FusionInsight Manager is installed, some user groups generated by default have special permissions. Select a correct user group based on the user group description on the GUI.
    • If existing user groups cannot be used, click Create User Group to create a user group. For details, see Adding a User Group.

  7. In the Primary Group drop-down list, select the group that the user will use as the primary group when creating directories and files.

    The drop-down list contains all the groups added to the User Group area.

  8. In the Role area, click Add to bind a role for each user.

    NOTE:
    • When you create a user, if permissions of a user group that is granted to the user cannot meet service requirements, you can assign other created roles to the user. The role and rights assignment takes effect about 3 minutes later. If the rights obtained from the user group meet the requirements, you do not need to add a role.
    • If the user is not added to a user group, or no role is configured for the user, no information is displayed after the user logs in to FusionInsight Manager.
    • Adding a role when you create a user lets you specify the user's rights.
    • If an existing role cannot be used, click Create Role to create a role. For details, see Adding a Role.

  9. Enter information in the Description text box as required.
  10. Click OK.

    The user is created.

Modifying User Information

Scenarios

You can modify user information on FusionInsight Manager, including the user group, primary group, role permission assignment, and user description.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user whose information needs to be modified, and click Modify.

    Modify the parameters based on site requirements.

    NOTE:

    Changing the user group of a user or modifying the role rights of a user takes effect within 3 minutes after the operation is performed.

  4. Click OK.

Exporting User Information

Scenarios

You can export information about created users on FusionInsight Manager.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Click Export All to export all user information at a time.

    User information contains the following fields: username, creation time, description, user type (0 indicates a Human-Machine account, 1 indicates a Machine-Machine account), primary group, user group list, and the roles bound to the user.

  4. In the Save Type drop-down list, select TXT or CSV. Click Export.
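The exported file can be used for a periodic access review. The following is an added example, not Huawei code: it reads a CSV export and reports accounts that carry no rights or whose primary group is not among their user groups. The column names, the ";" list separator, and the sample rows are assumptions constructed for illustration; the page names only the fields and the 0/1 user type encoding.

```python
# Added example (not Huawei code): access review over a CSV saved with Export All.
import csv
import io

# Constructed sample. Column names and the ";" list separator are assumptions.
SAMPLE_EXPORT = """\
Username,Creation Time,Description,User Type,Primary Group,User Group List,Roles
admin,2019-01-02 08:00:00,default administrator,0,grp_admin,grp_admin;grp_ops,role_admin
etl_svc,2019-03-01 10:30:00,nightly load,1,grp_etl,grp_etl;grp_hive,
jdoe,2019-04-15 14:20:00,,0,,,
asmith,2019-04-20 09:05:00,analyst,0,grp_hive,grp_ops,
"""

# User type encoding as documented on this page.
USER_TYPES = {"0": "Human-Machine", "1": "Machine-Machine"}


def review_export(text, sep=";"):
    """Return {username: [findings]} for rows that need an administrator's attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = [g for g in row["User Group List"].split(sep) if g]
        roles = [r for r in row["Roles"].split(sep) if r]
        notes = []
        if row["User Type"] not in USER_TYPES:
            notes.append("unknown user type %r" % row["User Type"])
        if not groups and not roles:
            # Rights come from group-bound roles or directly bound roles.
            notes.append("no user group and no role")
        if row["Primary Group"] and row["Primary Group"] not in groups:
            # The Primary Group list only offers groups added to the user.
            notes.append("primary group not in user group list")
        if notes:
            findings[row["Username"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in review_export(SAMPLE_EXPORT).items():
        print(user, "->", "; ".join(notes))
```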

Locking a User

Scenarios

Users may be suspended for a long time due to service changes. For security purposes, you can lock such users.

You can lock a user by using either of the following methods:

  • Automatic lock: You can set the number of consecutive incorrect password attempts in the password policy to lock the users who fail to log in to the system for a specified number of times. For details, see Configuring Password Policies.
  • Manual lock: You manually lock a user.

This section describes how to lock the account manually. Machine-Machine users cannot be locked.

Impact on the System

After a user is locked, the user cannot log in to FusionInsight Manager or perform identity authentication in the cluster again. The locked user can be used only after you manually unlock the user or the lock time expires.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user to be locked, and click Lock.
  4. In the displayed dialog box, select I have read the information and understand the impact., and click OK.

Unlocking a User

Scenarios

You can unlock a user on FusionInsight Manager if the user is locked after the number of login attempts using incorrect passwords exceeds the threshold. Only users created on FusionInsight Manager can be unlocked.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user to be unlocked, and click Unlock.
  4. In the displayed dialog box, select I have read the information and understand the impact., and click OK.

Deleting a User

Scenarios

Based on service requirements, you need to delete system users that are no longer used on FusionInsight Manager.

NOTE:
  • After a user is deleted, a ticket-granting ticket (TGT) already issued to that user is still valid within 24 hours. The user can still use the TGT for security authentication and access the system.
  • If the name of a new user is the same as that of a deleted user, all owner rights of the deleted user are inherited. You are advised to determine whether to delete the resources owned by the user based on site requirements, for example, files in the HDFS.
  • The default user admin cannot be deleted.
Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user to be deleted, choose More > Delete.

    NOTE:

    To delete multiple users in batches, select the users to be deleted and click Delete.

  4. In the displayed dialog box, click OK.
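Because a new user with the same name inherits the owner rights of a deleted user, it helps to know what a deleted account still owns before its name is reused. The following is an added example, not Huawei code: it scans saved output of hdfs dfs -ls -R for paths owned by deleted usernames. The sample listing is constructed, and matching owners case-insensitively is a conservative assumption.

```python
# Added example (not Huawei code): list HDFS paths still owned by deleted
# accounts, from saved `hdfs dfs -ls -R` output, before a username is reused.
from collections import defaultdict

# Constructed sample listing; a real one would come from `hdfs dfs -ls -R /`.
SAMPLE_LISTING = """\
Found 2 items
drwxr-xr-x   - test1  hadoop          0 2019-05-10 09:12 /user/test1
-rw-r-----   3 test1  hadoop       2048 2019-05-10 09:15 /user/test1/report 2019.csv
drwxrwx---   - hive   hive            0 2019-05-11 10:00 /user/hive/warehouse
-rw-r--r--   3 Test1  supergroup    512 2019-05-12 11:30 /tmp/export.txt
"""


def owned_paths(listing, deleted_users):
    """Map each deleted username to the paths it still owns in the listing."""
    # Assumption: compare in lower case, since Manager usernames are case insensitive.
    wanted = {u.lower() for u in deleted_users}
    hits = defaultdict(list)
    for line in listing.splitlines():
        # Columns: perms, replication, owner, group, size, date, time, path.
        fields = line.split(None, 7)
        if len(fields) < 8 or fields[0][0] not in "-dl":
            continue  # skip "Found N items" and other non-entry lines
        owner, path = fields[2].lower(), fields[7]
        if owner in wanted:
            hits[owner].append(path)
    return dict(hits)


if __name__ == "__main__":
    for user, paths in owned_paths(SAMPLE_LISTING, ["test1"]).items():
        print(user, "still owns:")
        for p in paths:
            print("  ", p)
```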

Changing a User Password

Scenarios

For security purposes, the password of a Human-Machine user must be changed periodically.

If users have the permission to use FusionInsight Manager, they can change their password on FusionInsight Manager.

If users do not have the permission to use FusionInsight Manager, they can change their passwords on the client.

Prerequisites
  • Users have obtained the current password policies from the administrator.
  • Users have installed the client on any node in the cluster and obtained the IP address of the node. Contact the administrator to obtain the password of the client installation user.
Changing Passwords Using FusionInsight Manager
  1. Log in to FusionInsight Manager.
  2. Move the cursor to the username in the upper right corner of the page.

    In the displayed dialog box, click Password changed.

  3. On the displayed page, set Old Password, New Password, and Confirm Password, and click OK.

    By default, the password must meet the following complexity requirements:

    • It must contain at least eight characters.
    • The password must contain at least four types of the following characters: Uppercase letters, lowercase letters, digits, spaces, and special characters. The following special characters are supported: `~!@#$%^&*()-_=+|[{}];:',<.>/\?
    • It must be different from the username or its reverse.
    • It cannot be the same as the password used in the latest N times. N is the value of Repetition Rule in Configuring Password Policies.

Changing a Password on the Client
  1. Use PuTTY to log in to the node where the client is installed as the client installation user.
  2. Run the following command to switch to the client directory, for example, /opt/hadoopclient:

    cd /opt/hadoopclient

  3. Run the following command to configure environment variables:

    source bigdata_env

  4. Run the following command to change the password of a system user. This operation takes effect for all servers.

    kpasswd System user name

    For example, if you want to change the password of system user test1, run the kpasswd test1 command.

    By default, the password must meet the following complexity requirements:

    • It must contain at least eight characters.
    • The password must contain at least four types of the following characters: Uppercase letters, lowercase letters, digits, spaces, and special characters. The following special characters are supported: `~!@#$%^&*()-_=+|[{}];:',<.>/\?
    • It must be different from the username or its reverse.
    • It cannot be the same as the password used in the latest N times. N is the value of Repetition Rule in Configuring Password Policies.
    NOTE:

    If an error occurs during the running of the kpasswd command, try the following operations:

    • Stop the SSH session and start it again.
    • Run the kdestroy command and then run the kpasswd command again.

Initializing a Password

Scenarios

If a user forgets the password or the public account password needs to be changed periodically, you can initialize the password on FusionInsight Manager. After the password is initialized, the system user needs to change the password upon first login.

NOTE:

This operation applies only to Human-Machine users. For the initial passwords of Machine-Machine users, see the description about Kerberos in FusionInsight HD Shell O&M Commands. Change the passwords according to the kadmin and cpw command description.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user to be initialized, choose More > Initialize Password. In the displayed dialog box, enter the password of the current login administrator user and click OK. In the displayed confirmation dialog box, click OK.
  4. Enter a password and confirm the password in New Password and Confirm Password accordingly. Click OK.

    By default, the password must meet the following complexity requirements:

    • It must contain at least eight characters.
    • The password must contain at least four types of the following characters: Uppercase letters, lowercase letters, digits, spaces, and special characters. The following special characters are supported: `~!@#$%^&*()-_=+|[{}];:',<.>/\?
    • It must be different from the username or its reverse.
    • It cannot be the same as the password used in the latest N times. N is the value of Repetition Rule in Configuring Password Policies.
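The default complexity rules listed here and under Changing a User Password can be checked before a password is submitted. The following is an added example, not Huawei code: an offline pre-check of the length, character type, and username rules. It cannot check the Repetition Rule, which depends on password history held by the system. Rejecting characters outside the listed set and comparing with the username case-insensitively are assumptions on the strict side.

```python
# Added example (not Huawei code): offline pre-check for the default
# password complexity rules quoted on this page.
SPECIAL = set("`~!@#$%^&*()-_=+|[{}];:',<.>/\\?")  # special characters listed on the page
MIN_LENGTH = 8
MIN_CLASSES = 4  # "at least four types" out of the five classes below


def char_class(ch):
    """Map one character to its class name, or None if the page does not list it."""
    if ch == " ":
        return "space"
    if ch in SPECIAL:
        return "special"
    if ch.isascii() and ch.isupper():
        return "upper"
    if ch.isascii() and ch.islower():
        return "lower"
    if ch.isascii() and ch.isdigit():
        return "digit"
    return None


def check_password(username, password):
    """Return a list of rule violations; an empty list means the pre-check passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = {char_class(c) for c in password}
    if None in classes:
        # Assumption: characters outside the listed classes are rejected.
        problems.append("contains a character outside the supported set")
    if len(classes - {None}) < MIN_CLASSES:
        problems.append("fewer than four character types")
    # Assumption: compare case-insensitively, the stricter reading of the rule.
    name = username.lower()
    if password.lower() in (name, name[::-1]):
        problems.append("same as the username or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("test1", "Abcd123!"), ("test1", "abcd1234")]:
        print(user, repr(pw), check_password(user, pw) or "ok")
```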

Exporting an Authentication Credential File

Scenarios

If a user uses a security mode cluster to develop applications, the keytab file of the user needs to be obtained for security authentication. You can export keytab files on FusionInsight Manager. For details about the security authentication for application development, see the Application Development Guide.

NOTE:

After a user password is changed, the exported keytab file becomes invalid, and you need to export a keytab file again.

Prerequisites

Before downloading the keytab file of a Human-Machine user, the password of the user must be changed at least once on the Manager portal or a client. Otherwise, the downloaded keytab file cannot be used. For details, see Changing a User Password.

Procedure
  1. Log in to FusionInsight Manager.
  2. Choose System > Permission > User.
  3. Locate the row that contains the user whose keytab file needs to be exported, choose More > Download Authentication Credential, specify the save path after the file is automatically generated, and store the file securely.

    After the authentication credential file is decompressed, you can obtain the following two files:

    • The krb5.conf file contains the authentication service connection information.
    • The user.keytab file contains user authentication information.

Updated: 2019-05-17

Document ID: EDOC1100074522
