FusionInsight HD 6.5.0 Administrator Guide 02
Account Security Settings

Adding a Component Super Administrator

Scenario

In the current version, the admin user no longer has administrator rights for each component. To grant a user administrator rights for a component, the system administrator must manually create a role, authorize it, and bind it to the user.

NOTE:
  • If you upgrade from the previous version of V100R002C60U20 to the current version, the admin user inherits the rights of the earlier version. That is, the user has the administrator rights for components.
  • Exercise caution when using the component administrator rights.
  • This section describes how to add roles with administrator rights for each component. To add roles with other rights for each component, see the Service Operation Guide.
Prerequisites
  • The service requirements have been specified to the system administrator.
  • A service user, for example user1, has been created.
Procedure
  1. Log in to the FusionInsight Manager portal and choose System > Permission > Role.
  2. Click Create Role. In Role Name and Description, enter the role name and description, for example, role1.
  3. Assign rights to the role in Configure Resource Permission. For details, see Table 14-3.

    Table 14-3 Assigning rights to a role

    Rights | Role Authorization
    HBase administrator rights | In Configure Resource Permission, click HBase, and select SUPER_USER_GROUP.
    Hive administrator rights | In Configure Resource Permission, click Hive, and select Hive Admin Privilege.
    Oozie administrator rights | In Configure Resource Permission, click Oozie, and select Admin Privilege.
    Loader administrator rights | In Configure Resource Permission, click Loader, and select Admin.
    Metadata administrator rights | In Configure Resource Permission, click Metadata, and select Admin.
    Solr administrator rights | In Configure Resource Permission, click Solr, and select SUPER_USER_GROUP.
    Redis resource management rights | In Configure Resource Permission, choose Redis > Redis Access Manage. In the rights column of the specified Redis resource, select the appropriate rights.
    Storage policy administrator rights | In Configure Resource Permission, click Hue, and select Storage Policy Admin.
    Read, write, and grant permission on HDFS directories or files | In Configure Resource Permission, click HDFS > File System, locate the path of the specified directory or file in HDFS, and select the rights.
    Yarn administrator rights | In Configure Resource Permission, click Yarn, and select Cluster Admin Operations. NOTE: The Yarn service must be restarted for the saved role configuration to take effect.
    HDFS administrator rights | In Configure Resource Permission, click HDFS, and select Cluster Admin Operations. NOTE: The setting takes effect after the HDFS service is restarted.

  4. Click OK. The Role page is displayed.
  5. Choose System > Permission > User. Click the modify button next to user1, then click Add next to Role to bind the user to role1.

    NOTE:
    • A user can obtain the administrator rights for all services in the cluster by binding the user to the System_administrator role.
    • After being bound to the role, the user has the management and control permissions for all services in the cluster. Exercise caution when binding the role.
    • Assigning a user the read, write, and execute permissions for HDFS directories and files does not mean that the user can access the following modules of the HDFS WebUI: Overview, DataNodes, Datanode Volume Failures, and Snapshot. To enable the user to access the modules, bind the user to the System_administrator role.

  6. Click OK.

Unlocking LDAP Users and Management Accounts

Scenario

If the LDAP user cn=pg_search_dn,ou=Users,dc=hadoop,dc=com and LDAP management accounts cn=krbkdc,ou=Users,dc=hadoop,dc=com and cn=krbadmin,ou=Users,dc=hadoop,dc=com are locked, the administrator must unlock these accounts.

NOTE:

If you input an incorrect password for the LDAP user or management account for five consecutive times, the LDAP user or management account is locked. The account is automatically unlocked after 5 minutes.

Procedure
  1. Use PuTTY to log in to the active management node as user omm using the management IP address.
  2. Run the following command to switch the specified directory:

    cd ${BIGDATA_HOME}/om-server/om/ldapserver/ldapserver/local/script

  3. Run the following command to unlock the LDAP user or management account:

    ./ldapserver_unlockUsers.sh USER_NAME ROOT_DN_PASSWORD USER_PASSWORD

    In the command, USER_NAME is the name of the user to be unlocked, ROOT_DN_PASSWORD is the password of the LDAP user root, and USER_PASSWORD is the password of the user to be unlocked. For example, to unlock the LDAP management account cn=krbkdc,ou=Users,dc=hadoop,dc=com, run the following command:

    ./ldapserver_unlockUsers.sh krbkdc LdapChangeMe@123 LdapChangeMe@123

    If the following information is displayed, the account is successfully unlocked.

    Unlock user krbkdc successfully.

Unlocking an Internal System User

Scenario

If the service is abnormal, the internal user of the system may be locked. Please unlock the user promptly. Otherwise, the proper running of the cluster will be affected. For the list of system internal users, see User Information Overview. The internal user of the system cannot be unlocked using FusionInsight Manager.

Prerequisites

Obtain the default password of the LDAP administrator cn=root,dc=hadoop,dc=com from the user list in User Information Overview.

Procedure
  1. Confirm whether the internal system user is locked as follows:

    1. Obtain the oldap port number:
      1. Log in to FusionInsight Manager and choose System > OMS > oldap > Modify Configuration.
      2. The value of the LDAP Listening Port parameter is the oldap port.
    2. Obtain the domain name:
      1. Log in to FusionInsight Manager and choose Cluster > Service > KrbServer > Configuration.
      2. Click All Configurations.
      3. Choose KerberosServer > Realm. The value of the default_realm parameter is the domain name.
    3. Run the following command to query the number of password authentication failures:

      ldapsearch -H ldaps://<OMS_FLOAT_IP>:<oldap port> -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=<internal system username>@<domain name>,cn=<domain name>,cn=krbcontainer,dc=hadoop,dc=com -w <password of LDAP administrator cn=root,dc=hadoop,dc=com> -e ppolicy | grep krbLoginFailedCount

      For example, to query the number of password authentication failures for user oms/manager:

      ldapsearch -H ldaps://10.5.146.118:21750 -LLL -x -D cn=root,dc=hadoop,dc=com -b krbPrincipalName=oms/manager@HADOOP.COM,cn=HADOOP.COM,cn=krbcontainer,dc=hadoop,dc=com -w LdapChangeMe@123 -e ppolicy | grep krbLoginFailedCount

      krbLoginFailedCount: 5
    4. Log in to FusionInsight Manager and choose System > Permission > Security Policy > Password Policy.
    5. View the value of the Number of Password Retries parameter. If it is smaller than or equal to krbLoginFailedCount, the user is locked.
      NOTE:

      You can also check whether internal users are locked by viewing operations logs.

  2. Log in to the active management node as user omm and run the following command to unlock the user:

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName <internal system username>

    For example:

    sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName oms/manager
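The lock check in step 1 compares krbLoginFailedCount with the configured Number of Password Retries. The following shell script is an added example, not part of the guide, that turns that comparison into a repeatable check: it builds the search base DN the way the ldapsearch command above forms it, parses krbLoginFailedCount out of the query output, applies the "limit <= count means locked" rule, and prints the unlock command from step 2. The LDAP suffix dc=hadoop,dc=com, the krbcontainer layout and the unlockuser.sh path are from the page; the function names, the sample query output and the retry limit of 5 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the FusionInsight guide): decide whether an internal
# user is locked from the output of the ldapsearch query in the procedure,
# by comparing krbLoginFailedCount with "Number of Password Retries".

# Build the search base DN for an internal user in a given realm, exactly as
# the -b argument of the guide's ldapsearch command is formed.
krb_base_dn() {
    user="$1"; realm="$2"
    printf 'krbPrincipalName=%s@%s,cn=%s,cn=krbcontainer,dc=hadoop,dc=com\n' \
        "$user" "$realm" "$realm"
}

# Print the query command for an operator to run. The root DN password is
# taken from the LDAP_ROOT_PW environment variable instead of being typed
# on the command line, so it does not end up in shell history.
ldap_query_cmd() {
    oms_ip="$1"; port="$2"; user="$3"; realm="$4"
    printf 'ldapsearch -H ldaps://%s:%s -LLL -x -D cn=root,dc=hadoop,dc=com -b %s -w "$LDAP_ROOT_PW" -e ppolicy | grep krbLoginFailedCount\n' \
        "$oms_ip" "$port" "$(krb_base_dn "$user" "$realm")"
}

# Extract krbLoginFailedCount from ldapsearch output read on stdin.
# Prints 0 when the attribute is absent (no failures recorded by ppolicy).
failed_count() {
    n=$(sed -n 's/^krbLoginFailedCount: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# is_locked COUNT RETRIES -> exit 0 (locked) when RETRIES <= COUNT,
# which is the rule stated in step 1.5 of the procedure.
is_locked() {
    [ "$1" -ge "$2" ]
}

# Report for one user and print the unlock command from step 2 if needed.
report() {
    user="$1"; retries="$2"; output="$3"
    count=$(printf '%s\n' "$output" | failed_count)
    if is_locked "$count" "$retries"; then
        printf 'locked (krbLoginFailedCount=%s, limit=%s); run as omm:\n' "$count" "$retries"
        printf 'sh ${BIGDATA_HOME}/om-server/om/share/om/acs/config/unlockuser.sh --userName %s\n' "$user"
    else
        printf 'unlocked (krbLoginFailedCount=%s, limit=%s)\n' "$count" "$retries"
    fi
}

# Constructed sample: what the query returns for a locked user.
SAMPLE_LOCKED='dn: krbPrincipalName=oms/manager@HADOOP.COM,cn=HADOOP.COM,cn=krbcontainer,dc=hadoop,dc=com
krbLoginFailedCount: 5'

ldap_query_cmd 10.5.146.118 21750 oms/manager HADOOP.COM
report oms/manager 5 "$SAMPLE_LOCKED"
```

On a live node, pipe the real ldapsearch output into `failed_count` instead of the sample; the retry limit is the Number of Password Retries value read from the Password Policy page.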

Enabling and Disabling Permission Verification on Cluster Components

Scenario

When the cluster is deployed in Security Mode or Normal Mode, HDFS and ZooKeeper verify the permission of users who attempt to access the services by default. Users without related permission cannot access resources in HDFS and ZooKeeper. When the cluster is deployed in Normal Mode, HBase and YARN do not verify the permission of users who attempt to access the services by default. All users can access resources in HBase and YARN.

Based on actual service requirements, the system administrator can enable permission verification on HBase and YARN in the cluster in Normal Mode or disable permission verification on HDFS and ZooKeeper.

Impact on the System

After the permission verification is modified, the service configuration will expire. You need to restart the corresponding service for the configuration to take effect.

Procedure

Enable permission verification on HBase.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Service > HBase > Configuration.
  3. Click All Configurations.
  4. Search for parameters hbase.coprocessor.region.classes, hbase.coprocessor.master.classes, and hbase.coprocessor.regionserver.classes.

    Add the coprocessor parameter value org.apache.hadoop.hbase.security.access.AccessController to the end of the values of the preceding parameters, and separate the value from the original coprocessor parameter values by using a comma (,).

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.

Disable permission verification on HBase.
NOTE:

After HBase permission verification is disabled, the existing permission data will be retained. If you want to delete permission information, disable permission verification, enter the HBase shell, and delete table hbase:acl.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Service > HBase > Configuration.
  3. Click All Configurations.
  4. Search for parameters hbase.coprocessor.region.classes, hbase.coprocessor.master.classes, and hbase.coprocessor.regionserver.classes.

    Delete the coprocessor parameter value org.apache.hadoop.hbase.security.access.AccessController.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.
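Both HBase procedures edit the same comma-separated coprocessor lists, appending org.apache.hadoop.hbase.security.access.AccessController to enable verification and deleting it to disable verification. The following shell helpers are an added example, not code from the guide or from HBase, that perform those two edits on a value string without duplicating the class when it is already present and without leaving stray commas when it is removed; the edited value is still applied to hbase.coprocessor.region.classes, hbase.coprocessor.master.classes and hbase.coprocessor.regionserver.classes in Manager. The function names and the sample coprocessor class names are constructed.

```shell
#!/bin/sh
# Added example (not from the FusionInsight guide): idempotent add/remove of
# the AccessController class in an HBase coprocessor list value.

ACCESS_CONTROLLER='org.apache.hadoop.hbase.security.access.AccessController'

# has_class LIST CLASS -> exit 0 when CLASS is an element of the comma list.
# Surrounding the list with commas makes this an exact-element match, so a
# class whose name merely ends with CLASS does not count.
has_class() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_class LIST CLASS: append CLASS at the end, separated by a comma, unless
# it is already present. An empty list becomes just CLASS.
add_class() {
    list="$1"; cls="$2"
    if has_class "$list" "$cls"; then
        printf '%s\n' "$list"
    elif [ -z "$list" ]; then
        printf '%s\n' "$cls"
    else
        printf '%s,%s\n' "$list" "$cls"
    fi
}

# remove_class LIST CLASS: drop every element equal to CLASS and rebuild the
# list with no leading, trailing or doubled commas.
remove_class() {
    list="$1"; cls="$2"
    out=""
    old_ifs="$IFS"; IFS=','
    for item in $list; do
        [ "$item" = "$cls" ] && continue
        [ -z "$item" ] && continue
        out="${out:+$out,}$item"
    done
    IFS="$old_ifs"
    printf '%s\n' "$out"
}

# The two operations the procedures describe, expressed on a value string.
enable_hbase_acl()  { add_class "$1" "$ACCESS_CONTROLLER"; }
disable_hbase_acl() { remove_class "$1" "$ACCESS_CONTROLLER"; }

# Constructed sample: an existing coprocessor value with two placeholder classes.
SAMPLE='com.example.coprocessor.First,com.example.coprocessor.Second'

enable_hbase_acl "$SAMPLE"
enable_hbase_acl "$(enable_hbase_acl "$SAMPLE")"   # a second enable changes nothing
disable_hbase_acl "$(enable_hbase_acl "$SAMPLE")"  # back to the original value
```

Because add and remove are idempotent, the same helper can be run against all three parameters regardless of whether a previous attempt already changed some of them.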

Disable permission verification on HDFS.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Service > HDFS > Configuration.
  3. Click All Configurations.
  4. Search for the parameters dfs.namenode.acls.enabled and dfs.permissions.enabled.

    • dfs.namenode.acls.enabled specifies whether the HDFS ACL is enabled. The default value is true, which indicates that the ACL is enabled. Change the value to false.
    • dfs.permissions.enabled specifies whether the permission check is enabled on HDFS. The default value is true, which indicates that the permission check is enabled. Change the value to false. After the parameters are modified, the directories, the owners and groups of files, and the permission information in HDFS remain unchanged.

  5. Click Save Configuration and click OK.

    When Operation succeeded is displayed, click Finish.

Enable permission verification on Yarn.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Service > Yarn > Configuration.
  3. Click All Configurations.
  4. Search for the parameter yarn.acl.enable.

    yarn.acl.enable specifies whether the permission check is enabled on Yarn.

    • In normal mode, the value is set to false by default to disable permission check. To enable permission check, change the value to true.
    • In security mode, the value is set to true by default to enable authentication.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.

Disable permission verification on ZooKeeper.

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Service > ZooKeeper > Configuration.
  3. Click All Configurations.
  4. Search for the parameter skipACL.

    skipACL specifies whether the ZooKeeper permission check is skipped. The default value is no, which indicates that the permission check is used. Change the value to yes.

  5. Click Save and click OK.

    When Operation succeeded is displayed, click Finish.
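The HDFS, Yarn and ZooKeeper procedures above each turn on one parameter value that switches permission verification off: dfs.permissions.enabled=false, dfs.namenode.acls.enabled=false, yarn.acl.enable=false and skipACL=yes. The following shell function is an added example, not from the guide, that audits a dump of those parameters and reports each one currently set to its disabling value, so an operator can see at a glance which services are running without verification (in Normal Mode that includes Yarn's default). The parameter names and values are from the page; the key=value input format, the function names and the sample dump are constructed.

```shell
#!/bin/sh
# Added example (not from the FusionInsight guide): flag cluster parameters
# that are set to the value which disables permission verification.

# For a known parameter, print the value that disables verification.
# Returns 1 for parameters this audit does not cover.
disabling_value() {
    case "$1" in
        dfs.permissions.enabled)   printf 'false\n' ;;
        dfs.namenode.acls.enabled) printf 'false\n' ;;
        yarn.acl.enable)           printf 'false\n' ;;
        skipACL)                   printf 'yes\n' ;;
        *) return 1 ;;
    esac
}

# Map a parameter name to the service whose configuration page holds it.
service_of() {
    case "$1" in
        dfs.*)   printf 'HDFS\n' ;;
        yarn.*)  printf 'Yarn\n' ;;
        skipACL) printf 'ZooKeeper\n' ;;
        *)       printf 'unknown\n' ;;
    esac
}

# audit_settings reads key=value lines on stdin (constructed format, one
# parameter per line, '#' comments allowed) and prints one finding per
# weakened setting as "<service> <parameter>=<value>".
# Exit status: 0 when no setting is weakened, 1 otherwise.
audit_settings() {
    findings=0
    while IFS='=' read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        expected=$(disabling_value "$key") || continue
        if [ "$value" = "$expected" ]; then
            printf '%s %s=%s\n' "$(service_of "$key")" "$key" "$value"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample dump: HDFS permission check and ZooKeeper ACLs are off,
# HDFS ACLs and Yarn ACLs are on, plus a comment and an unrelated parameter.
SAMPLE_DUMP='# exported from Manager (constructed sample)
dfs.permissions.enabled=false
dfs.namenode.acls.enabled=true
yarn.acl.enable=true
skipACL=yes
unrelated.param=1'

printf '%s\n' "$SAMPLE_DUMP" | audit_settings || echo "weakened settings found"
```

The non-zero exit status makes the function usable from a cron job or a post-change check: any finding means at least one service will accept requests from users who hold no permission on the resource.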

Logging In to a Non-Cluster Node Using a Cluster User in Normal Mode

Scenario

When the cluster is installed in Normal Mode, the component clients do not support Kerberos authentication and cannot use the kinit command. Therefore, nodes outside the cluster cannot use users in the cluster by default, and user authentication may fail when one of these nodes accesses a component server.

The node administrator can create, on a node outside the cluster, an OS user with the same name as a cluster user, allow that user to log in to the node over SSH, and connect to the servers of components in the cluster as the OS user who has logged in.

Prerequisites
  • The node outside the cluster can connect to the cluster service plane.
  • The KrbServer service of the cluster is running properly.
  • You have obtained the password of user root of the node outside the cluster.
  • A Human-machine user has been planned and added to the cluster, and you have obtained the authentication credential file. For details, see Creating a User and Exporting an Authentication Credential File.
Procedure
  1. Use PuTTY to log in to the node where a user is to be added as user root.
  2. Run the following commands:

    rpm -qa | grep pam
    rpm -qa | grep krb5-client

    The following RPM packages are displayed:

    pam_krb5-32bit-2.3.1-47.12.1 
    pam-modules-32bit-11-1.22.1 
    yast2-pam-2.17.3-0.5.211 
    pam-32bit-1.1.5-0.10.17 
    pam_mount-32bit-0.47-13.16.1 
    pam-config-0.79-2.5.58 
    pam_krb5-2.3.1-47.12.1 
    pam-doc-1.1.5-0.10.17 
    pam-modules-11-1.22.1 
    pam_mount-0.47-13.16.1 
    pam_ldap-184-147.20 
    pam-1.1.5-0.10.17 
    krb5-client-1.6.3     

  3. Check whether the RPM packages in the list are installed in the OS.

  4. Obtain the missing RPM packages from the OS image, upload the files to the current directory, and run the following command to install them:

    rpm -ivh *.rpm

    NOTE:

    The RPM packages to be installed may bring security risks. The risks that may be brought by the installation of these RPM packages must be taken into consideration during OS hardening.

    After the RPM packages are installed, go to Step 5.

  5. Run the following command to configure Kerberos authentication on PAM:

    pam-config --add --krb5

    NOTE:

    If you need to cancel Kerberos authentication and system user login on a non-cluster node, run the pam-config --delete --krb5 command as user root.

  6. Decompress the authentication credential file to obtain krb5.conf, use WinSCP to upload this configuration file to the /etc directory on the node outside the cluster, and run the following command to set permissions that let other users read the file, for example 604:

    chmod 604 /etc/krb5.conf

  7. Run the following command in the connection session as user root to add the corresponding OS user to the Human-machine user, and specify root as the primary group.

    The OS user password is the same as the initial password when the Human-machine user is created on Manager.

    useradd Username -m -d /home/admin_test -g root -s /bin/bash

    For example, if the name of the Human-machine user is admin_test, run the following command:

    useradd admin_test -m -d /home/admin_test -g root -s /bin/bash

    NOTE:

    When you use the newly added OS user to log in to the node by using the SSH protocol for the first time, the system prompts that the password has expired after you enter the user password, and the system prompts that the password needs to be changed after you enter the user password again. You need to enter a new password that meets the password complexity requirements of both the node OS and the FusionInsight cluster.
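Step 3 of the procedure asks you to compare the RPM list from step 2 against what is installed. The following shell script is an added example, not from the guide, that makes that comparison mechanical: it strips the version and release from each package string so that any installed version counts, then prints the required packages that `rpm -qa` does not report. The required package list is the one printed in step 2; the function names and the sample installed list (with two packages deliberately left out) are constructed.

```shell
#!/bin/sh
# Added example (not from the FusionInsight guide): list required PAM and
# Kerberos client RPM packages that are not installed on a node.

# Required packages, as listed in step 2 of the procedure (name-version-release).
REQUIRED='pam_krb5-32bit-2.3.1-47.12.1
pam-modules-32bit-11-1.22.1
yast2-pam-2.17.3-0.5.211
pam-32bit-1.1.5-0.10.17
pam_mount-32bit-0.47-13.16.1
pam-config-0.79-2.5.58
pam_krb5-2.3.1-47.12.1
pam-doc-1.1.5-0.10.17
pam-modules-11-1.22.1
pam_mount-0.47-13.16.1
pam_ldap-184-147.20
pam-1.1.5-0.10.17
krb5-client-1.6.3'

# pkg_name NAME-VERSION[-RELEASE] -> NAME. The trailing one or two
# dash-separated fields that begin with a digit (version and release) are
# removed, so names that themselves contain digits or dashes
# (pam_krb5-32bit, yast2-pam) are preserved.
pkg_name() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*(-[0-9][^-]*)?$//'
}

# missing_packages: read `rpm -qa` output on stdin and print, one per line,
# the required package names that are not installed in any version.
missing_packages() {
    installed=$(while read -r p; do pkg_name "$p"; done)
    printf '%s\n' "$REQUIRED" | while read -r req; do
        name=$(pkg_name "$req")
        printf '%s\n' "$installed" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample of `rpm -qa` output on a node where yast2-pam and
# krb5-client are absent.
SAMPLE_INSTALLED='pam-1.1.5-0.10.17
pam-modules-11-1.22.1
pam-config-0.79-2.5.58
pam_krb5-2.3.1-47.12.1
pam_mount-0.47-13.16.1
pam_ldap-184-147.20
pam-doc-1.1.5-0.10.17
pam-32bit-1.1.5-0.10.17
pam-modules-32bit-11-1.22.1
pam_krb5-32bit-2.3.1-47.12.1
pam_mount-32bit-0.47-13.16.1'

printf '%s\n' "$SAMPLE_INSTALLED" | missing_packages
# On the real node: rpm -qa | missing_packages
```

Matching on the package name rather than the full version string is deliberate: the versions in step 2 are those of the guide's reference OS image, and a node patched to a newer release should still pass the check.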

Updated: 2019-05-17

Document ID: EDOC1100074522