This is documentation for MapR Version 5.0. You can also refer to MapR documentation for the latest release.


This procedure converts a MapR cluster running as root to run as a non-root user. Non-root operation is available in MapR version 2.0 and later. In addition to converting the MapR user to a non-root user, you can also disable the root user's superuser privileges on the cluster for additional security.


You must perform these steps on all nodes of a stable cluster. Do not perform this procedure while upgrading packages.

To convert a MapR cluster from running as root to running as a non-root user:

  1. Create a user with the same UID/GID across the cluster. Assign that user to the MAPR_USER environment variable.
  2. On each node:
    1. Stop the warden and the ZooKeeper (if present).

    2. Run the config-mapr-user.sh script to configure the cluster to start as the non-root user.

    3. Start the ZooKeeper (if present) and the warden.

  3. After the previous step is complete on all nodes in the cluster, run the upgrade2mapruser.sh script on all nodes.

    This command may take several minutes to return. The script waits ten minutes for the process to complete across the entire cluster. If the cluster-wide operation takes longer than ten minutes, the script fails. Re-run the script on all nodes where the script failed.

    • The MAPR_UID_MISMATCH alarm may be raised during this process. The alarm clears when this process is complete on all nodes.
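
A pre-flight check for step 1, added here as an example (it is not part of the MapR documentation or tooling): it compares the passwd entry that each node reports for the MAPR_USER account and flags nodes where the entry is missing, the UID is 0, or the UID/GID differs from the first node. The user name `mapr`, the node names, the IDs and the "node, then passwd entry" input format are assumptions; how the lines are collected from the nodes is left to the operator.

```shell
#!/bin/sh
# Added example: verify that MAPR_USER has one non-root UID/GID on every node.
# Input on stdin, one line per node: "<node> <passwd entry>", where the entry
# is what `getent passwd "$MAPR_USER"` prints on that node (empty if absent).

# check_mapr_ids USER  -- prints one line per problem, returns 0 only if
# every node reports the same non-root UID and GID for USER.
check_mapr_ids() {
    awk -v user="$1" '
    {
        node = $1
        n = split($2, f, ":")            # name:passwd:UID:GID:...
        if (n < 4 || f[1] != user) {
            printf "%s: no passwd entry for %s\n", node, user
            bad = 1; next
        }
        uid = f[3]; gid = f[4]
        if (uid == "0") { printf "%s: %s has UID 0\n", node, user; bad = 1 }
        if (!seen) { ref_uid = uid; ref_gid = gid; ref_node = node; seen = 1; next }
        if (uid != ref_uid || gid != ref_gid) {
            printf "%s: %s:%s differs from %s (%s:%s)\n", \
                   node, uid, gid, ref_node, ref_uid, ref_gid
            bad = 1
        }
    }
    END {
        if (!seen) { print "no usable entries"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample inventory (host names, UIDs and GIDs are made up).
sample_inventory() {
    cat <<'EOF'
node1 mapr:x:5000:5000::/home/mapr:/bin/bash
node2 mapr:x:5000:5000::/home/mapr:/bin/bash
node3 mapr:x:5001:5000::/home/mapr:/bin/bash
node4
EOF
}

MAPR_USER=${MAPR_USER:-mapr}             # assumed default account name
if sample_inventory | check_mapr_ids "$MAPR_USER"; then
    echo "UID/GID consistent on all nodes; continue with step 2"
else
    echo "fix the entries listed above before stopping the warden"
fi
```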

To disable superuser access for the root user:


Enabling the cldb.squash.root or cldb.reject.root configuration values can cause instability with the Oozie open source component. If your cluster uses Oozie, do not set the cldb.squash.root or cldb.reject.root configuration values to 1.

 

To disable root user (UID 0) access to the MapR filesystem on a cluster that is running as a non-root user, use either of the following commands:

  • The squash root configuration value treats all requests from UID 0 as coming from UID -2 (nobody):

  • The reject root configuration value automatically fails all filesystem requests from UID 0:

You can verify that these commands worked, as shown in the example below.
