Configuring Apache HDFS Encryption

Create an HDFS Admin User

How to create an HDFS admin user.

To use HDFS data at rest encryption, you need two separate types of HDFS administrative accounts:

  • HDFS administrative user: an account in the hdfs supergroup that is used to manage encryption keys and encryption zones. Examples in this chapter use an administrative user account named encr.
  • HDFS service user: the system-level account traditionally associated with HDFS. By default this is user hdfs in HDP. This account owns the HDFS DataNode and NameNode processes.

    This is a system-only account. Physical users should not be given access to this account.

Complete the following steps to create a new HDFS administrative user.

Note: These steps use sample values for group (operator) and user account (opt1).

  1. Create a new group called operator.
  2. Add a new user (for example, opt1) to the group.
  3. Add principal opt1@EXAMPLE.COM and create a keytab.
  4. Log in as opt1 and run kinit to obtain a Kerberos ticket.
  5. In Ambari, replace the current value of dfs.permissions.superusergroup with the group name “operator”.

    You can assign only one administrator group for the dfs.permissions.superusergroup parameter.

  6. In Ambari, add hdfs,operator to dfs.cluster.administrators.
  7. Add opt1 to the KMS blacklist. Set the corresponding property in Ambari: hadoop.kms.blacklist.DECRYPT_EEK=opt1.
  8. Restart HDFS.

Make sure the opt1 account has HDFS administrative access:

hdfs dfsadmin -report

Make sure the opt1 account cannot access encrypted files. For example, if /data/test/file.txt is in an encryption zone, the following command should return an error:

hdfs dfs -cat /data/test/file.txt
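The following script is an added example, not part of the HDP documentation. It scripts the OS and Kerberos steps (1 to 4) for the new administrative user, prints the three Ambari properties from steps 5 to 7 as a reminder (those are set in the Ambari UI, as described above), and then performs the two checks: the user must be an HDFS superuser, and the same user must be refused when reading a file inside an encryption zone. The sample values (group operator, user opt1, realm EXAMPLE.COM, file /data/test/file.txt) come from this page; the keytab path and the use of kadmin.local are assumptions. Privileged commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the HDP docs): provision and verify an HDFS admin
# user for data at rest encryption. Sample values come from the page; the
# keytab path and kadmin.local usage are assumptions.

ADMIN_GROUP="${ADMIN_GROUP:-operator}"
ADMIN_USER="${ADMIN_USER:-opt1}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/security/keytabs/${ADMIN_USER}.keytab}"   # assumed path
ENCRYPTED_FILE="${ENCRYPTED_FILE:-/data/test/file.txt}"         # file in an encryption zone
DRY_RUN="${DRY_RUN:-1}"   # 1: print privileged commands instead of running them

# Print a command, and run it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Steps 1-4: group, user, Kerberos principal plus keytab, then kinit.
create_admin_user() {
    run groupadd "$ADMIN_GROUP"
    run useradd -g "$ADMIN_GROUP" "$ADMIN_USER"
    run kadmin.local -q "addprinc -randkey ${ADMIN_USER}@${REALM}"
    run kadmin.local -q "ktadd -k ${KEYTAB} ${ADMIN_USER}@${REALM}"
    run kinit -kt "$KEYTAB" "${ADMIN_USER}@${REALM}"
}

# Steps 5-7: the properties to set in Ambari (only one superuser group
# is allowed; the admin user is blacklisted from DECRYPT_EEK in KMS).
ambari_properties() {
    printf '%s\n' \
        "dfs.permissions.superusergroup=${ADMIN_GROUP}" \
        "dfs.cluster.administrators=hdfs,${ADMIN_GROUP}" \
        "hadoop.kms.blacklist.DECRYPT_EEK=${ADMIN_USER}"
}

# Returns 0 if `hdfs dfsadmin -report` succeeds, i.e. the current Kerberos
# identity is an HDFS superuser (non-admins get an access denied error).
check_admin_access() {
    hdfs dfsadmin -report >/dev/null 2>&1
}

# Returns 0 if reading the encrypted file FAILS, which is the desired
# outcome: KMS refuses to decrypt the EDEK for a blacklisted user.
# Returns 1 if the read unexpectedly succeeds.
check_cannot_read_encrypted() {
    if hdfs dfs -cat "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Runs both checks after kinit as the admin user; returns 0 only when the
# user is a superuser AND cannot read the encrypted file.
verify_hdfs_admin_user() {
    file="${1:-$ENCRYPTED_FILE}"
    status=0
    if check_admin_access; then
        echo "OK: dfsadmin -report succeeded (superuser access)"
    else
        echo "FAIL: dfsadmin -report denied; check dfs.permissions.superusergroup"
        status=1
    fi
    if check_cannot_read_encrypted "$file"; then
        echo "OK: cannot read $file (KMS blacklist is effective)"
    else
        echo "FAIL: $file was readable; check hadoop.kms.blacklist.DECRYPT_EEK"
        status=1
    fi
    return $status
}

# Invoke directly as: sh hdfs_admin_user.sh --provision | --verify
# When sourced, only the functions are defined.
case "${1:-}" in
    --provision) create_admin_user; ambari_properties ;;
    --verify)    verify_hdfs_admin_user "$ENCRYPTED_FILE" ;;
esac
```

The verification deliberately treats a successful `hdfs dfs -cat` as a failure: an encryption-zone administrator who can still decrypt file contents means the KMS blacklist entry is missing or has not been applied (for example, KMS was not restarted), which is the misconfiguration this check is meant to catch.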

Additional Administrative User Accounts

If you plan to use HDFS data at rest encryption with YARN, we recommend that you create a separate administrative user account for YARN administration.

If you plan to use HDFS data at rest encryption with Oozie, refer to the “Oozie” section of this chapter.