Help Center/ MapReduce Service/ User Guide (ME-Abu Dhabi Region)/ FusionInsight Manager Operation Guide (Applicable to 3.x)/ Security Management/ Security Overview/ User Information Overview
Updated on 2022-12-08 GMT+08:00
View PDF
Share

User Information Overview

User Classification

The MRS cluster provides the following three types of users. You needs to periodically change the passwords. It is not recommended to use the default passwords.

User Type

Description

System users
  • User created on FusionInsight Manager for O&M and service scenarios. There are two types of users:
    • Human-machine user: used in scenarios such as FusionInsight Manager O&M and operations on a component client. When creating a user of this type, you need to set password and confirm password by referring to Creating a User.
    • Machine-machine user: used for system application development.
  • User who runs OMS processes

Internal system users

Internal user to perform Kerberos authentication, process communications, save user group information, and associate user permissions. It is recommended that internal system users not be used in O&M scenarios. Operations can be performed as user admin or another user created by the MRS cluster administrator based on service requirements.

Database users
  • User who manages OMS database and accesses data
  • User who runs service components (Hue, Hive, Loader, Oozie, Ranger, and DBService) in the database.

System Users

  • User root of the OS is required, the password of user root on all nodes must be the same.
  • User Idap of the OS is required. Do not delete this account. Otherwise, the cluster may not work properly. The OS administrator maintains the password management policies.

User Type

Username

Initial Password

Description

Password Change Method

System administrator

admin

Admin@123

FusionInsight Manager administrator.

NOTE:

By default, user admin does not have the management permission on other components. For example, when accessing the native UI of a component, the user fails to access the complete component information due to insufficient management permission on the component.

For details, see Changing the Password for User admin.

Node OS user

ommdba

Random password

User that creates the system database. This user is an OS user generated on the management node and does not require a unified password. This account cannot be used for remote login.

For details, see Changing the Password for an OS User.

omm

Random password

Internal running user of the system. This user is an OS user generated on all node and does not require a unified password.

Internal System Users

User Type

Default User

Initial Password

Description

Password Change Method

Kerberos administrator

kadmin/admin

Admin@123

Used to add, delete, modify, and query user accounts on Kerberos.

For details, see Changing the Password for the Kerberos Administrator.

OMS Kerberos administrator

kadmin/admin

Admin@123

Used to add, delete, modify, and query user accounts on OMS Kerberos.

For details, see Changing the Password for the OMS Kerberos Administrator.

LDAP administrator

cn=root,dc=hadoop,dc=com

LdapChangeMe@123

Used to add, delete, modify, and query the user account information on LDAP.

For details, see Changing the Passwords of the LDAP Administrator and the LDAP User (Including OMS LDAP).

OMS LDAP administrator

cn=root,dc=hadoop,dc=com

LdapChangeMe@123

Used to add, delete, modify, and query the user account information on OMS LDAP.

LDAP user

cn=pg_search_dn,ou=Users,dc=hadoop,dc=com

Randomly generated by the system

Used to query information about users and user groups on LDAP.

OMS LDAP user

cn=pg_search_dn,ou=Users,dc=hadoop,dc=com

Randomly generated by the system

Used to query information about users and user groups on OMS LDAP.

LDAP administrator account

cn=krbkdc,ou=Users,dc=hadoop,dc=com

LdapChangeMe@123

Used to query Kerberos component authentication account information.

For details, see Changing the Password for the LDAP Administrator.

cn=krbadmin,ou=Users,dc=hadoop,dc=com

LdapChangeMe@123

Used to add, delete, modify, and query Kerberos component authentication account information.

Component running user

hdfs

Hdfs@123

This user is the HDFS system administrator and has the following permissions:

  1. File system operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
    • Views and sets disk quotas for users.
  2. HDFS management operation permissions:
    • Views the web UI status.
    • Views and sets the active and standby HDFS status.
    • Enters and exits the HDFS in security mode.
    • Checks the HDFS file system.
  3. Logs in to the FTP service page.

For details, see Changing the Password for a Component Running User.

hbase

Hbase@123

This user is the HBase and HBase1 to HBase4 system administrator and has the following permissions:

  • Cluster management permission: Performs Enable and Disable operations on tables to trigger MajorCompact and ACL operations.
  • Grants and revokes permissions, and shuts down the cluster.
  • Table management permission: Creates, modifies, and deletes tables.
  • Data management permission: Reads data in tables, column families, and columns.
  • Logs in to the HMaster web UI.
  • Logs in to the FTP service page.

mapred

Mapred@123

This user is the MapReduce system administrator and has the following permissions:

  • Submits, stops, and views the MapReduce tasks.
  • Modifies the Yarn configuration parameters.
  • Logs in to the FTP service page.
  • Logs in to the Yarn web UI.

zookeeper

ZooKeeper@123

This user is the ZooKeeper system administrator and has the following permissions:

  • Adds, deletes, modifies, and queries all nodes in ZooKeeper.
  • Modifies and queries quotas of all nodes in ZooKeeper.

rangeradmin

Rangeradmin@123

This user has the Ranger system management permissions and user permissions:

  • Ranger web UI management permission
  • Management permission of each component that uses Ranger authentication

rangerauditor

Rangerauditor@123

Default audit user of the Ranger system.

hive

Hive@123

This user is the Hive system administrator and has the following permissions:

  1. Hive administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive1

Hive1@123

This user is the Hive1 system administrator and has the following permissions:

  1. Hive1 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive2

Hive2@123

This user is the Hive2 system administrator and has the following permissions:

  1. Hive2 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive3

Hive3@123

This user is the Hive3 system administrator and has the following permissions:

  1. Hive3 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive4

Hive4@123

This user is the Hive4 system administrator and has the following permissions:

  1. Hive4 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

kafka

Kafka@123

This user is the Kafka system administrator and has the following permissions:

  • Creates, deletes, produces, and consumes the topic; modifies the topic configuration.
  • Controls the cluster metadata, modifies the configuration, migrates the replica, elects the leader, and manages ACL.
  • Submits, queries, and deletes the consumer group offset.
  • Queries the delegation token.
  • Queries and submits the transaction.

storm

Admin@123

Storm system administrator

User permission: Submits Storm tasks.

rangerusersync

Randomly generated by the system

Synchronizes users and internal users of user groups.

rangertagsync

Randomly generated by the system

Internal user for synchronizing tags.

oms/manager

Randomly generated by the system

Controller and NodeAgent authentication user. The user has the permission on the supergroup group.

backup/manager

Randomly generated by the system

User for running backup and restoration tasks. The user has the permission on the supergroup, wheel, and ficommon groups. After cross-system mutual trust is configured, the user has the permission to access data in the HDFS, HBase, Hive, and ZooKeeper systems.

hdfs/hadoop.<System domain name>

Randomly generated by the system

This user is used to start the HDFS and has the following permissions:

  1. File system operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
    • Views and sets disk quotas for users.
  2. HDFS management operation permissions:
    • Views the web UI status.
    • Views and sets the active and standby HDFS status.
    • Enters and exits the HDFS in security mode.
    • Checks the HDFS file system.
  3. Logs in to the FTP service page.

mapred/hadoop.<System domain name>

Randomly generated by the system

This user is used to start the MapReduce and has the following permissions:

  • Submits, stops, and views the MapReduce tasks.
  • Modifies the Yarn configuration parameters.
  • Logs in to the FTP service page.
  • Logs in to the Yarn web UI.

mr_zk/hadoop.<System domain name>

Randomly generated by the system

Used for MapReduce to access ZooKeeper.

hbase/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the HBase system startup.

hbase/zkclient.<System domain name>

Randomly generated by the system

User for HBase to perform ZooKeeper authentication in a security mode cluster.

thrift/hadoop.<System domain name>

Randomly generated by the system

ThriftServer system startup user.

thrift/<hostname>

Randomly generated by the system

User for the ThriftServer system to access HBase. This user has the read, write, execution, creation, and administration permission on all NameSpaces and tables of HBase. <hostname> indicates the name of the host where the ThriftServer node is installed in the cluster.

hive/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the Hive system startup. The user permissions are as follows:

  1. Hive administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive1/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the Hive1 system startup. The user has the following permissions:

  1. Hive1 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive2/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the Hive2 system startup. The user has the following permissions:

  1. Hive2 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive3/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the Hive3 system startup. The user permissions are as follows:

  1. Hive3 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive4/hadoop.<System domain name>

Randomly generated by the system

User for the authentication between internal components during the Hive4 system startup. The user permissions are as follows:

  1. Hive4 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

loader/hadoop.<System domain name>

Randomly generated by the system

User for Loader system startup and Kerberos authentication

HTTP/<hostname>

Randomly generated by the system

Used to connect to the HTTP interface of each component. <hostname> indicates the host name of a node in the cluster.

hue

Randomly generated by the system

User for Hue system startup, Kerberos authentication, and HDFS and Hive access

flume

Randomly generated by the system

User for Flume system startup and HDFS and Kafka access. The user has read and write permission of the HDFS directory /flume.

flume_server

Randomly generated by the system

User for Flume system startup and HDFS and Kafka access. The user has read and write permission of the HDFS directory /flume.

spark2x/hadoop.<System domain name>

Randomly generated by the system

This user is the Spark2x system administrator and has the following user permissions:

1. Starts the Spark2x service.

2. Submits Spark2x tasks.

spark_zk/hadoop.<System domain name>

Randomly generated by the system

Used for Spark2x to access ZooKeeper.

spark2x1/hadoop.<System domain name>

Randomly generated by the system

This user is the Spark2x1 system administrator and has the following user permissions:

  1. Starts the Spark2x1 service.
  2. Submits Spark2x tasks.

spark2x2/hadoop.<System domain name>

Randomly generated by the system

This user is the Spark2x2 system administrator and has the following user permissions:

  1. Starts the Spark2x2 service.
  2. Submits Spark2x tasks.

spark2x3/hadoop.<System domain name>

Randomly generated by the system

This user is the Spark2x3 system administrator and has the following user permissions:

  1. Starts the Spark2x3 service.
  2. Submits Spark2x tasks.

spark2x4/hadoop.<System domain name>

Randomly generated by the system

This user is the Spark2x4 system administrator and has the following user permissions:

  1. Starts the Spark2x4 service.
  2. Submits Spark2x tasks.

zookeeper/hadoop.<System domain name>

Randomly generated by the system

ZooKeeper system startup user.

zkcli/hadoop.<System domain name>

Randomly generated by the system

ZooKeeper server login user.

oozie

Randomly generated by the system

User for Oozie system startup and Kerberos authentication.

kafka/hadoop.<System domain name>

Randomly generated by the system

Used for security authentication of Kafka.

storm/hadoop.<System domain name>

Randomly generated by the system

Storm system startup user.

storm_zk/hadoop.<System domain name>

Randomly generated by the system

Used for the Worker process to access ZooKeeper.

flink/hadoop.<System domain name>

Randomly generated by the system

Internal user of the Flink service.

check_ker_M

Randomly generated by the system

User who performs a system internal test about whether the Kerberos service is normal.

tez

Randomly generated by the system

User for TezUI system startup, Kerberos authentication, and access to Yarn

K/M

Randomly generated by the system

Kerberos internal functional user. This user cannot be deleted, and its password cannot be changed. This internal account can only be used on nodes where Kerberos service is installed.

None

kadmin/changepw

Randomly generated by the system

kadmin/history

Randomly generated by the system

krbtgt<System domain name>

Randomly generated by the system

LDAP user

admin

None

FusionInsight Manager administrator.

The primary group is compcommon, which does not have the group permission but has the permission of the Manager_administrator role.

The LDAP user cannot log in to the system, and the password cannot be changed.

backup

The primary group is compcommon.

backup/manager

The primary group is compcommon.

oms

The primary group is compcommon.

oms/manager

The primary group is compcommon.

clientregister

The primary group is compcommon.

zookeeper

The primary group is hadoop.

zookeeper/hadoop.<System domain name>

The primary group is hadoop.

zkcli

The primary group is hadoop.

zkcli/hadoop.<System domain name>

The primary group is hadoop.

flume

The primary group is hadoop.

flume_server

The primary group is hadoop.

hdfs

The primary group is hadoop.

hdfs/hadoop.<System domain name>

The primary group is hadoop.

mapred

The primary group is hadoop.

mapred/hadoop.<System domain name>

The primary group is hadoop.

mr_zk

The primary group is hadoop.

mr_zk/hadoop.<System domain name>

The primary group is hadoop.

hue

The primary group is supergroup.

hive

The primary group is hive.

hive/hadoop.<System domain name>

The primary group is hive.

hive1

The primary group is hive1.

hive1/hadoop.<System domain name>

The primary group is hive1.

hive2

The primary group is hive2.

hive2/hadoop.<System domain name>

The primary group is hive2.

hive3

The primary group is hive3.

hive3/hadoop.<System domain name>

The primary group is hive3.

hive4

The primary group is hive4.

hive4/hadoop.<System domain name>

The primary group is hive4.

hbase

The primary group is hadoop.

hbase/hadoop.<System domain name>

The primary group is hadoop.

thrift

The primary group is hadoop.

thrift/hadoop.<System domain name>

The primary group is hadoop.

oozie

The primary group is hadoop.

hbase/zkclient.<System domain name>

The primary group is hadoop.

loader

The primary group is hadoop.

loader/hadoop.<System domain name>

The primary group is hadoop.

spark2x

The primary group is hadoop.

spark2x/hadoop.<System domain name>

The primary group is hadoop.

spark_zk

The primary group is hadoop.

spark2x1

The primary group is hadoop.

spark2x1/hadoop.<System domain name>

The primary group is hadoop.

spark2x2

The primary group is hadoop.

spark2x2/hadoop.<System domain name<

The primary group is hadoop.

spark2x3

The primary group is hadoop.

spark2x3/hadoop.<System domain name>

The primary group is hadoop.

spark2x4

The primary group is hadoop.

spark2x4/hadoop.<System domain name>

The primary group is hadoop.

kafka

The primary group is kafkaadmin.

kafka/hadoop.<System domain name>

The primary group is kafkaadmin.

storm

The primary group is stormadmin.

storm/hadoop.<System domain name>

The primary group is stormadmin.

storm_zk

The primary group is storm.

storm_zk/hadoop.<System domain name>

The primary group is storm.

kms/hadoop

The primary group is kmsadmin.

knox

The primary group is compcommon.

executor

The primary group is compcommon.

Log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and check the value of Local Domain. In the preceding table, all letters in the system domain name contained in the username of the system internal user are lowercase letters.

For example, if Local Domain is set to 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM, the username of default HDFS startup user is hdfs/hadoop.9427068f-6efa-4833-b43e-60cb641e5b6c.com.

Database Users

The system database users include OMS database users and DBService database users.

Database Type

Default User

Initial Password

Description

Password Change Method

OMS database

ommdba

dbChangeMe@123456

OMS database administrator who performs maintenance operations, such as creating, starting, and stopping.

For details, see Changing the Password for the OMS Database Administrator.

omm

ChangeMe@123456

User for accessing OMS database data

For details, see Changing the Password for the OMS Database Data Access User.

DBService database

omm

dbserverAdmin@123

Administrator of the GaussDB database in the DBService component

For details, see Changing the Password for a Component Database User.

hive

HiveUser@

User for Hive to connect to the DBService database hivemeta.

hive1

HiveUser@

User for Hive1 to connect to the DBService database hivemeta1.

hive2

HiveUser@

User for Hive2 to connect to the DBService database hivemeta2.

hive3

HiveUser@

User for Hive3 to connect to the DBService database hivemeta3.

hive4

HiveUser@

User for Hive4 to connect to the DBService database hivemeta4.

hiveNN

HiveUser@

User for Hive-N to connect to the DBService database hiveNmeta when multiple services are installed.

For example, the user for Hive-1 to connect to the DBService database hive1meta is hive11.

hue

HueUser@123

User for Hue to connect to the DBService database hue.

sqoop

SqoopUser@

User for Loader to connect to the DBService database sqoop.

sqoopN

SqoopUser@

User for Loader-N to connect to the DBService database sqoopN when multiple services are installed.

For example, the user for Loader-1 to connect to the DBService database sqoop1 is sqoop1.

oozie

OozieUser@

User for Oozie to connect to the DBService database oozie.

oozieN

OozieUser@

User for Oozie-N to connect to the DBService database oozieN when multiple services are installed.

For example, the user for Oozie-1 to connect to the DBService database oozie1 is oozie1.

rangeradmin

Admin12!

User for Ranger to connect to the DBService database ranger.
Parent topic: Security Overview