Updated on 2024-11-29 GMT+08:00

User Account List

User Classification

There are three types of users available in MRS clusters. Do not use the default passwords. Change the passwords periodically.

This section describes the default users in the MRS cluster.

User Type

Description

System users

  • User created on FusionInsight Manager for O&M and service scenarios. There are two types of users:
    • Human-machine user: used in scenarios such as FusionInsight Manager O&M and operations on a component client. When creating a user of this type, you need to set and confirm a password by referring to Creating a User.
    • Machine-machine user: used for system application development.
  • User who runs OMS processes

Internal system users

Internal users used for Kerberos authentication, process communication, storing user group information, and associating user permissions. It is recommended that internal system users not be used in O&M scenarios. Operations can be performed as user admin or another user created by the system administrator based on service requirements.

Database users

  • User who manages OMS database and accesses data
  • User who runs service components (Hue, Hive, HetuEngine, Metadata, Loader, Oozie, Redis, Ranger, JobGateway, and DBService) in the database.

System Users

  • User root of the OS is required. The password of user root must be the same on all nodes.
  • User ldap of the OS is required. Do not delete this account. Otherwise, the cluster may not work properly. The OS administrator maintains the password management policies.

User Type

Username

Description

Password Change Method

System administrator

admin

FusionInsight Manager administrator.

NOTE:

By default, user admin does not have the management permission on other components. For example, when accessing the native UI of a component, the user fails to access the complete component information due to insufficient management permission on the component.

For details, see Changing the Password for User admin.

Node OS user

ommdba

User that creates the system database. This user is an OS user generated on the management node and does not require a unified password. This account cannot be used for remote login.

For details, see Changing the Password for an OS User.

omm

Internal running user of the system. This user is an OS user generated on all nodes and does not require a unified password.

Internal System Users

User Type

Default User

Description

Password Change Method

Kerberos administrator

kadmin/admin

Used to add, delete, modify, and query user accounts on Kerberos.

For details, see Changing the Password for the Kerberos Administrator.

OMS Kerberos administrator

kadmin/admin

Used to add, delete, modify, and query user accounts on OMS Kerberos.

For details, see Changing the Password for the OMS Kerberos Administrator.

LDAP administrator

cn=root,dc=hadoop,dc=com

Used to add, delete, modify, and query the user account information on LDAP.

For details, see Modifying OMS Service Configuration Parameters.

OMS LDAP administrator

cn=root,dc=hadoop,dc=com

Used to add, delete, modify, and query the user account information on OMS LDAP.

LDAP user

cn=pg_search_dn,ou=Users,dc=hadoop,dc=com

Used to query information about users and user groups on LDAP.

OMS LDAP user

cn=pg_search_dn,ou=Users,dc=hadoop,dc=com

Used to query information about users and user groups on OMS LDAP.

LDAP administrator account

cn=krbkdc,ou=Users,dc=hadoop,dc=com

Used to query Kerberos component authentication account information.

For details, see Modifying OMS Service Configuration Parameters.

cn=krbadmin,ou=Users,dc=hadoop,dc=com

Used to add, delete, modify, and query Kerberos component authentication account information.

Component running user

iotdb

This user is the IoTDB system administrator and has the following user permissions:

  1. IoTDB administrator permissions:
    • Creates and deletes databases.
    • Uses TTL.
  2. IoTDB data operation permissions:
    • Creates, modifies, and deletes a time sequence.
    • Writes, reads, and deletes data in a time sequence.
  3. Views user or role permission information.
  4. Grants or revokes permissions to or from a user or role.
    NOTE:

    In a common cluster, the IoTDB service retains the open-source feature. The default username is root. This user is an administrator and has all permissions, which cannot be assigned, revoked, or deleted.

For details, see Changing the Password for a Component Running User.

hdfs

This user is the HDFS system administrator and has the following permissions:

  1. File system operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
    • Views and sets disk quotas for users.
  2. HDFS management operation permissions:
    • Views the web UI status.
    • Views and sets the active and standby HDFS status.
    • Enters and exits the HDFS in security mode.
    • Checks the HDFS file system.
  3. Logs in to the FTP service page.

hbase

This user is the HBase and HBase1 to HBase4 system administrator and has the following permissions:

  • Cluster management permission: Performs Enable and Disable operations on tables to trigger MajorCompact and ACL operations.
  • Grants and revokes permissions, and shuts down the cluster.
  • Table management permission: Creates, modifies, and deletes tables.
  • Data management permission: Reads data in tables, column families, and columns.
  • Logs in to the HMaster web UI.
  • Logs in to the FTP service page.

mapred

This user is the MapReduce/Yarn system administrator and has the following permissions:

  • Submits, stops, and views the MapReduce tasks.
  • Modifies the Yarn configuration parameters.
  • Logs in to the FTP service page.
  • Logs in to the Yarn web UI.

zookeeper

This user is the ZooKeeper system administrator and has the following permissions:

  • Adds, deletes, modifies, and queries all nodes in ZooKeeper.
  • Modifies and queries quotas of all nodes in ZooKeeper.

solr

This user has the Solr system management permissions and user permissions:

  • Accesses the Solr Admin UI.
  • Management of configuration files: Uploads a Solr configuration file to a ZooKeeper directory and modifies the Solr configuration file in the ZooKeeper directory.
  • Management of index collections: Creates, deletes, and views collections.
  • Operations on index data: Creates, deletes, and views indexes.

Elasticsearch

This user has the Elasticsearch system management permissions and user permissions:

  • Management of index collections: Creates, deletes, and views index collections.
  • Operations on index data: Creates, deletes, and views indexes.

rangerkms

RangerKMS system administrator

rangeradmin

This user has the Ranger system management permissions and user permissions:

  • Ranger web UI management permission
  • Management permission of each component that uses Ranger authentication

rangerauditor

Default audit user of the Ranger system.

hive

This user is the Hive system administrator and has the following permissions:

  1. Hive administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive1

This user is the Hive1 system administrator and has the following permissions:

  1. Hive1 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive2

This user is the Hive2 system administrator and has the following permissions:

  1. Hive2 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive3

This user is the Hive3 system administrator and has the following permissions:

  1. Hive3 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

hive4

This user is the Hive4 system administrator and has the following permissions:

  1. Hive4 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.
  4. Ranger policy management permission

kafka

This user is the Kafka system administrator and has the following permissions:

  • Creates, deletes, produces, and consumes the topic; modifies the topic configuration.
  • Controls the cluster metadata, modifies the configuration, migrates the replica, elects the leader, and manages ACL.
  • Submits, queries, and deletes the consumer group offset.
  • Queries the delegation token.
  • Queries and submits the transaction.

cdl

CDL system administrator

Currently, user permissions are not involved in CDL.

rangerusersync

Synchronizes users and internal users of user groups.

rangertagsync

Internal user for synchronizing tags.

oms/manager

Controller and NodeAgent authentication user. The user has the permission on the supergroup group.

backup/manager

User for running backup and restoration tasks. The user has the permission on the supergroup, wheel, and ficommon groups. After cross-system mutual trust is configured, the user has the permission to access data in the HDFS, HBase, Hive, and ZooKeeper systems.

hdfs/hadoop.<System domain name>

This user is used to start the HDFS and has the following permissions:

  1. File system operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
    • Views and sets disk quotas for users.
  2. HDFS management operation permissions:
    • Views the web UI status.
    • Views and sets the active and standby HDFS status.
    • Enters and exits the HDFS in security mode.
    • Checks the HDFS file system.
  3. Logs in to the FTP service page.

hetuserver/hadoop.<System domain name>

This user is used to start HetuEngine and has the following permissions:

  • Accesses KrbServer and HDFS files in the cluster from HetuEngine.
  • Used for communication between HetuEngine internal nodes.

mapred/hadoop.<System domain name>

This user is used to start the MapReduce and has the following permissions:

  • Submits, stops, and views the MapReduce tasks.
  • Modifies the Yarn configuration parameters.
  • Logs in to the FTP service page.
  • Logs in to the Yarn web UI.

mr_zk/hadoop.<System domain name>

Used for MapReduce to access ZooKeeper.

hbase/hadoop.<System domain name>

User for the authentication between internal components during the HBase system startup.

hbase/zkclient.<System domain name>

User for HBase to perform ZooKeeper authentication in a security mode cluster.

thrift/hadoop.<System domain name>

ThriftServer system startup user.

rangerkms/hadoop.<System domain name>

RangerKMS system startup user

rest/hadoop.<System domain name>

RestServer system startup user.

thrift/<hostname>

User for the ThriftServer system to access HBase. This user has the read, write, execution, creation, and administration permissions on all namespaces and tables of HBase. <hostname> indicates the name of the host where the ThriftServer node is installed in the cluster.

hive/hadoop.<System domain name>

User for the authentication between internal components during the Hive system startup. The user permissions are as follows:

  1. Hive administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive1/hadoop.<System domain name>

User for the authentication between internal components during the Hive1 system startup. The user permissions are as follows:

  1. Hive1 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive2/hadoop.<System domain name>

User for the authentication between internal components during the Hive2 system startup. The user permissions are as follows:

  1. Hive2 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive3/hadoop.<System domain name>

User for the authentication between internal components during the Hive3 system startup. The user permissions are as follows:

  1. Hive3 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

hive4/hadoop.<System domain name>

User for the authentication between internal components during the Hive4 system startup. The user permissions are as follows:

  1. Hive4 administrator permissions:
    • Creates, deletes, and modifies a database.
    • Creates, queries, modifies, and deletes a table.
    • Queries, inserts, and uploads data.
  2. HDFS file operation permissions:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  3. Submits and stops the MapReduce tasks.

loader/hadoop.<System domain name>

User for Loader system startup and Kerberos authentication

HTTP/<hostname>

Used to connect to the HTTP interface of each component. <hostname> indicates the host name of a node in the cluster.

hue

User for Hue system startup, Kerberos authentication, and HDFS and Hive access

flume

User for Flume system startup and HDFS and Kafka access. The user has read and write permissions on the HDFS directory /flume.

flume_server

User for Flume system startup and HDFS and Kafka access. The user has read and write permissions on the HDFS directory /flume.

ftpserver

FTP-Server system startup user.

metadata/hadoop.<System domain name>

Metadata system startup user who can access Hive and HBase metadata.

spark_zk/hadoop.<System domain name>

Used for Spark to access ZooKeeper.

spark2x/hadoop.<System domain name>

This user is the Spark system administrator and has the following user permissions:

  1. Starts the Spark service.
  2. Submits Spark tasks.

spark2x1/hadoop.<System domain name>

This user is the Spark1 system administrator and has the following user permissions:

  1. Starts the Spark1 service.
  2. Submits Spark tasks.

spark2x2/hadoop.<System domain name>

This user is the Spark2 system administrator and has the following user permissions:

  1. Starts the Spark2 service.
  2. Submits Spark tasks.

spark2x3/hadoop.<System domain name>

This user is the Spark3 system administrator and has the following user permissions:

  1. Starts the Spark3 service.
  2. Submits Spark tasks.

spark2x4/hadoop.<System domain name>

This user is the Spark4 system administrator and has the following user permissions:

  1. Starts the Spark4 service.
  2. Submits Spark tasks.

zookeeper/hadoop.<System domain name>

ZooKeeper system startup user.

zkcli/hadoop.<System domain name>

ZooKeeper server login user.

oozie

User for Oozie system startup and Kerberos authentication.

solr/hadoop.<System domain name>

  • Used to access the HDFS data directory. The HDFS Solr data directory is /user/solr, and the user has read and write permissions on the directory.
  • Used to access the ZooKeeper data directory. The user can access all files in the /solr directory in ZooKeeper and has read and write permissions on all files in the directory.

elasticsearch/hadoop.<System domain name>

Used to access the ZooKeeper data directory. The user can access all files in the /elasticsearch directory in ZooKeeper and has read and write permissions on all files in the directory.

HTTP/<hostname>

Used to perform Kerberos authentication on the HTTP service of Solr.

HTTP/SOLR_FLOAT_IP

Used to perform Kerberos authentication on the HTTP service of Solr.

kafka/hadoop.<System domain name>

Used for security authentication of Kafka.

redisCli

Redis system administrator

redis/hadoop.<System domain name>

Redis system startup user

flink/hadoop.<System domain name>

Internal user of the Flink service.

check_ker_M

User who performs a system internal test about whether the Kerberos service is normal.

tez

User for TezUI system startup, Kerberos authentication, and access to Yarn

cdl/hadoop.<System domain name>

Internal user of the CDL service.

rangeradmin/hadoop.<System domain name>

Ranger system startup user, which is used for authentication between internal components.

clickhouse/hadoop.<System domain name>

Used for security authentication of ClickHouse. This user is an internal user and can be used only in the cluster.

default

ClickHouse internal user, which is an administrator user that can be used only in non-security mode.

For details, see "Configuring the Password of the Default Account of a ClickHouse Cluster" in .

K/M

Kerberos internal functional user. It cannot be deleted, and its password cannot be changed. This internal account can be used only on nodes where the Kerberos service is installed.

None

kadmin/changepw

kadmin/history

krbtgt<System domain name>

root

Used in Doris internally to initialize the doris_manager user.

None

admin

Doris internal user of common clusters

After you connect to Doris as user admin, run SET PASSWORD = PASSWORD('password'); to change the password. Commands that carry authentication passwords pose security risks. Disable command history recording before running such commands to prevent information leakage.

doris_manager

Used in Doris internally to add instances, users, and roles

None

doris

Doris internal user, which is used by Hive Catalog to access other components when Kerberos authentication is enabled for the cluster (the cluster is in security mode).

None

doris/hadoop.<System domain name>

Doris internal user, which is used by Hive Catalog to access other components when Kerberos authentication is enabled for the cluster (the cluster is in security mode).

None

Component running user

rangerobs/hadoop.<System domain name>

System administrator used by Guardian to access Ranger

For details, see Changing the Password for a Component Running User.

Component running user

jobserver

This user is the JobGateway system administrator and has the following permissions:

  1. HDFS file operations:
    • Views, modifies, and creates files.
    • Views and creates directories.
    • Views and modifies the groups where files belong.
  2. Manager administrator permission

For details, see Changing the Password for a Component Running User.

Component running user

HTTP/_HOST

Internal user of the JobGateway service, which is used for Kerberos authentication of the HTTP service

For details, see Changing the Password for a Component Running User.

LDAP user

admin

FusionInsight Manager administrator.

The primary group is compcommon, which does not have the group permission but has the permission of the Manager_administrator role.

The LDAP user cannot log in to the system, and the password cannot be changed.

backup

The primary group is compcommon.

backup/manager

The primary group is compcommon.

oms

The primary group is compcommon.

oms/manager

The primary group is compcommon.

clientregister

The primary group is compcommon.

zookeeper

The primary group is hadoop.

zookeeper/hadoop.<System domain name>

The primary group is hadoop.

zkcli

The primary group is hadoop.

zkcli/hadoop.<System domain name>

The primary group is hadoop.

flume

The primary group is hadoop.

flume_server

The primary group is hadoop.

ftpserver

The primary group is supergroup.

hdfs

The primary group is hadoop.

hdfs/hadoop.<System domain name>

The primary group is hadoop.

mapred

The primary group is hadoop.

mapred/hadoop.<System domain name>

The primary group is hadoop.

mr_zk

The primary group is hadoop.

mr_zk/hadoop.<System domain name>

The primary group is hadoop.

hue

The primary group is supergroup.

hive

The primary group is hive.

hive/hadoop.<System domain name>

The primary group is hive.

hive1

The primary group is hive1.

hive1/hadoop.<System domain name>

The primary group is hive1.

hive2

The primary group is hive2.

hive2/hadoop.<System domain name>

The primary group is hive2.

hive3

The primary group is hive3.

hive3/hadoop.<System domain name>

The primary group is hive3.

hive4

The primary group is hive4.

hive4/hadoop.<System domain name>

The primary group is hive4.

hbase

The primary group is hadoop.

hbase/hadoop.<System domain name>

The primary group is hadoop.

thrift

The primary group is hadoop.

thrift/hadoop.<System domain name>

The primary group is hadoop.

oozie

The primary group is hadoop.

hbase/zkclient.<System domain name>

The primary group is hadoop.

loader

The primary group is hadoop.

loader/hadoop.<System domain name>

The primary group is hadoop.

spark2x

The primary group is hadoop.

spark2x/hadoop.<System domain name>

The primary group is hadoop.

spark2x1

The primary group is hadoop.

spark2x1/hadoop.<System domain name>

The primary group is hadoop.

spark2x2

The primary group is hadoop.

spark2x2/hadoop.<System domain name>

The primary group is hadoop.

spark2x3

The primary group is hadoop.

spark2x3/hadoop.<System domain name>

The primary group is hadoop.

spark2x4

The primary group is hadoop.

spark2x4/hadoop.<System domain name>

The primary group is hadoop.

metadata

The primary group is supergroup.

metadata/hadoop.<System domain name>

The primary group is supergroup.

kafka

The primary group is kafkaadmin.

kafka/hadoop.<System domain name>

The primary group is kafkaadmin.

cdl

The primary group is cdladmin.

cdl/hadoop.<System domain name>

The primary group is cdladmin.

redisCli

The primary group is supergroup.

redis

The primary group is supergroup.

redis/hadoop.<System domain name>

The primary group is supergroup.

solr

The primary group is ficommon.

solr/hadoop.<System domain name>

The primary group is ficommon.

Elasticsearch

The primary group is ficommon.

elasticsearch/hadoop.<System domain name>

The primary group is ficommon.

rangeradmin

The primary group is supergroup.

rangeradmin/hadoop.<System domain name>

The primary group is supergroup.

rangerusersync

The primary group is supergroup.

rangertagsync

The primary group is supergroup.

rangerauditor

The primary group is compcommon.

kms/hadoop

The primary group is kmsadmin.

knox

The primary group is compcommon.

executor

The primary group is compcommon.

doris

The primary group is supergroup.

doris/hadoop.<System domain name>

The primary group is supergroup.

LDAP user

jobserver

The primary group is compcommon.

The LDAP user cannot log in to the system, and the password cannot be changed.

Log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and check the value of Local Domain. In the preceding table, the system domain name contained in the username of an internal system user is written entirely in lowercase letters.

For example, if Local Domain is set to 9427068F-6EFA-4833-B43E-60CB641E5B6C.COM, the username of the default HDFS startup user is hdfs/hadoop.9427068f-6efa-4833-b43e-60cb641e5b6c.com.

Database Users

The system database users include OMS database users and DBService database users.

Database Type

Default User

Description

Password Change Method

OMS database

ommdba

OMS database administrator who performs maintenance operations, such as creating, starting, and stopping.

For details, see Changing the Password of the OMS Database Administrator.

omm

User for accessing OMS database data

For details, see Changing the Password for the Data Access User of the OMS Database.

DBService database

omm

Administrator of the GaussDB database in the DBService component

For details, see Resetting the Password for User omm in DBService.

compdbuser

Administrator of the GaussDB database in the DBService component. It is used in service O&M scenarios. If the password of this account has expired, you need to reset the password upon your first login.

For details, see Changing the Password for User compdbuser of the DBService Database.

hetu

User for HetuEngine to connect to the DBService database hetumeta.

For details, see Resetting the Component Database User Password.

hive

User for Hive to connect to the DBService database hivemeta.

hive1

User for Hive1 to connect to the DBService database hivemeta1.

hive2

User for Hive2 to connect to the DBService database hivemeta2.

hive3

User for Hive3 to connect to the DBService database hivemeta3.

hive4

User for Hive4 to connect to the DBService database hivemeta4.

hiveNN

User for Hive-N to connect to the DBService database hiveNmeta when multiple services are installed.

For example, the user for Hive-1 to connect to the DBService database hive1meta is hive11.

hue

User for Hue to connect to the DBService database hue.

sqoop

User for Loader to connect to the DBService database sqoop.

sqoopN

User for Loader-N to connect to the DBService database sqoopN when multiple services are installed.

For example, the user for Loader-1 to connect to the DBService database sqoop1 is sqoop1.

metadata

User for Metadata to connect to the DBService database metadata.

metadataN

User for Metadata-N to connect to the DBService database metadataN when multiple services are installed.

For example, the user for Metadata-1 to connect to the DBService database metadata1 is metadata1.

oozie

User for Oozie to connect to the DBService database oozie.

oozieN

User for Oozie-N to connect to the DBService database oozieN when multiple services are installed.

For example, the user for Oozie-1 to connect to the DBService database oozie1 is oozie1.

redis

User for Redis to connect to the DBService database redismeta.

rangeradmin

User for Ranger to connect to the DBService database ranger.

kafkauiN

User for Kafka UI to connect to the DBService database kafkaui.

flink

User for Flink to connect to the DBService database flink.

cdl

User for CDL to connect to the DBService database cdl.

activiti

User for Containers to connect to the DBService database activitidb.

rtd

User for RTDService to connect to the DBService database rtdmeta.

lakesearch

User for LakeSearch to connect to the DBService database lakesearch.

jobgateway

User for JobGateway to connect to the DBService database jobmeta.

MOTService database

omm

Administrator of the database in the MOTService component

Contact the system administrator to obtain the password.