This procedure converts a MapR cluster running as root to run as a non-root user. Non-root operation is available in MapR version 2.0 and later. In addition to converting the MapR user to a non-root user, you can also disable superuser privileges to the cluster for the root user for additional security.
You must perform these steps on all nodes of a stable cluster. Do not perform this procedure while upgrading packages.
To convert a MapR cluster from running as root to running as a non-root user:
- Create a user with the same UID/GID across the cluster. Assign that user to the
- On each node:
  - Stop the warden and the ZooKeeper (if present).
  - Run the config-mapr-user.sh script to configure the cluster to start as the non-root user.
  - Start the ZooKeeper (if present) and the warden.
- After the previous step is complete on all nodes in the cluster, run the upgrade2mapruser.sh script on all nodes.
This command may take several minutes to return. The script waits ten minutes for the process to complete across the entire cluster. If the cluster-wide operation takes longer than ten minutes, the script fails. Re-run the script on all nodes where the script failed.
The MAPR_UID_MISMATCH alarm may be raised during this process. The alarm will clear when this process is complete on all nodes.
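A pre-flight check for the first step (same UID/GID on every node), added here as an example and not part of the MapR documentation or scripts. It assumes the per-node `getent passwd` output has already been collected as `<hostname> <entry>` lines; the host names, the user name `mapr` and the IDs are constructed sample data.

```shell
#!/bin/sh
# Added example: confirm the cluster user has one UID/GID on every node
# before converting. Input on stdin, one line per node:
#   <hostname> <getent passwd entry>
# (collected, for instance, with: ssh "$node" getent passwd "$user";
#  the collection method is an assumption, not part of the procedure)

# check_ids USER
# Prints each UID:GID pair found and the nodes using it.
# Returns 0 only if every node has the user, all nodes agree on one
# UID:GID pair, and that UID is not 0 (root).
check_ids() {
    user=$1
    awk -v user="$user" '
        {
            node = $1
            n = split($2, f, ":")          # name:passwd:uid:gid:...
            if (n < 4 || f[1] != user) { missing = missing " " node; next }
            pair = f[3] ":" f[4]
            if (!(pair in nodes)) npairs++
            nodes[pair] = nodes[pair] " " node
            if (f[3] == 0) root = 1
        }
        END {
            for (p in nodes) printf "uid:gid %s on%s\n", p, nodes[p]
            if (missing != "") printf "user %s missing on%s\n", user, missing
            if (root) print "user maps to UID 0; cluster would still run as root"
            exit ((npairs == 1 && missing == "" && !root) ? 0 : 1)
        }'
}

# Constructed sample data (host names, user name and IDs are made up).
consistent='node1 mapr:x:5000:5000:MapR user:/home/mapr:/bin/bash
node2 mapr:x:5000:5000:MapR user:/home/mapr:/bin/bash'
mismatch='node1 mapr:x:5000:5000::/home/mapr:/bin/bash
node2 mapr:x:5001:5000::/home/mapr:/bin/bash
node3'

printf '%s\n' "$consistent" | check_ids mapr && echo "IDs consistent"
printf '%s\n' "$mismatch" | check_ids mapr || echo "fix IDs before converting"
```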
To disable superuser access for the root user
cldb.reject.root configuration values can cause instability with the Oozie open source component. If your cluster uses Oozie, do not set the cldb.reject.root configuration values to 1.
To disable root user (UID 0) access to the MapR filesystem on a cluster that is running as a non-root user, use either of the following commands:
The squash root configuration value treats all requests from UID 0 as coming from UID -2 (nobody):
The reject root configuration value automatically fails all filesystem requests from UID 0:
You can verify that these commands worked, as shown in the example below.