MapR 5.0 Documentation : Converting a Cluster from Root to Non-root User

This procedure converts a MapR cluster running as root to run as a non-root user. Non-root operation is available in MapR version 2.0 and later. In addition to converting the MapR user to a non-root user, you can disable the root user's superuser privileges on the cluster for additional security.

Perform these steps on all nodes of a stable cluster. Do not perform this procedure while upgrading packages.

To convert a MapR cluster from running as root to running as a non-root user:

  1. Create a user with the same UID/GID across the cluster. Assign that user to the MAPR_USER environment variable.
  2. On each node:
    1. Stop the warden and the ZooKeeper (if present).

      # service mapr-warden stop
      # service mapr-zookeeper stop
      
    2. Run the config-mapr-user.sh script to configure the cluster to start as the non-root user.

      # /opt/mapr/server/config-mapr-user.sh -u <MapR user> [-g <MapR group>]
    3. Start the ZooKeeper (if present) and the warden.

      # service mapr-zookeeper start
      # service mapr-warden start
      
  3. After the previous step is complete on all nodes in the cluster, run the upgrade2mapruser.sh script on all nodes.

    # /opt/mapr/server/upgrade2mapruser.sh
    

    This command may take several minutes to return. The script waits ten minutes for the process to complete across the entire cluster. If the cluster-wide operation takes longer than ten minutes, the script fails. Re-run the script on all nodes where the script failed.

    • The MAPR_UID_MISMATCH alarm may be raised during this process. The alarm clears when this process is complete on all nodes.
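
The UID/GID requirement in step 1 can be checked before any service is stopped. The script below is an added example, not part of the MapR documentation; the `host uid gid` input format, the function name `check_mapr_ids`, the user name `mapr`, and the sample hosts and IDs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for step 1 (same UID/GID on every node).
# Input on stdin: one "host uid gid" record per node. One way to collect it
# (the user name "mapr" is an assumption):
#   ssh "$host" 'echo "$(hostname) $(id -u mapr) $(id -g mapr)"'
# Returns 0 when every node agrees and the UID is not 0, 1 otherwise.
check_mapr_ids() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next
        }
        { n++ }
        $2 == 0 {                                # the target user must not be root
            printf "ROOT-UID %s uid=0 gid=%s\n", $1, $3; bad = 1
        }
        # The first valid record becomes the reference pair.
        n == 1 { ref_host = $1; ref_uid = $2; ref_gid = $3; next }
        $2 != ref_uid || $3 != ref_gid {
            printf "MISMATCH %s uid=%s gid=%s (expected %s:%s as on %s)\n",
                   $1, $2, $3, ref_uid, ref_gid, ref_host
            bad = 1
        }
        END {
            if (n == 0) { print "NO-DATA"; exit 1 }
            if (!bad) printf "OK uid=%s gid=%s on %d nodes\n", ref_uid, ref_gid, n
            exit bad
        }
    '
}

# Constructed sample inventories (not real hosts).
SAMPLE_GOOD='node1 5000 5000
node2 5000 5000
node3 5000 5000'
SAMPLE_BAD='node1 5000 5000
node2 5001 5000
node3 0 0'

printf '%s\n' "$SAMPLE_GOOD" | check_mapr_ids
printf '%s\n' "$SAMPLE_BAD" | check_mapr_ids ||
    echo "Resolve the findings above before running config-mapr-user.sh"
```

A node reported as MISMATCH here is one that would otherwise be expected to keep the MAPR_UID_MISMATCH alarm raised after the conversion.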

To disable superuser access for the root user:

Enabling the cldb.squash.root or cldb.reject.root configuration values can cause instability with the Oozie open source component. If your cluster uses Oozie, do not set the cldb.squash.root or cldb.reject.root configuration values to 1.

To disable root user (UID 0) access to the MapR filesystem on a cluster that is running as a non-root user, use either of the following commands:

  • The squash root configuration value treats all requests from UID 0 as coming from UID -2 (nobody):

    # maprcli config save -values {"cldb.squash.root":"1"}
    
  • The reject root configuration value automatically fails all filesystem requests from UID 0:

    # maprcli config save -values {"cldb.reject.root":"1"}
    

You can verify that these commands worked, as shown in the example below.

    # maprcli config load -keys cldb.squash.root,cldb.reject.root
    cldb.reject.root  cldb.squash.root
    1                 1