Running Unravel daemons with a custom user

By default, Unravel Server daemons run as the local user unravel. You might want to run them as a different user, for example:

  • Run as hdfs or mapr because this user has access to log files needed by Unravel on a non-Kerberos cluster with simple Unix security.

  • Run as a customized service account with a name aligned with your local policies.

  • The "run-as" user should match the user you targeted with the setfacl commands run during installation on a Kerberos-enabled cluster.

Use the procedure below to change the user that Unravel runs as. This change only needs to be done once; it will be preserved by RPM upgrades.

Procedure to switch user
  1. Run the following command to switch the running Unravel daemons to user {user} and group {group}. Replace both with valid names, without the curly braces; see the scenarios below.

    sudo /usr/local/unravel/install_bin/switch_to_user.sh {user} {group}

    | Scenario | USER | GROUP |
    |---|---|---|
    | MapR installation | mapr | mapr |
    | CDH or HDP with simple Linux security | hdfs | hadoop or hdfs |
    | Kerberos enabled on CDH/HDP and Sentry/Ranger/setfacl access already enabled for custom local user "foo" in group "foo". | foo | foo |
    | Kerberos enabled on CDH/HDP and Sentry/Ranger/setfacl access already enabled for local user "hdfs" in group "hadoop". | hdfs | hadoop |

  2. Start Unravel daemons.

    sudo /etc/init.d/unravel_all.sh start

Effect

The switch_to_user.sh script has the following effects:

  • /etc/unravel_ctl defines environment variables RUN_AS and USE_GROUP.

  • HDFS_KEYTAB_PATH and HDFS_KERBEROS_PRINCIPAL environment variables are removed from /usr/local/unravel/etc/unravel.ext.sh.

  • /usr/local/unravel/ and /srv/unravel/* are recursively set to ownership RUN_AS:USE_GROUP.

  • /srv/unravel/tmp_hdfs/ directory is removed (no longer needed).

  • Log files in /srv/unravel/log_hdfs are moved to /usr/local/unravel/logs.

  • /srv/unravel/log_hdfs directory is removed (no longer needed).

  • The umask of the run-as daemon can now be more restrictive than 022; it can be 007 or 077.

  • The permission (chmod) bits of /usr/local/unravel and /srv/unravel can remove Group and Other visibility if desired.
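
To confirm that the switch left the host in the state listed above, the following shell functions check each item. This is an added example, not part of Unravel's tooling; it assumes /etc/unravel_ctl and unravel.ext.sh use NAME=value shell assignments (optionally with export), and the ROOT argument is a hypothetical prefix for auditing a copy of the tree.

```shell
#!/bin/sh
# Added example (not Unravel's code): audit the state switch_to_user.sh should leave.
# Assumption: /etc/unravel_ctl and unravel.ext.sh use NAME=value shell assignments,
# optionally prefixed with "export". ROOT is a hypothetical prefix for auditing a copy.
# Usage on a live host (as root): audit_unravel_switch

# Print the last value assigned to NAME in FILE, without sourcing the file.
ctl_value() {  # ctl_value FILE NAME
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\2/p" "$1" | tail -n 1
}

# Print one FAIL line per deviation; the return status is the number of failures.
audit_unravel_switch() {  # audit_unravel_switch [ROOT]
    root=${1:-}
    ctl="$root/etc/unravel_ctl"
    ext="$root/usr/local/unravel/etc/unravel.ext.sh"
    fails=0

    run_as=$(ctl_value "$ctl" RUN_AS 2>/dev/null)
    use_group=$(ctl_value "$ctl" USE_GROUP 2>/dev/null)
    if [ -z "$run_as" ] || [ -z "$use_group" ]; then
        echo "FAIL: RUN_AS or USE_GROUP not defined in $ctl"
        return 1
    fi

    # The Kerberos keytab/principal variables should no longer be set.
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?HDFS_(KEYTAB_PATH|KERBEROS_PRINCIPAL)=' "$ext" 2>/dev/null; then
        echo "FAIL: HDFS_KEYTAB_PATH or HDFS_KERBEROS_PRINCIPAL still set in $ext"
        fails=$((fails + 1))
    fi

    # The hdfs-specific scratch and log directories should be gone.
    for d in tmp_hdfs log_hdfs; do
        if [ -e "$root/srv/unravel/$d" ]; then
            echo "FAIL: $root/srv/unravel/$d still exists"
            fails=$((fails + 1))
        fi
    done

    # /usr/local/unravel/ and /srv/unravel/* should be owned by RUN_AS:USE_GROUP.
    # find errors (for example an unknown user name) are reported as findings too.
    stray=$(find "$root/usr/local/unravel" "$root/srv/unravel"/* \
        \( ! -user "$run_as" -o ! -group "$use_group" \) -print 2>&1 | head -n 5)
    if [ -n "$stray" ]; then
        echo "FAIL: not owned by $run_as:$use_group (first 5 shown):"
        echo "$stray"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

The control file is parsed with sed instead of being sourced, so a tampered /etc/unravel_ctl cannot execute code in the root shell running the audit.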