
User Management Description
Last updated: 2026-01-14 15:30:24
The user information of an Elastic MapReduce (EMR) cluster is stored in the OpenLDAP component of the cluster. EMR users can be used to access components and WebUIs and, after LDAP authentication is enabled for the components, to authenticate to them. If the user source in Ranger is set to LDAP, you can apply permission control to the users managed in the User Management module. The EMR console provides control modules for users and user groups. This document describes how to manage cluster users and user groups through the console.
Note:
1. An EMR cluster uses the OpenLDAP component internally to manage users and user groups. Therefore, cluster types with the OpenLDAP component support user management.
2. The user list only displays information about users who were added through the User Management module. Users who were not added via the console are not displayed. All users support LDAP authentication. The root, hadoop, and emr_admin users in a StarRocks cluster retain their original authentication methods.
3. For operations related to users and user groups, see the change processes and operation records in the Task Center and Operation Log.

Users

The user list only displays information about users who were added through the User Management module. Users who were not added via the console are not displayed. Users in an EMR cluster are classified into two types, that is, system users and custom users.
System users: the users generated by default during cluster creation. This type of user does not support operations such as editing, deletion, and password resetting.
Custom users: the users added to the cluster through CAM user synchronization or manual creation in the User Management module. This type of user supports operations, including password resetting, editing, deletion, and keytab downloading.
Note:
System users consist of root and hadoop users. The newly added emr_admin user in a StarRocks cluster is a system user.
Deleting a user or resetting a password may cause running tasks to fail. Operate with caution.
All users support LDAP authentication. The root, hadoop, and emr_admin users in a StarRocks Cluster retain their original authentication methods.
In the User Management module, non-root system users and newly added users do not have a password set in Linux, resulting in an "empty password" status. As a result, SSH password login is unavailable. To enable SSH password login, log in to the node with the root account, then run the passwd command to set a password, or configure SSH key authentication.
During username uniqueness checks, letters are case-insensitive (for example, AA, aa, aA, and Aa are deemed as the same), and creation of system users is not supported.

Adding Users

You can add users either by importing users from CAM in batches or by creating users manually.

Importing Users from CAM

1. Log in to the EMR console, then click the cluster ID/Name in the cluster list to go to the cluster details page.
2. In the left sidebar, click User Management to go to the User Management page.
3. Click Synchronize CAM Users. In the pop-up window, select the list of users to be imported, and complete the relevant information.
| Field | Required | Description |
| --- | --- | --- |
| User | Yes | Select the CAM users to be synchronized this time. Batch selection and synchronization, as well as username search, are supported. |
| User Primary Group | Yes | Only the EMR on CVM edition requires setting the user primary group. The group should be a Linux user primary group, and username search is supported. |
| User Group | Yes | 1. In the EMR on CVM edition, this field is optional. You can associate 0–2000 user groups and search for them by keywords. 2. In the EMR on TKE edition, this field is required. You can associate 1–2000 user groups and search for them by keywords. Note: You can add or edit up to 50 user groups at a time. |
| Remarks | No | Custom remarks. |
| Password | Yes | The length limit is 8–30 characters. The password can only include letters, digits, and the following special characters: hyphen (-), underscore (_), exclamation mark (!), at sign (@), number sign (#), and percent sign (%). It should start with an underscore (_), a letter, or a digit. |
| Confirm Password | Yes | The password should be consistent with the first input. |
Note:
CAM users whose names do not comply with the naming rules specified in the User Management module cannot be synchronized to the User Management module. Each CAM user can be synchronized only once. Repeated synchronization is not supported.
Deleting a user in the CAM console will not synchronously delete the user in the User Management module. To delete the user synchronously, perform the deletion in the User Management module of the EMR console.
The initial passwords for CAM users synchronized in the same batch should be identical.

Creating Users Manually

1. Log in to the EMR console, then click the Cluster ID/Name in the cluster list to go to the cluster details page.
2. In the left sidebar, click User Management to go to the User Management page.
3. Click Create User, then set the user information in the pop-up window.
| Field | Required | Description |
| --- | --- | --- |
| User | Yes | Custom username. 1. EMR on CVM edition: The length limit is 1–30 characters. The username can only include letters, digits, underscores (_), and hyphens (-). It cannot consist entirely of digits and cannot start with a hyphen (-). 2. EMR on TKE edition: The length limit is 1–30 characters. The username can only include letters, digits, hyphens (-), and underscores (_). It cannot consist entirely of digits and cannot start with a hyphen (-) or underscore (_). |
| User Primary Group | Yes | Only the EMR on CVM edition requires setting the user primary group. The group should be a Linux user primary group, and username search is supported. |
| User Group | Yes | 1. In the EMR on CVM edition, this field is optional. You can associate 0–2000 user groups and search for them by keywords. 2. In the EMR on TKE edition, this field is required. You can associate 1–2000 user groups and search for them by keywords. Note: You can add or edit up to 50 user groups at a time. |
| Remarks | No | Custom remarks. |
| Password | Yes | The length limit is 8–30 characters. The password can only include letters, digits, and the following special characters: hyphen (-), underscore (_), exclamation mark (!), at sign (@), number sign (#), and percent sign (%). It should start with an underscore (_), a letter, or a digit. |
| Confirm Password | Yes | The password should be consistent with the first input. |
Created users can be automatically synchronized to Ranger, with a default synchronization frequency of 1 minute. To adjust the synchronization frequency, go to the Ranger configuration management page to modify the ranger.usersync.sleeptimeinmillisbetweensynccycle parameter and distribute the configurations.
Note:
For clusters created before July 1, 2023, you need to manually trigger the configuration distribution of ranger-ugsync-site.xml and restart the EnableUnixAuth service for user synchronization to take effect. To do this, go to the Ranger configuration management page, select the ranger-ugsync-site.xml configuration file, execute the configuration distribution operation, then restart the service.
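The username and password rules stated for Synchronize CAM Users and Create User can be checked before a batch is submitted, so that non-compliant or colliding names are caught up front. The following is an added example, not Tencent Cloud code; the function names screen_batch and password_ok, the reading of "letters" as ASCII letters, and the treatment of system user names as reserved in every cluster type are assumptions.

```python
import re

# Names the page lists as system users (emr_admin exists only on StarRocks
# clusters; reserving it everywhere is a conservative assumption).
SYSTEM_USERS = {"root", "hadoop", "emr_admin"}

# 1-30 chars of letters, digits, "_" and "-". CVM forbids a leading "-";
# TKE forbids a leading "-" or "_". "Letters" is assumed to mean ASCII letters.
USERNAME_RE = {
    "cvm": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,29}"),
    "tke": re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,29}"),
}
# 8-30 chars of letters, digits and - _ ! @ # %, starting with "_", a letter
# or a digit.
PASSWORD_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_!@#%-]{7,29}")


def password_ok(password):
    """True if the password satisfies the console's documented format."""
    return PASSWORD_RE.fullmatch(password) is not None


def screen_batch(names, edition, existing=()):
    """Split candidate usernames into (accepted, {rejected_name: reason})."""
    taken = {n.lower() for n in existing} | SYSTEM_USERS
    accepted, rejected = [], {}
    for name in names:
        if not USERNAME_RE[edition].fullmatch(name):
            rejected[name] = "bad length, character set or first character"
        elif name.isdigit():
            rejected[name] = "consists entirely of digits"
        elif name.lower() in taken:
            # AA, aa, aA and Aa count as the same name.
            rejected[name] = "system user or case-insensitive duplicate"
        else:
            accepted.append(name)
            taken.add(name.lower())
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from a real CAM account list.
    batch = ["alice", "Alice", "_svc", "-etl", "20240101", "ROOT", "data-eng_01"]
    ok, bad = screen_batch(batch, "tke", existing=["bob"])
    print("accepted:", ok)
    for name, reason in bad.items():
        print(f"rejected {name!r}: {reason}")
    print("password ok:", password_ok("Str0ng_pass!"))
```
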

Editing Users

On the user list page, select the user to be edited, then click Edit in the right-side operation column. In the pop-up window, modify the associated user primary group, user group, and remarks information of the current user.

Resetting Passwords

On the user management list page, locate the user whose password needs to be modified, then click Reset Password in the right-side operation column. Enter the new password, confirm the password, then click Confirm to complete the reset.
Note:
To ensure business security and stability, modifying the LDAP administrator password and the root account password is now an allowlist feature. This feature is not visible in the console by default. If you need to use this feature, please submit a ticket to contact us, and we will help you assess whether to use this feature.
Modifying the LDAP Administrator Password:
1.1 In User Management, click More Operations, then select "Modify Open LDAP Administrator Password" to modify the password.
1.2 After modifying the Open LDAP administrator password, you need to perform the following steps:
1.2.1 Choose Cluster Service > RANGER > Configuration Management. Modify the value of the ranger.usersync.ldap.ldapbindpassword configuration item in ranger-ugsync-site.xml to the new password.
1.2.2 Restart EnableUnixAuth.
Modifying the Root Account Password:
Ranger manages passwords internally and stores them in its database. Therefore, the changepasswordutil.py script cannot be used to update passwords. Since the user_src value of root in x_portal_user is 1, which indicates an external client, the password will not be modified. You need to perform the following steps to manually modify the database:
1. View the ranger.jpa.jdbc.url configuration in ranger-admin-site.xml. Assume the value is jdbc:mysql://IP:3306/ranger.
2. Connect to MySQL using mysql -h IP -uroot -P3306 -Dranger -p, and enter the cluster password.
3. Assume the new password for the root account is aaa. You need to obtain the md5 value of aaa{root}, that is, the md5 value of password{username}. You can obtain it using the command java -jar /usr/local/service/ranger/ews/lib/crypto-util-*.jar md5 'root' 'aaa' (aaa is the new password).
4. Run the following SQL statement: update x_portal_user set password='md5 value' where login_id='root' limit 1;
5. Restart the EmbeddedServer service of Ranger. If the message "The account is locked" is displayed when you log in to the WebUI, add the configuration ranger.admin.login.autolock.enabled with the value false.

Downloading Keytabs

Keytab downloading is available only for Kerberos clusters. On the user management list page, select the user for whom you want to download a Keytab, then click Download Keytab.

Deleting Users

The console supports single user deletion and batch user deletion. When a user is deleted, the home directory of the user is also deleted by default. To retain the directory, clear the home directory deletion option.
1. Single user deletion: On the user list page, locate the user to be deleted, then click Delete in the right-side operation column. Click Confirm Deletion to complete the deletion.
2. Batch user deletion: Select the users to be deleted in batches, then select Batch Delete from the drop-down menu of More Operations to complete the deletion.
Warning:
Deletion is an irreversible operation. If you want to delete a specific user, please transfer the job and data permissions of the user to other users in advance. If certain jobs and data are only accessible to this user, deleting the user will cause related jobs to become inoperable. Please carefully evaluate the impact of user deletion to avoid business losses.

User Groups

The user group list only displays information about user groups that were added through the User Group Management module. User groups that were not added via the console are not displayed. User groups in an EMR cluster are classified into two types, that is, system user groups and custom user groups.
System user groups: the user groups generated by default during cluster creation. This type of user group does not support deletion.
Custom user groups: the user groups manually created in the User Group Management module. This type of user group supports operations, including editing and deletion.

Adding User Groups

1. Log in to the EMR console, then click the cluster ID/Name in the cluster list to go to the cluster details page.
2. In the left sidebar, click User Management to go to the User Group Management page.
3. Click the highlighted "Add User Group" button, then set the user group information in the pop-up window.
| Field | Required | Description |
| --- | --- | --- |
| User Group Name | Yes | Custom user group name. 1. EMR on CVM edition: The length limit is 1–30 characters. The user group name can only include letters, digits, underscores (_), and hyphens (-). It cannot consist entirely of digits and cannot start with a hyphen (-). 2. EMR on TKE edition: The length limit is 1–30 characters. The user group name can only include letters, digits, hyphens (-), and underscores (_). It cannot consist entirely of digits and cannot start with a hyphen (-) or underscore (_). |
| User | No | Select users to be associated with the current user group. You can search users by username. |
| Remarks | No | Custom remarks. |
Note:
During uniqueness checks for user group names, letters are case-insensitive (for example, AA, aa, aA, and Aa are deemed as the same), and creation of system user groups is not supported.
System users do not support group changes.

Deleting User Groups

The console supports single user group deletion and batch user group deletion. Only user groups without associated users can be deleted.
1. Single user group deletion: On the user group list page, locate the user group to be deleted, then click Delete in the right-side operation column. Click Confirm Deletion to complete the deletion.
2. Batch user group deletion: Select the user groups to be deleted in batches, then select Batch Delete from the drop-down menu of More Operations to complete the deletion.

Editing User Groups

The console supports single user group editing and batch user group editing.
1. Single user group editing: On the user group list page, locate the user in the user group to be edited, then click Edit in the right-side operation column to edit the user and remarks information of the user group.
2. Batch user group editing: Select the users in the user groups to be edited in batches, then select Batch Remarks from the drop-down menu of More Operations to update the remarks information of the user groups in batches.