AMBARI-9377. hdfs superuser (usually user 'hdfs') should be in group dfs.cluster.administrators (aonishuk)

ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/configuration/hdfs-site.xml

@@ -326,7 +326,8 @@
 
   <property>
     <name>dfs.cluster.administrators</name>
-    <value> hdfs</value>
+    <value>hdfs</value>
+    <property-type>GROUP</property-type>
     <description>ACL for who all can view the default servlets in the HDFS</description>
   </property>
 

ambari-server/src/main/resources/stacks/HDP/2.0.6/hooks/before-ANY/scripts/params.py

@@ -152,6 +152,7 @@ has_oozie_server = not len(oozie_servers) == 0
 hbase_tmp_dir = config['configurations']['hbase-site']['hbase.tmp.dir']
 
 proxyuser_group = default("/configurations/hadoop-env/proxyuser_group","users")
+dfs_cluster_administrators_group = config['configurations']['hdfs-site']["dfs.cluster.administrators"]
 
 ignore_groupsusers_create = default("/configurations/cluster-env/ignore_groupsusers_create", False)
 
@@ -171,6 +172,8 @@ if has_tez:
   user_to_groups_dict[tez_user] = [proxyuser_group]
 if has_oozie_server:
   user_to_groups_dict[oozie_user] = [proxyuser_group]
+if has_namenode:
+  user_to_groups_dict[hdfs_user] = [dfs_cluster_administrators_group]
 
 user_to_gid_dict = collections.defaultdict(lambda:user_group)
 

ambari-server/src/test/python/stacks/2.0.6/hooks/before-ANY/test_before_any.py

@@ -73,7 +73,7 @@ class TestHookBeforeInstall(RMFTestCase):
     self.assertResourceCalled('User', 'hdfs',
         gid = 'hadoop',
         ignore_failures = False,
-        groups = [u'hadoop'],
+        groups = [u' hdfs'],
     )
     self.assertResourceCalled('User', 'storm',
         gid = 'hadoop',