https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94189#M57618 <P>We are running into an impersonation error while trying to access Ambari Views.</P><P>500 User root is not allowed to impersonate admin or ldap user</P><P>Here’s the background:</P><P>HDP 2.3 installed via Ambari 2.1.</P><UL> <LI>Ambari setup to authenticate against LDAP</LI><LI>Files view setup according to docs.hortonworks.com</LI><LI>LDAP user is granted permission to Files view in Ambari</LI><LI>LDAP user logs into Ambari and sees the View listed.</LI><LI>LDAP user clicks on the view and receives the error.</LI><LI>Ensured that Ambari is running as root.</LI></UL><P>I have successfully achieved this functionality locally on a virtual box cluster using HDP 2.2. In my setup, I do not find it necessary to create OS or HDFS users to use the views.</P><P>I did check the ambari-server logs, but there was only an error indicating the server 500 error. Nothing regarding an ldap or permissions error. </P><P>Any ideas or guidance on how to solve this is much appreciated.</P> Thu, 24 Sep 2015 03:22:53 GMT MCarter 2015-09-24T03:22:53Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94189#M57618 <P>We are running into an impersonation error while trying to access Ambari Views.</P><P>500 User root is not allowed to impersonate admin or ldap user</P><P>Here’s the background:</P><P>HDP 2.3 installed via Ambari 2.1.</P><UL> <LI>Ambari setup to authenticate against LDAP</LI><LI>Files view setup according to docs.hortonworks.com</LI><LI>LDAP user is granted permission to Files view in Ambari</LI><LI>LDAP user logs into Ambari and sees the View listed.</LI><LI>LDAP user clicks on the view and receives the error.</LI><LI>Ensured that Ambari is running as root.</LI></UL><P>I have successfully achieved this functionality locally on a virtual box cluster using HDP 2.2. In my setup, I do not find it necessary to create OS or HDFS users to use the views.</P><P>I did check the ambari-server logs, but there was only an error indicating the server 500 error. Nothing regarding an ldap or permissions error. </P><P>Any ideas or guidance on how to solve this is much appreciated.</P> Thu, 24 Sep 2015 03:22:53 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94189#M57618 MCarter 2015-09-24T03:22:53Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94190#M57619 <P>You need to create the proxy settings for 'root', since Ambari runs as root. This allows it to impersonate the user in hdfs. </P><P>hadoop.proxyuser.root.groups=*</P><P>hadoop.proxyuser.root.hosts=*</P><P>You'll also need to create the 'admin' user home directory in hdfs for Admin, if you haven't already done that. Since you're signed into Ambari as Admin, your jobs will be submitted/passed through as that user.</P> Thu, 24 Sep 2015 03:23:14 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94190#M57619 gvetticaden1 2015-09-24T03:23:14Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94191#M57620 <P>Please note that one should never use * for these settings.</P><P>hosts= should be set to that of the Ambari Server groups= should only be the groups which Ambari (running as root) is allowed to impersonate.</P> Fri, 02 Oct 2015 23:32:13 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94191#M57620 sroberts 2015-10-02T23:32:13Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94192#M57621 <P>Make sure you're following the configuration steps outlined in this doc to set the appropriate stack settings as <A rel="user" href="https://community.cloudera.com/users/11/gvetticaden.html" nodeid="11">@gvetticaden@hortonworks.com</A> and <A rel="user" href="https://community.cloudera.com/users/175/dstreever.html" nodeid="175">@dstreever@hortonworks.com</A> recommended, and tune Ambari Server appropriately.</P><P><A href="http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_ambari_views_guide/content/ch_using_ambari_views.html">http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_ambari_views_guide/content/ch_using_ambari_views.html</A></P> Fri, 02 Oct 2015 23:43:35 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94192#M57621 pcodding 2015-10-02T23:43:35Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94193#M57622 <P><STRONG>Impersonation</STRONG> is a key concept throughout the Hadoop ecosystem.</P><P>Impersonation grants a user (also known as a SuperUser or ProxyUser) right to access Hadoop user is granted on behalf of other users. <EM>It's similar to the idea of 'sudo' within Linux.</EM></P><P>To enable it you set the 'proxyuser' setting based on the user the service is running as, the groups or users you want it to be able to act on behalf of, and the hosts it should be able to do that from.</P><P>For example, for Ambari Views with:</P><UL> <LI>Ambari running as the user 'root' (which is the default)</LI><LI>Wanting to allow Ambari to act on behalf of users in the groups 'users', 'hive-users'<EM> (just an example as you may have similar groups in LDAP)</EM></LI><LI>Ambari hostname of 'ambarihost.domain.local'</LI></UL><P>You would set this in 'HDFS -&gt; core-site' from Ambari:</P><PRE>hadoop.proxyuser.root.groups=users,hive-users hadoop.proxyuser.root.hosts=ambarihost.domain.local</PRE><P>More detail is available in the documentation:</P><UL> <LI><A href="https://hadoop.apache.org/docs/r2.7.0/hadoop-project-dist/hadoop-common/Superusers.html">Apache Hadoop: Proxy user - Superusers Acting On Behalf Of Other Users</A></LI><LI><A href="https://oozie.apache.org/docs/4.2.0/AG_Install.html#User_ProxyUser_Configuration">Apache Oozie: User ProxyUser Configuration</A> </LI><LI>Apache YARN: yarn-site <UL> <LI>yarn.resourcemanager.webapp.proxyuser.USERNAME.groups</LI><LI>yarn.resourcemanager.webapp.proxyuser.USERNAME.hosts</LI></UL></LI></UL> Fri, 02 Oct 2015 23:47:56 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94193#M57622 sroberts 2015-10-02T23:47:56Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94194#M57623 <P><A rel="user" href="https://community.cloudera.com/users/12/mcarter.html" nodeid="12">@Matt Carter</A> just a bump to confirm if one of these answers worked, or reply to them for clarification.</P> Fri, 09 Oct 2015 16:24:50 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94194#M57623 sroberts 2015-10-09T16:24:50Z https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94195#M57624 <P><A rel="user" href="https://community.cloudera.com/users/150/sroberts.html" nodeid="150">@Sean Roberts</A></P><P>Want to understand the impersonation configuration better. The problem is that it is not clear what is impersonating what. For example, when trying to access the Hive view as an admin user failed with "User: hive is not allowed to impersonate user admin". So, by extension, it would seem logical that we introduce another proxy variables hadoop.proxyuser.hive.groups &amp; hosts, but what is the group that the hive user needs? Is that information available in the stack trace?</P><P>Is there a diagram of the view services that maps out the impersonation and user attributes in play?</P> Sun, 10 Jan 2016 05:11:41 GMT https://community.cloudera.com/t5/Support-Questions/Impersonation-Error-while-trying-to-access-Ambari-Views/m-p/94195#M57624 theo 2016-01-10T05:11:41Z