question Manage Ambari user roles in Archives of Support Questions (Read Only)

Manage Ambari user roles

vladislav_falfu — Fri, 24 Mar 2017 16:32:54 GMT

Dear community,

Is it possible to manage user roles not only from Ambari GUI? Blueprints? Some configs?

Re: Manage Ambari user roles

jsensharma — Fri, 24 Mar 2017 16:42:07 GMT

@Vladislav Falfushinsky

Do you want to use Ambari APIs to manage user roles/groups/users.

https://community.hortonworks.com/content/supportkb/49416/managing-ambari-users-and-groups-with-the-rest-api.html

Re: Manage Ambari user roles

vladislav_falfu — Fri, 24 Mar 2017 16:51:44 GMT

Thanks @Jay SenSharma

Ambari API is also ok. Is there a possibility to use Blueprints or ambari-server setup utility for this? Looked both but had not found proper option.

Re: Manage Ambari user roles

jsensharma — Fri, 24 Mar 2017 16:56:20 GMT

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ldap_users_and_groups.html

Re: Manage Ambari user roles

vladislav_falfu — Fri, 24 Mar 2017 17:04:21 GMT

Thanks for answers. Will try to use API. However had not found any possibility to manage cluster roles with that tool.

Re: Manage Ambari user roles

rlevas — Fri, 24 Mar 2017 18:24:42 GMT

To manage user role (aka privileges) through the API, there are several entry point that can be used.

To set an Ambari administrator:

/api/v1/clusters/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "type": "AMBARI",
      "permission_name": "AMBARI.ADMINISTRATOR",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

Change the principal_name (in the payload) value to the relevant username

To set a cluster role:

/api/v1/clusters/:CLUSTER_NAME/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "PERMISSION_NAME",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

Change :CLUSTER_NAME (in the URL) to the relevant cluster's name
Change the permission_name (in the payload) value to the relevant permission name
- CLUSTER.ADMINISTRATOR
- CLUSTER.OPERATOR
- SERVICE.ADMINISTRATOR
- SERVICE.OPERATOR
- CLUSTER.USER
Change the principal_name (in the payload) value to the relevant username

To give access to a view:

/api/v1/views/:VIEW_TYPE/versions/:VIEW_VERSION/instances/:VIEW_INSTANCE/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "VIEW.USER",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

Change :VIEW_TYPE (in the URL) to the relevant view type (i.e., FILES)
Change :VIEW_VERSION (in the URL) to the relevant view type's version (i.e., 1.0.0)
Change :VIEW_INSTANCE (in the URL) to the relevant view type's version instance (i.e., MyFilesView)
Change the principal_name (in the payload) value to the relevant username

Re: Manage Ambari user roles

vladislav_falfu — Fri, 24 Mar 2017 19:00:12 GMT

That I was looking into. May thanks!!!!

According to the above reply:

1) To delete privileges:

curl -H "X-Requested-By: ambari" -X DELETE -u admin:admin "https://yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/1"

2) To add:

curl -H "X-Requested-By: ambari" -X POST --data-binary "@your_privileges_file.json" -u admin:admin "https:///yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/"

Privilege example:

{
"PrivilegeInfo" : {
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "your-group",
    "principal_type" : "GROUP"
  }
}