
Ambari Pam Setup assign custom groups missing


I am trying to configure Ambari to use PAM and would like to assign a specific group to a role during the configuration. I am performing the configuration inline and would like to add the option of adding a specific group to the service operator group while performing inline setup.

My PAM setup command looks like this:

ambari-server setup-pam --pam-config-file /etc/pam.d/login --pam-auto-create-groups true 

I have seen in some distributions that I can specify custom group mapping during the PAM configuration, like in this link: https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.ad...

With HDP 2.6.2 and Ambari 2.5.2, however, I do not get any option to update the custom group mapping to roles. I added the property pam.group.cluster.admin=abcgroup to ambari.properties, but that did not work either, as it did show the group mapping in Ambari after restarting the Ambari server.

Does anyone know what I am doing wrong and what should I be doing instead?


Re: Ambari Pam Setup assign custom groups missing

@Theyaa Matti

Though Ambari will automatically create groups and assign users to them when authenticating using PAM, Ambari will not automatically assign roles to the imported groups. However, there may be a version of Ambari that is/was maintained by IBM that allows this - as seen from the URL you posted.

In Ambari 3.0.0, we are trying to come up with a solution for this that is secure and works across different authentication sources, for example PAM and LDAP.


Re: Ambari Pam Setup assign custom groups missing


@Robert Levas

Thank you for the reply. I was able to accomplish the functionality using 4 steps.

1 - REST call to create the group.

curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '{"Groups/group_name":"1234_group"}' http://localhost:8080/api/v1/groups

2 - SQL command to modify the group type.

su - ambari -c "export PGPASSWORD=bigdata;psql -c \"update ambari.groups set group_type='PAM' where group_name='1234_group';\""

3 - REST call to assign 'Service Operator' role to group.

curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '[{"PrivilegeInfo":{"permission_name":"SERVICE.OPERATOR","principal_name":"1234_group","principal_type":"GROUP"}}]' http://localhost:8080/api/v1/clusters/1234_cluster/privileges

4 - Restart Ambari Server

ambari-server restart
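
The four steps above as one script, added here as an example and not part of the original reply: it checks the group, cluster and permission names against an allow-list before they reach the JSON body, the URL or the SQL statement, reads the Ambari login from a netrc file instead of passing `-u admin:admin`, and binds the group name as a psql variable. `AMBARI_URL`, `AMBARI_NETRC`, `DRY_RUN` and all function names are assumptions; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: AMBARI_URL,
# AMBARI_NETRC, DRY_RUN and every function defined below.
AMBARI_URL="${AMBARI_URL:-http://localhost:8080}"
AMBARI_NETRC="${AMBARI_NETRC:-$HOME/.netrc}"   # holds the Ambari admin login
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands only

# Accept only letters, digits, '_', '-' and '.', so a name cannot break
# out of the JSON body, the SQL literal or the URL path.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

group_payload() { printf '{"Groups/group_name":"%s"}' "$1"; }

privilege_payload() {  # $1 = group, $2 = permission name
  printf '[{"PrivilegeInfo":{"permission_name":"%s","principal_name":"%s","principal_type":"GROUP"}}]' "$2" "$1"
}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

api_post() {  # $1 = API path, $2 = JSON body
  run curl -sS --fail --netrc-file "$AMBARI_NETRC" \
    -H "X-Requested-By: ambari" -X POST -d "$2" "$AMBARI_URL/api/v1/$1"
}

set_group_type_pam() {  # $1 = group name, bound as a psql variable
  # Run as the ambari OS user; psql reads the password from ~/.pgpass,
  # so it is not exported in PGPASSWORD. :'grp' is quoted by psql itself.
  printf "update ambari.groups set group_type='PAM' where group_name=:'grp';\n" |
    run psql -v ON_ERROR_STOP=1 -v "grp=$1"
}

assign_role() {  # $1 = group, $2 = cluster, $3 = permission name
  valid_name "$1" && valid_name "$2" && valid_name "$3" || {
    echo "rejected: invalid group, cluster or permission name" >&2; return 2; }
  api_post groups "$(group_payload "$1")" &&
  set_group_type_pam "$1" &&
  api_post "clusters/$2/privileges" "$(privilege_payload "$1" "$3")" &&
  run ambari-server restart
}
# Usage: DRY_RUN=0 assign_role 1234_group 1234_cluster SERVICE.OPERATOR
```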