Ambari Pam Setup assign custom groups missing


I am trying to configure Ambari to use PAM and would like to assign a specific group to a role during the configuration. I am performing the configuration inline and would like to add the option of adding a specific group to the service operator group while performing inline setup.

My PAM setup command looks like this:

ambari-server setup-pam --pam-config-file /etc/pam.d/login --pam-auto-create-groups true 

I have seen in some distributions that I can specify custom group mapping during the PAM configuration, like in this link:

While with HDP 2.6.2 and Ambari 2.5.2, I do not get any option to update the custom group mapping to roles. I added the property to but that did not work either as it did show the group mapping in Ambari after restarting the Ambari server.

Does anyone know what I am doing wrong and what should I be doing instead?


@Theyaa Matti

Though Ambari will automatically create groups and assign users to them when authenticating using PAM, Ambari will not automatically assign roles to the imported groups. However, there may be a version of Ambari that is/was maintained by IBM that allows this - as seen from the URL you posted.

In Ambari 3.0.0, we are trying to come up with a solution for this that is secure and works across different authentication sources. For example PAM and LDAP.


@Robert Levas

Thank you for the reply. I was able to accomplish the functionality using 4 steps.

1 - REST call to create the group.

curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '{"Groups/group_name":"1234_group"}' http://localhost:8080/api/v1/groups

2 - SQL command to modify the group type.

su - ambari -c "export PGPASSWORD=bigdata;psql -c \"update ambari.groups set group_type='PAM' where group_name='1234_group';\""

3 - REST call to assign 'Service Operator' role to group.

curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '[{"PrivilegeInfo":{"permission_name":"SERVICE.OPERATOR","principal_name":"1234_group","principal_type":"GROUP"}}]' http://localhost:8080/api/v1/clusters/1234_cluster/privileges

4 - Restart Ambari Server

ambari-server restart
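
The four steps above as one script, as an added example that is not part of the original post: it validates the group and cluster names before splicing them into JSON and SQL, and hands the Ambari password to curl on stdin instead of on the command line. The function names, the name allowlist, the AMBARI_* variables and the reliance on a ~/.pgpass file for the ambari OS user are assumptions.

```bash
#!/usr/bin/env bash
# Added example: steps 1-4 from the post with input validation and no password on argv.
# AMBARI_URL, AMBARI_USER, the name pattern and the function names are assumptions.
AMBARI_URL="${AMBARI_URL:-http://localhost:8080}"

# Allowlist check: the name is spliced into JSON and into an SQL literal below,
# so anything outside [A-Za-z0-9_.-] (quotes, spaces, semicolons) is rejected.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

group_payload() {
  valid_name "$1" || return 1
  printf '{"Groups/group_name":"%s"}' "$1"
}

privilege_payload() {   # $1 = group, $2 = permission name, e.g. SERVICE.OPERATOR
  valid_name "$1" && valid_name "$2" || return 1
  printf '[{"PrivilegeInfo":{"permission_name":"%s","principal_name":"%s","principal_type":"GROUP"}}]' "$2" "$1"
}

group_type_sql() {
  valid_name "$1" || return 1
  printf "update ambari.groups set group_type='PAM' where group_name='%s';" "$1"
}

# curl reads 'user = "..."' from stdin via --config -, keeping the password out of ps output.
ambari_post() {   # $1 = API path, $2 = JSON body
  printf 'user = "%s:%s"\n' "$AMBARI_USER" "$AMBARI_PASS" |
    curl --config - -sS -f -H 'X-Requested-By: ambari' -X POST -d "$2" "$AMBARI_URL$1"
}

# Usage: <script> apply <group> <cluster>
if [ "${1:-}" = "apply" ]; then
  set -eu
  group="$2"; cluster="$3"
  valid_name "$cluster" || { echo "bad cluster name" >&2; exit 1; }
  body=$(group_payload "$group") || { echo "bad group name" >&2; exit 1; }
  AMBARI_USER="${AMBARI_USER:-admin}"
  read -r -s -p "Password for $AMBARI_USER: " AMBARI_PASS; echo >&2
  ambari_post /api/v1/groups "$body"
  su - ambari -c "psql -c \"$(group_type_sql "$group")\""   # assumes ~ambari/.pgpass
  ambari_post "/api/v1/clusters/$cluster/privileges" "$(privilege_payload "$group" SERVICE.OPERATOR)"
  ambari-server restart
fi
```

A password containing a double quote or backslash would need escaping in the curl config line, and the default URL is plain HTTP as in the post, so set AMBARI_URL to an HTTPS endpoint where one is configured.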