Created 01-09-2018 04:08 PM
I am trying to configure Ambari to use PAM and would like to assign a specific group to a role during the configuration. I am performing the configuration inline and would like to add the option of adding a specific group to the service operator group while performing inline setup.
My PAM setup command looks like this:
ambari-server setup-pam --pam-config-file /etc/pam.d/login --pam-auto-create-groups true
I have seen in some distributions that I can specify custom group mapping during the PAM configuration, like in this link: https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.ad...
While with HDP 2.6.2 and Ambari 2.5.2, I do not get any option to update the custom group mapping to roles. I added the property pam.group.cluster.admin=abcgroup to ambari.properties but that did not work also as it did show the group mapping in Ambari after restarting the ambari server.
Does anyone know what I am doing wrong and what should I be doing instead?
Created 01-09-2018 05:48 PM
Though Ambari will automatically create groups and assign users to them when authenticating using PAM, Ambari will not automatically assign roles to the imported groups. However, there may be a version of Ambari that is/was maintained by IBM that allows this, as seen from the URL you posted.
In Ambari 3.0.0, we are trying to come up with a solution for this that is secure and works across different authentication sources, for example PAM and LDAP.
Created 01-09-2018 07:12 PM
Thank you for the reply. I was able to accomplish the functionality using 4 steps.
1 - REST call to create the group.
curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '{"Groups/group_name":"1234_group"}' http://localhost:8080/api/v1/groups
2 - SQL command to modify the group type.
su - ambari -c "export PGPASSWORD=bigdata;psql -c \"update ambari.groups set group_type='PAM' where group_name='1234_group';\""
3 - REST call to assign 'Service Operator' role to group.
curl -ivk -u admin:admin -H "X-Requested-By: ambari" -X POST -d '[{"PrivilegeInfo":{"permission_name":"SERVICE.OPERATOR","principal_name":"1234_group","principal_type":"GROUP"}}]' http://localhost:8080/api/v1/clusters/1234_cluster/privileges
4 - Restart Ambari Server
ambari-server restart
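
Added example, not part of the original posts: step 2 above edits the Ambari database directly, so a check that the group ended up with the intended type and only the intended role is a useful follow-up. The sample JSON is constructed and assumes the response shape of `GET /api/v1/groups?fields=Groups/*` and `GET /api/v1/clusters/1234_cluster/privileges?fields=PrivilegeInfo/*`; the function names are hypothetical.

```python
import json

# Constructed sample responses (assumed shape of the two GET calls
# named in the lead-in); fetch the real ones with a non-default admin account.
GROUPS_JSON = '''{"items": [
  {"Groups": {"group_name": "1234_group", "group_type": "PAM"}},
  {"Groups": {"group_name": "other_group", "group_type": "LOCAL"}}
]}'''
PRIVILEGES_JSON = '''{"items": [
  {"PrivilegeInfo": {"permission_name": "CLUSTER.ADMINISTRATOR",
                     "principal_name": "admin", "principal_type": "USER"}},
  {"PrivilegeInfo": {"permission_name": "SERVICE.OPERATOR",
                     "principal_name": "1234_group", "principal_type": "GROUP"}}
]}'''

def group_types(groups_json):
    """Map group_name -> group_type from a groups listing."""
    items = json.loads(groups_json).get("items", [])
    return {g["Groups"]["group_name"]: g["Groups"].get("group_type")
            for g in items if "Groups" in g}

def group_roles(privileges_json):
    """Map group_name -> set of permission_name, ignoring USER principals."""
    roles = {}
    for item in json.loads(privileges_json).get("items", []):
        info = item.get("PrivilegeInfo", {})
        if info.get("principal_type") == "GROUP":
            roles.setdefault(info["principal_name"], set()).add(info["permission_name"])
    return roles

def check_mapping(groups_json, privileges_json, group, want_type, want_role):
    """Return a list of problems; an empty list means the mapping is as intended."""
    problems = []
    types = group_types(groups_json)
    roles = group_roles(privileges_json).get(group, set())
    if group not in types:
        problems.append(f"group {group!r} does not exist")
    elif types[group] != want_type:
        problems.append(f"group {group!r} has type {types[group]!r}, expected {want_type!r}")
    if want_role not in roles:
        problems.append(f"group {group!r} lacks role {want_role!r}")
    extra = roles - {want_role}
    if extra:
        # A group holding more roles than intended is over-privileged.
        problems.append(f"group {group!r} holds extra roles: {sorted(extra)}")
    return problems
```

Calling `check_mapping(GROUPS_JSON, PRIVILEGES_JSON, "1234_group", "PAM", "SERVICE.OPERATOR")` returns an empty list for the constructed data.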