Support Questions
Find answers, ask questions, and share your expertise
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ambari-agent as non-root tries to execute /bin/su root -l -s


Ambari-agent as non-root tries to execute /bin/su root -l -s

New Contributor


I've installed ambari as non-root (ambari After kerberizing the cluster, when I start the datanode it gives me the following error:

Sorry, user ambari is not allowed to execute '/bin/su root -l -s /bin/bash -c export  PATH='/usr/sbin:/sbin:/usr/lib/ambari-server/*:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/java/jdk1.8.0_161/bin:/usr/java/jdk1.8.0_161/jre/bin:/home/ambari/.local/bin:/home/ambari/bin:/var/lib/ambari-agent' ; find /var/log/hadoop/hdfs -maxdepth 1 -type f -name '*' -exec echo '==> {} <==' \; -exec tail -n 40 {} \;' as root on worker2.

I think this is a very strange behavior since I only get it to work if I give the 'ambari' user that runs the ambari-agent on that node permitions to execute /bin/su root * whitout a password, which is exactly why we don't use root with ambari.

Update: I tried to re-install the cluster using other VMs with slightly different network configurations (e.g., without a DNS, manually configured /etc/hosts, and hostnames) and I was not able to replicate this problem. Therefore, if anyone ever encounters this issue again, you probably made some mistakes in your network configuration prior to installing HDP. This is only a theory, because I'm still going to try the installation again on our development cluster.

Best regards,

Carlos Costa


Re: Ambari-agent as non-root tries to execute /bin/su root -l -s

New Contributor

After a few further experiments if I add the command/bin/su root -l -s /bin/bash -c export * to the sudoers file it works. The entire command gives me some sintax problems in the suders file, so I replaced the parameters of the export command with *. other combinations did not work for me as well. Probably with some further adjustments you can pass the entire command, but I don't think that would be usefull to automate future installations, since it explicitely writes the java_home location, for example. However, I'm not entirely sure that it is secure to do this.

Re: Ambari-agent as non-root tries to execute /bin/su root -l -s

Super Mentor

@Carlos Costa

If you are running Ambari Agents as non root user then there are set of commands that it needs to execute which we need to carefully setup correctly as described in the following links:

1. Customizable Users - Ambari Agents (Specially the "su" commands):

2. Agent Command :

3. Sudoer Defaults :


Re: Ambari-agent as non-root tries to execute /bin/su root -l -s

New Contributor

Thank you @Jay Kumar SenSharma. I took care of that configurations. I’ve been developing an ansible playbook to automate the installation of a simple and secure Hadoop cluster and running ambari server and agents as non root was on my roadmap. I’ve been following the Hortonworks documentation rigorously :) However, after kerberizing the cluster the data nodes presented the behavior discussed above, being the solution the addition of that instruction to the sudoers file. I’m thinking that maybe there’s something missing from either the ambari project in version, the HDP documentation, or, of course me, but as I said this only started happening after kerberizing the cluster. The cluster was running for almost 5 days without a problem in a non-kerberizad environment, with ambari-server and ambari-agents as non root.

Don't have an account?
Coming from Hortonworks? Activate your account here