
Automated user home directory creation with Ambari Server as non-root


Hello,

As directed in the guide, I activated the automatic user home directory creation.

Our cluster is Kerberized and Ambari is running as a non-root user, and we correctly set the sudoers content as told in the docs.

The original allowed commands in sudoers file are:

# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab

But when I replace this line with a more permissive one:

ambari ALL=(ALL) NOPASSWD: ALL

The hook works correctly! :)

I searched and didn't find anyone else with this problem...

Ambari server log when it doesn't work, nothing very special:

12 Sep 2017 09:58:25,670  INFO [pool-18-thread-11] UserHookService:107 - Executing user hook for BatchUserHookContext{userGroups={ul-svd-user23=[]}}. 
12 Sep 2017 09:58:25,670  INFO [pool-18-thread-11] UserHookService:123 - Triggering user hook for user: BatchUserHookContext{userGroups={ul-svd-user23=[]}}
12 Sep 2017 09:58:25,670  INFO [pool-3-thread-1] UserHookService:131 - Preparing hook execution for event: UserCreatedEvent{eventType=USER_CREATED}
12 Sep 2017 09:58:25,684 ERROR [ambari-action-scheduler] ActionScheduler:754 - Execution command has no timeout parameter{"clusterName":"exp2","requestId":170,"stageId":-1,"taskId":2408,"commandId":"170--1","hostname":"_internal_ambari","role":"AMBARI_SERVER_ACTION","hostLevelParams":{},"roleParams":{"ACTION_USER_NAME":"ambari","ACTION_NAME":"org.apache.ambari.server.serveraction.users.PostUserCreationHookServerAction"},"roleCommand":"EXECUTE","clusterHostInfo":{},"configurations":{},"configuration_attributes":{},"configurationTags":{},"forceRefreshConfigTagsBeforeExecution":false,"commandParams":{"cmd-hdfs-principal":"hdfs-exp2@DOMAIN.COM","cmd-input-file":"/var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv","cluster-security-type":"KERBEROS","cmd-hdfs-user":"hdfs","cmd-payload":"{\"ul-svd-user23\":[]}","cmd-hdfs-keytab":"/etc/security/keytabs/hdfs.headless.keytab","hook-script":"/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh","cluster-name":"exp2","cluster-id":"2"},"serviceName":"","kerberosCommandParams":[],"localComponents":[],"availableServices":{},"commandType":"EXECUTION_COMMAND"}
12 Sep 2017 09:58:25,691  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:134 - Validating command parameters ...
12 Sep 2017 09:58:25,691  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:161 - Command parameter validation passed.
12 Sep 2017 09:58:25,692  INFO [Server Action Executor Worker 2408] CsvFilePersisterService:108 - Persisting map data to csv file
12 Sep 2017 09:58:25,692  INFO [Server Action Executor Worker 2408] CsvFilePersisterService:84 - Persisting collection to csv file
12 Sep 2017 09:58:25,692  INFO [Server Action Executor Worker 2408] CsvFilePersisterService:88 - Collection successfully persisted to csv file.
12 Sep 2017 09:58:25,693  INFO [Server Action Executor Worker 2408] ShellCommandUtilityWrapper:48 - Running command: /var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh
12 Sep 2017 09:58:25,749  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:104 - Execution of command [ [/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh, /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv, KERBEROS, hdfs-exp2@DOMAIN.COM, /etc/security/keytabs/hdfs.headless.keytab, hdfs] ] - succeeded
12 Sep 2017 09:58:25,749  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:108 - BEGIN - stdout for command [/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh, /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv, KERBEROS, hdfs-exp2@DOMAIN.COM, /etc/security/keytabs/hdfs.headless.keytab, hdfs]
12 Sep 2017 09:58:25,749  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:110 - command output *** : 0
debug: OFF
Executing user hook with parameters: /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv KERBEROS hdfs-exp2@DOMAIN.COM /etc/security/keytabs/hdfs.headless.keytab hdfs
The cluster is secure, calling kinit ...
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-exp2@DOMAIN.COM' ]
Checking for required tools ...
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'type hadoop > /dev/null 2>&1 || { echo >&2 "hadoop client not installed"; exit 1; }' ]
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'hadoop fs -ls / > /dev/null 2>&1 || { echo >&2 "hadoop dfs not available"; exit 1; }' ]
Checking for required tools ... DONE.
Processing post user creation hook payload ...
Generating json file /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv.json ...
Processing user name: ul-svd-user23
Generating file /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv.json ... DONE.
Processing post user creation hook payload ... DONE.
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'yarn jar /var/lib/ambari-server/resources/stacks/HDP/2.0.6/hooks/before-START/files/fast-hdfs-resource.jar /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv.json' ]
debug: OFF


12 Sep 2017 09:58:25,749  INFO [Server Action Executor Worker 2408] PostUserCreationHookServerAction:112 - END - stdout for command [/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh, /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv, KERBEROS, hdfs-exp2@DOMAIN.COM, /etc/security/keytabs/hdfs.headless.keytab, hdfs]


When I try to call it manually as root, it creates the user directory:

# /usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-exp2@DOMAIN.COM
# yarn jar /var/lib/ambari-server/resources/stacks/HDP/2.0.6/hooks/before-START/files/fast-hdfs-resource.jar /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv.json
Using filesystem uri: hdfs://experimentation2              
Creating: Resource [source=null, target=/user/ul-svd-user23, type=directory, action=create, owner=ul-svd-user23, group=hdfs, mode=null, recursiveChown=false, recursiveChmod=false, changePermissionforParents=false, manageIfExists=true]    
All resources created.                                     

# hdfs dfs -ls /user
[...]
drwxr-xr-x   - ul-svd-user23 hdfs          0 2017-09-12 10:36 /user/ul-svd-user23 


When I change the sudoers file to be more permissive for all commands, automatic creation works well and the output is:

12 Sep 2017 10:45:10,235  INFO [Server Action Executor Worker 2409] PostUserCreationHookServerAction:110 - command output *** : 0                                                                                                             
debug: OFF                                                 
Executing user hook with parameters: /var/lib/ambari-server/data/tmp/user_hook_input_1505227502368.csv KERBEROS hdfs-exp2@UL.CA /etc/security/keytabs/hdfs.headless.keytab hdfs                                                               
The cluster is secure, calling kinit ...                   
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-exp2@DOMAIN.COM' ]                                                                     
Checking for required tools ...                            
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'type hadoop > /dev/null 2>&1 || { echo >&2 "hadoop client not installed"; exit 1; }' ]                                                               
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'hadoop fs -ls / > /dev/null 2>&1 || { echo >&2 "hadoop dfs not available"; exit 1; }' ]                                                              
Checking for required tools ... DONE.                      
Processing post user creation hook payload ...             
Generating json file /var/lib/ambari-server/data/tmp/user_hook_input_1505227502368.csv.json ...                        
Processing user name: ul-svd-user24                        
Generating file /var/lib/ambari-server/data/tmp/user_hook_input_1505227502368.csv.json ... DONE.                       
Processing post user creation hook payload ... DONE.       
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'yarn jar /var/lib/ambari-server/resources/stacks/HDP/2.0.6/hooks/before-START/files/fast-hdfs-resource.jar /var/lib/ambari-server/data/tmp/user_hook_input_1505227502368.csv.json' ]
Using filesystem uri: hdfs://experimentation2              
Creating: Resource [source=null, target=/user/ul-svd-user24, type=directory, action=create, owner=ul-svd-user24, group=hdfs, mode=null, recursiveChown=false, recursiveChmod=false, changePermissionforParents=false, manageIfExists=true]    
All resources created.                                     
debug: OFF                                  

I changed the original sudoers file to this, but it does not work either:

ambari-server ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab, /usr/bin/yarn

Any ideas to solve this?

Thanks

Bruno


Re: Automated user home directory creation with Ambari Server as non-root


Resolved that by adding one command to sudoers:

/bin/su hdfs *
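
The following check is an added example, not part of the original thread or of Ambari: it pulls the commands the hook passes to ambari-sudo.sh out of the logged output and tests them against a sudoers command list, showing why adding /usr/bin/yarn changed nothing while /bin/su hdfs * did. It assumes ambari-sudo.sh hands its arguments to sudo, that su resolves to /bin/su, and that fnmatch is a close enough approximation of sudoers wildcard matching; the function names are hypothetical.

```python
import fnmatch
import re
import shlex

# Command list of the original sudoers rule, as quoted in the question.
ORIGINAL = ("/bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, "
            "/bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, "
            "/bin/rm -f /etc/security/keytabs/*.keytab, "
            "/bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab").split(", ")

# Two "Executing command" lines copied from the hook output in the question.
HOOK_OUTPUT = """\
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-exp2@DOMAIN.COM' ]
Executing command: [ /var/lib/ambari-server/ambari-sudo.sh su 'hdfs' -l -s /bin/bash -c 'yarn jar /var/lib/ambari-server/resources/stacks/HDP/2.0.6/hooks/before-START/files/fast-hdfs-resource.jar /var/lib/ambari-server/data/tmp/user_hook_input_1505224705673.csv.json' ]
"""

# Assumption: sudo resolves the bare name "su" to /bin/su on this host.
RESOLVED = {"su": "/bin/su"}

EXEC_RE = re.compile(r"^Executing command: \[ \S*/ambari-sudo\.sh (.+) \][ \t]*$", re.M)


def sudo_argvs(hook_output):
    """Return the argv of every command the hook handed to ambari-sudo.sh."""
    return [shlex.split(m.group(1)) for m in EXEC_RE.finditer(hook_output)]


def is_allowed(argv, specs):
    """Approximate sudoers matching: the path must match, then the joined args."""
    path = RESOLVED.get(argv[0], argv[0])
    args = " ".join(argv[1:])
    for spec in specs:
        spec_path, _, spec_args = spec.partition(" ")
        # A spec without arguments accepts any arguments.
        if fnmatch.fnmatchcase(path, spec_path) and (
                not spec_args or fnmatch.fnmatchcase(args, spec_args)):
            return True
    return False


def blocked(hook_output, specs):
    """Sorted list of resolved binaries the rule would refuse to run."""
    return sorted({RESOLVED.get(a[0], a[0])
                   for a in sudo_argvs(hook_output) if not is_allowed(a, specs)})


if __name__ == "__main__":
    for label, extra in [("original", []), ("+ /usr/bin/yarn", ["/usr/bin/yarn"]),
                         ("+ /bin/su hdfs *", ["/bin/su hdfs *"])]:
        print(f"{label:18} blocked: {blocked(HOOK_OUTPUT, ORIGINAL + extra)}")
```

On a live host, `sudo -l -U ambari` run as root prints the rules sudo actually applies to the account. The rule /bin/su hdfs * accepts any argument string after hdfs, so it lets the ambari account run arbitrary commands as the hdfs user.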