Create an Ambari user of LDAP type via REST API

New Contributor

Dear all,

There is a service aimed to create users in Ambari pretending that these users are LDAP users (i.e. user_type must be 'LDAP' in the Ambari database). The service uses Ambari REST API '/api/v1/users/$USER_NAME' call, which creates a user with user_type='Local' by default. Passing the parameter 'Users/user_type":"LDAP"' has no effect (same reflected in the articles where it is for info purposes only). As a workaround I do a direct update of the database after the user is created:

UPDATE ambari.users SET user_type='LDAP' WHERE user_name=$USER_NAME;

Ambari user management view still shows $USER_NAME as 'Local'. The change in db has no effect until the Ambari server is restarted. The reason is Ambari caches info from database (user cache used in org.apache.ambari.server.controller.internal.UserPrivilegeResourceProvider).
I haven't found any solution to refresh the user cache forcibly, via some API call or anything else.

So, my question is how to propagate this change without Ambari Server restart? How to invalidate or update the user cache?
All ideas are welcome!!!

3 REPLIES

Re: Create an Ambari user of LDAP type via REST API

Super Mentor

@Sergey Serdyukov

Why do you want to add / edit LDAP user by modifying the Ambari DB? Usually when we run the "ambari-server sync-ldap --all" command then it should sync the ambari database users table accordingly and add/remove the users based on the LDAP users data.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.0.0/bk_ambari-security/content/synchronizing_ld...

The query that you are executing is missing a column: "ldap_user=1". If ldap_user is 0, it means it is local.

Example:

UPDATE ambari.users SET ldap_user=1, user_type='LDAP' WHERE user_name='$USER_NAME';

Updating the Ambari DB users table will not be very useful if the LDAP is not set up properly, as the user will not be authenticated properly against LDAP, so the best option is to use "ambari-server sync-ldap".

Re: Create an Ambari user of LDAP type via REST API

New Contributor

@Jay Kumar SenSharma

Thanks for your answer! I missed this parameter, but anyway it is not fixing the problem. "ambari-server sync-ldap" doesn't help too much because the user management system in the project differs from the standardized LDAP/AD, which leads to either errors during the sync or to 0 users/groups updated. Login to Ambari is done via SSO, but synchronization between Ambari users/groups and the user management system's users/groups is still required (e.g., for granting users some permissions according to their groups). Thus, there is a script responsible for syncing users/groups in Ambari and happily across the cluster: HDFS/fs home dirs, keytabs etc. This is a short context. But one problem still remains:

  1. The script creates a new user in Ambari via API, the user has user_type='Local', because setting user_type='LDAP' is not available via API, it is read-only. SSO needs the users to be 'LDAP' type.
  2. The script does the change (thanks for the ldap_user parameter): UPDATE ambari.users SET user_type='LDAP',ldap_user=1 WHERE user_name=$USER_NAME;
  3. This change is not applied immediately, Ambari user management view shows user's type as Local, because Ambari backend caches db entities. I haven't found any solution to trigger a refresh of the cache or something. If the user logs in to Ambari right after the db change, it leads him to the infinite loop of page reloading.
  4. The only solution I found is to restart ambari-server at some point. After restart the user is recognized as 'LDAP' user and SSO works fine.

So, any ideas how to invalidate the cache, reload the user from db without 'ambari-server restart' or how to create a user of LDAP type via API from scratch?

Re: Create an Ambari user of LDAP type via REST API

New Contributor

@Sergey Serdyukov any luck on this? I am in the same situation. The updates to the user table expect an Ambari restart to reflect. Any way to avoid the restart?
