Created 09-23-2015 08:22 PM
We are running into an impersonation error while trying to access Ambari Views.
500 User root is not allowed to impersonate admin or ldap user
Here’s the background:
HDP 2.3 installed via Ambari 2.1.
I have successfully achieved this functionality locally on a virtual box cluster using HDP 2.2. In my setup, I do not find it necessary to create OS or HDFS users to use the views.
I did check the ambari-server logs, but there was only an error indicating the server 500 error. Nothing regarding an ldap or permissions error.
Any ideas or guidance on how to solve this is much appreciated.
Created 10-02-2015 04:43 PM
Make sure you're following the configuration steps outlined in this doc to set the appropriate stack settings as @gvetticaden@hortonworks.com and @dstreever@hortonworks.com recommended, and tune Ambari Server appropriately.
Created 09-23-2015 08:23 PM
You need to create the proxy settings for 'root', since Ambari runs as root. This allows it to impersonate the user in hdfs.
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
You'll also need to create the 'admin' user home directory in hdfs for Admin, if you haven't already done that. Since you're signed into Ambari as Admin, your jobs will be submitted/passed through as that user.
Created 10-02-2015 04:32 PM
Please note that one should never use * for these settings.
hosts= should be set to that of the Ambari Server.
groups= should only be the groups which Ambari (running as root) is allowed to impersonate.
Created 10-02-2015 04:47 PM
Impersonation is a key concept throughout the Hadoop ecosystem.
Impersonation grants a user (also known as a SuperUser or ProxyUser) the right to access Hadoop on behalf of other users. It's similar to the idea of 'sudo' within Linux.
To enable it you set the 'proxyuser' setting based on the user the service is running as, the groups or users you want it to be able to act on behalf of, and the hosts it should be able to do that from.
For example, for Ambari Views with:
You would set this in 'HDFS -> core-site' from Ambari:
hadoop.proxyuser.root.groups=users,hive-users
hadoop.proxyuser.root.hosts=ambarihost.domain.local
More detail is available in the documentation:
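
As an added example (not part of the original thread or of the documentation it links to), this Python script audits a core-site.xml for the proxyuser settings discussed in the answers above and flags wildcard or incomplete rules. The function names and the two sample fragments are constructed for illustration from the values quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragments using the values quoted in this thread.
WILDCARD_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.root.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>*</value></property>
</configuration>"""
SCOPED_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.root.groups</name><value>users,hive-users</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>ambarihost.domain.local</value></property>
</configuration>"""

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.(?P<user>.+)\.(?P<kind>hosts|groups|users)$")


def load_proxyusers(xml_text):
    """Return {service_user: {kind: [values]}} for every proxyuser property."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        match = PROXY_KEY.match((prop.findtext("name") or "").strip())
        if not match:
            continue  # unrelated property
        raw = prop.findtext("value") or ""
        values = [v.strip() for v in raw.split(",") if v.strip()]
        rules.setdefault(match["user"], {})[match["kind"]] = values
    return rules


def audit(xml_text):
    """Return sorted (service_user, setting, problem) findings for review."""
    findings = []
    for user, kinds in load_proxyusers(xml_text).items():
        for kind, values in kinds.items():
            if "*" in values:
                findings.append((user, kind, "wildcard"))
            elif not values:
                findings.append((user, kind, "empty"))
        # A rule needs both a host scope and a group/user scope to be reviewable.
        if "hosts" not in kinds:
            findings.append((user, "hosts", "missing"))
        if "groups" not in kinds and "users" not in kinds:
            findings.append((user, "groups/users", "missing"))
    return sorted(findings)


if __name__ == "__main__":
    for label, xml_text in (("wildcard", WILDCARD_CORE_SITE), ("scoped", SCOPED_CORE_SITE)):
        print(label, audit(xml_text) or "no findings")
```
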
Created 10-09-2015 09:24 AM
@Matt Carter just a bump to confirm if one of these answers worked, or reply to them for clarification.
Created 01-09-2016 09:11 PM
Want to understand the impersonation configuration better. The problem is that it is not clear what is impersonating what. For example, trying to access the Hive view as an admin user failed with "User: hive is not allowed to impersonate user admin". So, by extension, it would seem logical that we introduce additional proxy variables, hadoop.proxyuser.hive.groups & hosts, but what is the group that the hive user needs? Is that information available in the stack trace?
Is there a diagram of the view services that maps out the impersonation and user attributes in play?