Created 09-20-2017 11:01 AM
I installed HDP using Ambari as root user. Due to security I want to change it. As I read, there is no problem with running Ambari Agent as non-root user (How to Configure an Ambari Agent for Non-Root). But what about Ambari Server?
During the Ambari Server setup process, when prompted to "Customize user account for ambari-server daemon?", I chose n.
Is there any way to change user for Ambari Server? Or do I have to setup Ambari Server one more time?
Created 09-20-2017 11:16 AM
You can run the ambari-server setup command again and then choose the following option as "yes":
For "Customize user account for ambari-server daemon?", choose y.
The only thing we need to remember is that the non-root functionality relies on sudo to run specific commands that require elevated privileges, as defined in the Sudoer Configuration - Ambari Server.
Created 09-20-2017 11:23 AM
As said by Jay, just choose y, and Ambari will change the file permissions in the background to the newly chosen user above, who will also be the owner of all the Ambari-related processes.
- Make sure you revalidate your hadoop.proxyuser in Custom core-site for ambari and also for the Ambari views!
Created 09-20-2017 12:44 PM
I added those two lines to custom core-site:
hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*
Do you know if I have to delete the parameters for the root user from custom core-site? I mean those two lines:
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
Created 09-20-2017 01:02 PM
You will need to replace "root" with the "ambari" user. If you are planning to use Views, then those proxy users are used. Ambari Views will run the queries/jobs using proxyusers, so the proxyuser properties need to be set to the user who is running the Ambari Server process (in your case it is the 'ambari' user). (In the case of a Kerberized environment, those proxy usernames will need to be replaced with the Kerberos principal name of Ambari Server.)
hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*
Keeping the following properties will do no harm, though. But there is no use for the properties below then, because once you start running Ambari Server as user "ambari", the following properties will not be used at all. So you can delete them or keep them.
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
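An added example, not part of the thread or of Ambari itself: a small Python check that reads a core-site.xml and reports whether both proxyuser properties exist for the account running Ambari Server, which entries use the * wildcard, and which other users still have entries. The XML sample and the function names proxyusers and audit are constructed for illustration, and it assumes the standard Hadoop property/name/value file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Hadoop core-site.xml; not taken from the thread.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.com:8020</value></property>
  <property><name>hadoop.proxyuser.ambari.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.ambari.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>*</value></property>
</configuration>"""

PREFIX = "hadoop.proxyuser."


def proxyusers(xml_text):
    """Return {user: {"groups": value, "hosts": value}} for every proxyuser property."""
    found = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # A user name may itself contain dots, so split the suffix off from the right.
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("groups", "hosts"):  # the two kinds used in the thread
            found.setdefault(user, {})[kind] = (prop.findtext("value") or "").strip()
    return found


def audit(xml_text, server_user):
    """Report what is missing for server_user and what remains for other users."""
    entries = proxyusers(xml_text)
    mine = entries.get(server_user, {})
    return {
        "missing": [k for k in ("groups", "hosts") if k not in mine],
        "wildcards": sorted(f"{PREFIX}{u}.{k}" for u, kv in entries.items()
                            for k, v in kv.items() if v == "*"),
        "other_users": sorted(u for u in entries if u != server_user),
    }


if __name__ == "__main__":
    # "ambari" is the account name chosen in the thread.
    for key, value in audit(SAMPLE_CORE_SITE, "ambari").items():
        print(f"{key}: {value}")
```

Run it against the core-site.xml that Ambari pushes to the cluster hosts by passing the file contents to audit together with the account name given during ambari-server setup.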
Created 09-20-2017 02:11 PM
Thanks for the answer. I replaced root with ambari and everything is fine.
Can you tell me one more thing? What about the sudo configuration? Is it necessary to change it? I ask because I started ambari-server and it works well. There is one error in the logs:
Unable to check firewall status when starting without root privileges.
Please do not forget to disable or adjust firewall if needed
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..../bin/sh: line 0: ulimit: open files: cannot modify limit: Operation not permitted
Created 09-20-2017 07:39 PM
Here is the official documentation that can guide you
Created 09-20-2017 08:43 PM
Yes, you can, because no process is being run as root anymore, and besides, Ambari saves whatever config you change, so you are safe!
Created 09-21-2017 02:07 AM
Yes, as shared in the link earlier: https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudoer_configura...
The above link talks about the details of setting up the sudoer and the reason why. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/commands_server....
The ambari user must be able to execute commands like the following to perform standard server operations:
# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l.
"Sudo Defaults - Ambari Server" https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudo_defaults_se...