@Mateusz Grabowski

You can run the ambari-server setup command again. and then choose following option as "yes"

Customize user account for ambari-server daemon?, choose y. 

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/how_to_configure...

Only thing we need to remember that , the non-root functionality relies on sudo to run specific commands that require elevated privileges as defined in the Sudoer Configuration - Ambari Server

@Mateusz Grabowski

As said by Jay just choose y and ambari in the background will change the files permissions to the newly chosen user above who will also be the owner of all the ambari related process

- Make sure you revalidate your hadoop.proxyuser in Custom core-site for ambari and also for the Ambari views!

@Geoffrey Shelton Okot

I added those two lines to custom core-site

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=* 

Do you know if I have to delete parameters for root users from custum core-site? I mean those two lines:

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=* 

@Mateusz Grabowski

You will need to replace "root" with "ambari" user. If you are planning to use Views then those proxy users are used. Ambari Views will run the queries/jobs using proxyusers so the proxyuser property need to be set to the user who is running the ambari server process (in your case it is 'ambari' user). (In case of Kerberied environment those proxy username will need to be replaced with the Kerberos Principal name of Ambari Server)

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=* 

.

keeping the following property will be of no harm though. But there is no use for the below properties then. Because once you start running ambari server as user "ambari" then the following properties will not at all be used. So you can delete them or keep it.

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=* 

.

Thanks for the answer. I replaced root with ambari and everything is fine.

Can you tell me one more thing? What abou sudo configuration? Is it necessary to change it? Because I started ambari-server and it works good. There is one error in logs:

Unable to check firewall status when starting without root privileges.
Please do not forget to disable or adjust firewall if needed
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..../bin/sh: line 0: ulimit: open files: cannot modify limit: Operation not permitted

@Mateusz Grabowski

Here is the official documentation that can guide you

@Mateusz Grabowski

Yes you can because no process is being run as root anymore, and besides Ambari saves whatever config you change so you are safe !

@Mateusz Grabowski

Yes, as shared in the link earlier : https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudoer_configura...

Above link talks about details of setting up the sudoer and the reason why. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/commands_server....

The ambari user must be able to execute the commands like following to perform standard server operations:

# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab

.

"Sudo Defaults - Ambari Server" https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudo_defaults_se...

.