Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search

Is there any way to change ambari-server user after installation

Labels:
grabowski14
Rising Star

Created ‎09-20-2017 11:01 AM

I installed HDP using Ambari as root user. Due to security I want to change it. As I read, there is no problem with running Ambari Agent as non-root user (How to Configure an Ambari Agent for Non-Root). But what about Ambari Server?

During the Ambari Server setup process, when prompted to Customize user account for ambari-server daemon?, I chose n.

Is there any way to change user for Ambari Server? Or do I have to setup Ambari Server one more time?

Reply
2,443 Views
0 Kudos
8 REPLIES 8

jsensharma
Super Mentor

Created ‎09-20-2017 11:16 AM

@Mateusz Grabowski

You can run the ambari-server setup command again. and then choose following option as "yes"

Customize user account for ambari-server daemon?, choose y.

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/how_to_configure...

Only thing we need to remember that , the non-root functionality relies on sudo to run specific commands that require elevated privileges as defined in the Sudoer Configuration - Ambari Server

Reply
1,541 Views

Shelton
Mentor

Created ‎09-20-2017 11:23 AM

@Mateusz Grabowski

As said by Jay just choose y and ambari in the background will change the files permissions to the newly chosen user above who will also be the owner of all the ambari related process

- Make sure you revalidate your hadoop.proxyuser in Custom core-site for ambari and also for the Ambari views!

Reply
1,541 Views

grabowski14
Rising Star

Created ‎09-20-2017 12:44 PM

@Geoffrey Shelton Okot

I added those two lines to custom core-site

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*

Do you know if I have to delete parameters for root users from custum core-site? I mean those two lines:

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
Reply
1,541 Views
0 Kudos

jsensharma
Super Mentor

Created ‎09-20-2017 01:02 PM

@Mateusz Grabowski

You will need to replace "root" with "ambari" user. If you are planning to use Views then those proxy users are used. Ambari Views will run the queries/jobs using proxyusers so the proxyuser property need to be set to the user who is running the ambari server process (in your case it is 'ambari' user). (In case of Kerberied environment those proxy username will need to be replaced with the Kerberos Principal name of Ambari Server)

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*

.

keeping the following property will be of no harm though. But there is no use for the below properties then. Because once you start running ambari server as user "ambari" then the following properties will not at all be used. So you can delete them or keep it.

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

.

Reply
1,541 Views

grabowski14
Rising Star

Created ‎09-20-2017 02:11 PM

Thanks for the answer. I replaced root with ambari and everything is fine.

Can you tell me one more thing? What abou sudo configuration? Is it necessary to change it? Because I started ambari-server and it works good. There is one error in logs:

Unable to check firewall status when starting without root privileges.
Please do not forget to disable or adjust firewall if needed
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..../bin/sh: line 0: ulimit: open files: cannot modify limit: Operation not permitted
Reply
1,541 Views
0 Kudos

Shelton
Mentor

Created ‎09-20-2017 07:39 PM

@Mateusz Grabowski

Here is the official documentation that can guide you

Reply
1,541 Views

Shelton
Mentor

Created ‎09-20-2017 08:43 PM

@Mateusz Grabowski

Yes you can because no process is being run as root anymore, and besides Ambari saves whatever config you change so you are safe !

Reply
1,541 Views
0 Kudos

jsensharma
Super Mentor

Created ‎09-21-2017 02:07 AM

@Mateusz Grabowski

Yes, as shared in the link earlier : https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudoer_configura...

Above link talks about details of setting up the sudoer and the reason why. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/commands_server....

The ambari user must be able to execute the commands like following to perform standard server operations: 

# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l.

.


"Sudo Defaults - Ambari Server" https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudo_defaults_se...

.

Reply
1,541 Views
Don't have an account?
Register
Announcements
What's New @ Cloudera
CDP Operational Database supports listing all HBase snapshots using various filters
What's New @ Cloudera
CDP Operational Database supports disabling the ephemeral storage in CLI
What's New @ Cloudera
CDP Operational Database supports DataHub/OpDB deployment across Multi-AZ
What's New @ Cloudera
CDP Operational Database supports a built-in coprocessor ‘AggregateImplementation’
Support Announcements
How validations can help enable your CDP upgrade success
View More Announcements