Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Is there any way to change ambari-server user after installation

Labels:
grabowski14
Rising Star

Created ‎09-20-2017 11:01 AM

I installed HDP using Ambari as root user. Due to security I want to change it. As I read, there is no problem with running Ambari Agent as non-root user (How to Configure an Ambari Agent for Non-Root). But what about Ambari Server?

During the Ambari Server setup process, when prompted to Customize user account for ambari-server daemon?, I chose n.

Is there any way to change user for Ambari Server? Or do I have to setup Ambari Server one more time?

2,931 Views
0 Kudos
8 REPLIES 8

jsensharma
Super Mentor

Created ‎09-20-2017 11:16 AM

@Mateusz Grabowski

You can run the ambari-server setup command again. and then choose following option as "yes"

Customize user account for ambari-server daemon?, choose y.

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/how_to_configure...

Only thing we need to remember that , the non-root functionality relies on sudo to run specific commands that require elevated privileges as defined in the Sudoer Configuration - Ambari Server

2,029 Views

Shelton
Mentor

Created ‎09-20-2017 11:23 AM

@Mateusz Grabowski

As said by Jay just choose y and ambari in the background will change the files permissions to the newly chosen user above who will also be the owner of all the ambari related process

- Make sure you revalidate your hadoop.proxyuser in Custom core-site for ambari and also for the Ambari views!

2,029 Views

grabowski14
Rising Star

Created ‎09-20-2017 12:44 PM

@Geoffrey Shelton Okot

I added those two lines to custom core-site

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*

Do you know if I have to delete parameters for root users from custum core-site? I mean those two lines:

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
2,029 Views
0 Kudos

jsensharma
Super Mentor

Created ‎09-20-2017 01:02 PM

@Mateusz Grabowski

You will need to replace "root" with "ambari" user. If you are planning to use Views then those proxy users are used. Ambari Views will run the queries/jobs using proxyusers so the proxyuser property need to be set to the user who is running the ambari server process (in your case it is 'ambari' user). (In case of Kerberied environment those proxy username will need to be replaced with the Kerberos Principal name of Ambari Server)

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=*

.

keeping the following property will be of no harm though. But there is no use for the below properties then. Because once you start running ambari server as user "ambari" then the following properties will not at all be used. So you can delete them or keep it.

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

.

2,029 Views

grabowski14
Rising Star

Created ‎09-20-2017 02:11 PM

Thanks for the answer. I replaced root with ambari and everything is fine.

Can you tell me one more thing? What abou sudo configuration? Is it necessary to change it? Because I started ambari-server and it works good. There is one error in logs:

Unable to check firewall status when starting without root privileges.
Please do not forget to disable or adjust firewall if needed
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..../bin/sh: line 0: ulimit: open files: cannot modify limit: Operation not permitted
2,029 Views
0 Kudos

Shelton
Mentor

Created ‎09-20-2017 07:39 PM

@Mateusz Grabowski

Here is the official documentation that can guide you

2,029 Views

Shelton
Mentor

Created ‎09-20-2017 08:43 PM

@Mateusz Grabowski

Yes you can because no process is being run as root anymore, and besides Ambari saves whatever config you change so you are safe !

2,029 Views
0 Kudos

jsensharma
Super Mentor

Created ‎09-21-2017 02:07 AM

@Mateusz Grabowski

Yes, as shared in the link earlier : https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudoer_configura...

Above link talks about details of setting up the sudoer and the reason why. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/commands_server....

The ambari user must be able to execute the commands like following to perform standard server operations: 

# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l.

.


"Sudo Defaults - Ambari Server" https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudo_defaults_se...

.

2,029 Views
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
[ANNOUNCE] CDP Private Cloud Data Services 1.5.0 Released
Community Announcements
January 2023 Community Highlights
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.30 for Impala is Released
What's New @ Cloudera
Cloudera Operational Database (COD) provides a CLI option to enable HBase region canaries
What's New @ Cloudera
Cloudera Operational Database (COD) supports creating an operational database using a predefined Data Lake template
View More Announcements