Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Is there any way to change ambari-server user after installation

Is there any way to change ambari-server user after installation

Rising Star

I installed HDP using Ambari as root user. Due to security I want to change it. As I read, there is no problem with running Ambari Agent as non-root user (How to Configure an Ambari Agent for Non-Root). But what about Ambari Server?

During the Ambari Server setup process, when prompted to Customize user account for ambari-server daemon?, I chose n.

Is there any way to change user for Ambari Server? Or do I have to setup Ambari Server one more time?

8 REPLIES 8

Re: Is there any way to change ambari-server user after installation

Super Mentor

@Mateusz Grabowski

You can run the ambari-server setup command again. and then choose following option as "yes"

Customize user account for ambari-server daemon?, choose y. 

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/how_to_configure...

Only thing we need to remember that , the non-root functionality relies on sudo to run specific commands that require elevated privileges as defined in the Sudoer Configuration - Ambari Server

Re: Is there any way to change ambari-server user after installation

Mentor

@Mateusz Grabowski

As said by Jay just choose y and ambari in the background will change the files permissions to the newly chosen user above who will also be the owner of all the ambari related process

- Make sure you revalidate your hadoop.proxyuser in Custom core-site for ambari and also for the Ambari views!

Re: Is there any way to change ambari-server user after installation

Rising Star

@Geoffrey Shelton Okot

I added those two lines to custom core-site

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=* 

Do you know if I have to delete parameters for root users from custum core-site? I mean those two lines:

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=* 

Re: Is there any way to change ambari-server user after installation

Super Mentor

@Mateusz Grabowski

You will need to replace "root" with "ambari" user. If you are planning to use Views then those proxy users are used. Ambari Views will run the queries/jobs using proxyusers so the proxyuser property need to be set to the user who is running the ambari server process (in your case it is 'ambari' user). (In case of Kerberied environment those proxy username will need to be replaced with the Kerberos Principal name of Ambari Server)

hadoop.proxyuser.ambari.groups=*
hadoop.proxyuser.ambari.hosts=* 

.

keeping the following property will be of no harm though. But there is no use for the below properties then. Because once you start running ambari server as user "ambari" then the following properties will not at all be used. So you can delete them or keep it.

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=* 

.

Re: Is there any way to change ambari-server user after installation

Rising Star

Thanks for the answer. I replaced root with ambari and everything is fine.

Can you tell me one more thing? What abou sudo configuration? Is it necessary to change it? Because I started ambari-server and it works good. There is one error in logs:

Unable to check firewall status when starting without root privileges.
Please do not forget to disable or adjust firewall if needed
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..../bin/sh: line 0: ulimit: open files: cannot modify limit: Operation not permitted

Re: Is there any way to change ambari-server user after installation

Mentor

@Mateusz Grabowski

Here is the official documentation that can guide you

Re: Is there any way to change ambari-server user after installation

Mentor

@Mateusz Grabowski

Yes you can because no process is being run as root anymore, and besides Ambari saves whatever config you change so you are safe !

Re: Is there any way to change ambari-server user after installation

Super Mentor

@Mateusz Grabowski

Yes, as shared in the link earlier : https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudoer_configura...

Above link talks about details of setting up the sudoer and the reason why. https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/commands_server....

The ambari user must be able to execute the commands like following to perform standard server operations:

# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l.

.


"Sudo Defaults - Ambari Server" https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/sudo_defaults_se...

.