Support Questions

Find answers, ask questions, and share your expertise

Manage Ambari user roles

avatar
Expert Contributor

Dear community,

Is it possible to manage user roles not only from Ambari GUI? Blueprints? Some configs?

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

View solution in original post

6 REPLIES 6

avatar
Master Mentor

avatar
Expert Contributor

Thanks @Jay SenSharma

Ambari API is also ok. Is there a possibility to use Blueprints or ambari-server setup utility for this? Looked both but had not found proper option.

avatar
Master Mentor

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

avatar
Expert Contributor

Thanks for answers. Will try to use API. However had not found any possibility to manage cluster roles with that tool.

avatar

To manage user role (aka privileges) through the API, there are several entry point that can be used.

To set an Ambari administrator:

/api/v1/clusters/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "type": "AMBARI",
      "permission_name": "AMBARI.ADMINISTRATOR",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change the principal_name (in the payload) value to the relevant username

To set a cluster role:

/api/v1/clusters/:CLUSTER_NAME/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "PERMISSION_NAME",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :CLUSTER_NAME (in the URL) to the relevant cluster's name
  • Change the permission_name (in the payload) value to the relevant permission name
    • CLUSTER.ADMINISTRATOR
    • CLUSTER.OPERATOR
    • SERVICE.ADMINISTRATOR
    • SERVICE.OPERATOR
    • CLUSTER.USER
  • Change the principal_name (in the payload) value to the relevant username

To give access to a view:

/api/v1/views/:VIEW_TYPE/versions/:VIEW_VERSION/instances/:VIEW_INSTANCE/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "VIEW.USER",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :VIEW_TYPE (in the URL) to the relevant view type (i.e., FILES)
  • Change :VIEW_VERSION (in the URL) to the relevant view type's version (i.e., 1.0.0)
  • Change :VIEW_INSTANCE (in the URL) to the relevant view type's version instance (i.e., MyFilesView)
  • Change the principal_name (in the payload) value to the relevant username

avatar
Expert Contributor

That I was looking into. May thanks!!!!

According to the above reply:

1) To delete privileges:

curl -H "X-Requested-By: ambari" -X DELETE -u admin:admin "https://yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/1"

2) To add:

curl -H "X-Requested-By: ambari" -X POST --data-binary "@your_privileges_file.json" -u admin:admin "https:///yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/"

Privilege example:

{
"PrivilegeInfo" : {
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "your-group",
    "principal_type" : "GROUP"
  }
}