Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Manage Ambari user roles

Labels:
avatar
author-rank vladislav_falfu
Expert Contributor

Created ‎03-24-2017 09:32 AM

Dear community,

Is it possible to manage user roles not only from Ambari GUI? Blueprints? Some configs?

4,777 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎03-24-2017 09:56 AM

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

View solution in original post

3,060 Views
0 Kudos
6 REPLIES 6

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎03-24-2017 09:42 AM

@Vladislav Falfushinsky

Do you want to use Ambari APIs to manage user roles/groups/users.

https://community.hortonworks.com/content/supportkb/49416/managing-ambari-users-and-groups-with-the-...

3,060 Views
0 Kudos

avatar
author-rank vladislav_falfu
Expert Contributor

Created ‎03-24-2017 09:51 AM

Thanks @Jay SenSharma

Ambari API is also ok. Is there a possibility to use Blueprints or ambari-server setup utility for this? Looked both but had not found proper option.

3,060 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎03-24-2017 09:56 AM

@Vladislav Falfushinsky

Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction

- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...

.

3,061 Views
0 Kudos

avatar
author-rank vladislav_falfu
Expert Contributor

Created ‎03-24-2017 10:04 AM

Thanks for answers. Will try to use API. However had not found any possibility to manage cluster roles with that tool.

3,060 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎03-24-2017 11:24 AM

To manage user role (aka privileges) through the API, there are several entry point that can be used.

To set an Ambari administrator:

/api/v1/clusters/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "type": "AMBARI",
      "permission_name": "AMBARI.ADMINISTRATOR",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change the principal_name (in the payload) value to the relevant username

To set a cluster role:

/api/v1/clusters/:CLUSTER_NAME/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "PERMISSION_NAME",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :CLUSTER_NAME (in the URL) to the relevant cluster's name
  • Change the permission_name (in the payload) value to the relevant permission name
    • CLUSTER.ADMINISTRATOR
    • CLUSTER.OPERATOR
    • SERVICE.ADMINISTRATOR
    • SERVICE.OPERATOR
    • CLUSTER.USER
  • Change the principal_name (in the payload) value to the relevant username

To give access to a view:

/api/v1/views/:VIEW_TYPE/versions/:VIEW_VERSION/instances/:VIEW_INSTANCE/privileges

Payload:

[
  {
    "PrivilegeInfo": {
      "permission_name": "VIEW.USER",
      "principal_name": "username",
      "principal_type": "USER"
    }
  }
]

Notes:

  • Change :VIEW_TYPE (in the URL) to the relevant view type (i.e., FILES)
  • Change :VIEW_VERSION (in the URL) to the relevant view type's version (i.e., 1.0.0)
  • Change :VIEW_INSTANCE (in the URL) to the relevant view type's version instance (i.e., MyFilesView)
  • Change the principal_name (in the payload) value to the relevant username
3,060 Views

avatar
author-rank vladislav_falfu
Expert Contributor

Created ‎03-24-2017 12:00 PM

That I was looking into. May thanks!!!!

According to the above reply:

1) To delete privileges:

curl -H "X-Requested-By: ambari" -X DELETE -u admin:admin "https://yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/1"

2) To add:

curl -H "X-Requested-By: ambari" -X POST --data-binary "@your_privileges_file.json" -u admin:admin "https:///yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/"

Privilege example:

{
"PrivilegeInfo" : {
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "your-group",
    "principal_type" : "GROUP"
  }
}
3,060 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements