Created 03-24-2017 09:32 AM
Dear community,
Is it possible to manage user roles not only from Ambari GUI? Blueprints? Some configs?
Created 03-24-2017 09:56 AM
Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction
- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...
.
Created 03-24-2017 09:42 AM
Do you want to use Ambari APIs to manage user roles/groups/users.
Created 03-24-2017 09:51 AM
Thanks @Jay SenSharma
Ambari API is also ok. Is there a possibility to use Blueprints or ambari-server setup utility for this? Looked both but had not found proper option.
Created 03-24-2017 09:56 AM
Ambari Blueprints are a declarative definition of a cluster. It does not contain any ambari DB users/group related information's. With a Blueprint, you specify a stack the Component layout and the Configurations to materialize a Hadoop cluster instance (via a REST API) without having to use the Ambari Cluster Install Wizard. https://cwiki.apache.org/confluence/display/AMBARI/Blueprints#Blueprints-Introduction
- "ambari-server setup" also does not have any feature to create users/groups. But if you have LDAP / Active Directory configured then you can sync users/groups using ldap-sync option. https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-security/content/synchronizing_ld...
.
Created 03-24-2017 10:04 AM
Thanks for answers. Will try to use API. However had not found any possibility to manage cluster roles with that tool.
Created 03-24-2017 11:24 AM
To manage user role (aka privileges) through the API, there are several entry point that can be used.
To set an Ambari administrator:
/api/v1/clusters/privileges
Payload:
[ { "PrivilegeInfo": { "type": "AMBARI", "permission_name": "AMBARI.ADMINISTRATOR", "principal_name": "username", "principal_type": "USER" } } ]
Notes:
To set a cluster role:
/api/v1/clusters/:CLUSTER_NAME/privileges
Payload:
[ { "PrivilegeInfo": { "permission_name": "PERMISSION_NAME", "principal_name": "username", "principal_type": "USER" } } ]
Notes:
To give access to a view:
/api/v1/views/:VIEW_TYPE/versions/:VIEW_VERSION/instances/:VIEW_INSTANCE/privileges
Payload:
[ { "PrivilegeInfo": { "permission_name": "VIEW.USER", "principal_name": "username", "principal_type": "USER" } } ]
Notes:
Created 03-24-2017 12:00 PM
That I was looking into. May thanks!!!!
According to the above reply:
1) To delete privileges:
curl -H "X-Requested-By: ambari" -X DELETE -u admin:admin "https://yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/1"
2) To add:
curl -H "X-Requested-By: ambari" -X POST --data-binary "@your_privileges_file.json" -u admin:admin "https:///yourcluster.com:8443/api/v1/clusters/yourclustername/privileges/"
Privilege example:
{ "PrivilegeInfo" : { "permission_name" : "CLUSTER.USER", "principal_name" : "your-group", "principal_type" : "GROUP" } }