If I install Ambari 2.7.3 as non-root and HDP 3.1, configuring everything as told in the documentation (https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/securing-credentials/content/ambari_sec_configuring_ambari_for_non_root.html), I get permission errors such as:
Execution of 'ambari-sudo.sh -H -E /usr/hdp/22.214.171.124-78/hadoop-yarn/bin/yarn --config /usr/hdp/126.96.36.199-78/hadoop/conf --daemon start registrydns' returned 1. Sorry, user ambari is not allowed to execute '/usr/hdp/188.8.131.52-78/hadoop-yarn/bin/yarn --config /usr/hdp/184.108.40.206-78/hadoop/conf --daemon start registrydns' as root on master.
I don't know why, but /usr/hdp/220.127.116.11-78/hadoop-yarn/bin/yarn seems like something that is unnecessarily hard-coded, but that may have other justification, as I don't know the codebase.
The same happens for commands under the default yarn-ats user, as the documentation does not mention the need for a "/bin/su yarn-ats *" entry in the /etc/sudoers file.
Hope this helps other people not running ambari as root.
Not sure if I understand how this was resolved. How did you fix the original issue that produced the error message?
The only solution I found was to add the entries "/bin/su yarn-ats *" and "/usr/hdp/*/hadoop-yarn/bin/yarn *" to the /etc/sudoers file in the permissions of the ambari user.
I did it in my Ansible playbook to install a kerberized HDP cluster if you need to check more details (check the task - name: add ambari user permissions to sudoers):
@Carlos Costa - For the yarn registrydns, support told me to change the port it listens on to a non-priv port. Changed registry.dns.bind-port from 53 to a port greater than 1024, now it starts without an issue without changing any of the sudoers config.
Maybe it's a solution. I left the defaults and did not change any ports. Maybe the default should be a non-priv port then, or maybe one should consider documenting the situation.