Misleading documentation of Ambari 2.7 installation as non-root

Explorer

If I install Ambari 2.7.3 as non-root and HDP 3.1, configuring everything as told in the documentation (https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/securing-credentials/content/ambari_sec_configuring_ambari_for_non_root.html), I get permission errors such as:

Execution of 'ambari-sudo.sh  -H -E /usr/hdp/3.1.0.0-78/hadoop-yarn/bin/yarn --config /usr/hdp/3.1.0.0-78/hadoop/conf --daemon start registrydns' returned 1. Sorry, user ambari is not allowed to execute '/usr/hdp/3.1.0.0-78/hadoop-yarn/bin/yarn --config /usr/hdp/3.1.0.0-78/hadoop/conf --daemon start registrydns' as root on master.

I don't know why, but /usr/hdp/3.1.0.0-78/hadoop-yarn/bin/yarn seems like something that is unnecessarily hard-coded, but that may have other justification as I don't know the codebase.

The same happens for commands under the default yarn-ats user, as the documentation does not mention the need for a "/bin/su yarn-ats *" entry in the /etc/sudoers file.

Hope this helps other people not running Ambari as root.

4 REPLIES

Re: Misleading documentation of Ambari 2.7 installation as non-root

New Contributor

Not sure if I understand how this was resolved. How did you fix the original issue that produced the error message?

Re: Misleading documentation of Ambari 2.7 installation as non-root

Explorer

The only solution I found was to add the entries "/bin/su yarn-ats *" and "/usr/hdp/*/hadoop-yarn/bin/yarn *" to the /etc/sudoers file in the permissions of the ambari user.

I did it in my Ansible playbook to install a kerberized HDP cluster, if you need to check more details (check the task - name: add ambari user permissions to sudoers):


https://github.com/epilif1017a/simple_secure_ansible_hdp_hadoop/blob/master/roles/ambariagent/tasks/...
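
An added example, not part of the thread or of the linked playbook: a small checker that pulls sudo denial messages out of Ambari task output and reports which denied commands no sudoers command entry covers. The matcher is an approximation of sudoers wildcard rules, and `BASE`, the second log line and the function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Denial message format, as quoted in the first post of this thread.
DENIED = re.compile(r"Sorry, user (\S+) is not allowed to execute '(.+)' as \S+ on ")

def entry_allows(entry, command):
    """Approximate sudoers command matching: a wildcard in the command path
    never matches '/', while the arguments are matched as one string."""
    e_path, _, e_args = entry.partition(" ")
    c_path, _, c_args = command.partition(" ")
    e_parts, c_parts = e_path.split("/"), c_path.split("/")
    if len(e_parts) != len(c_parts):
        return False
    if not all(fnmatchcase(c, e) for e, c in zip(e_parts, c_parts)):
        return False
    # An entry that lists no arguments permits any arguments.
    return not e_args or fnmatchcase(c_args, e_args)

def uncovered(log_lines, entries):
    """Return (user, command) pairs that sudo denied and no entry allows."""
    missing = []
    for line in log_lines:
        m = DENIED.search(line)
        if m and not any(entry_allows(e, m.group(2)) for e in entries):
            missing.append((m.group(1), m.group(2)))
    return missing

# First line: the error quoted in the thread. Second line: constructed sample.
LOG = [
    "Execution of 'ambari-sudo.sh  -H -E /usr/hdp/3.1.0.0-78/hadoop-yarn/bin/yarn "
    "--config /usr/hdp/3.1.0.0-78/hadoop/conf --daemon start registrydns' returned 1. "
    "Sorry, user ambari is not allowed to execute '/usr/hdp/3.1.0.0-78/hadoop-yarn/bin/yarn "
    "--config /usr/hdp/3.1.0.0-78/hadoop/conf --daemon start registrydns' as root on master.",
    "Sorry, user ambari is not allowed to execute "
    "'/bin/su yarn-ats -l -s /bin/bash -c id' as root on master.",
]
BASE = ["/bin/su hdfs *"]  # constructed stand-in for an existing command list
THREAD = BASE + ["/bin/su yarn-ats *", "/usr/hdp/*/hadoop-yarn/bin/yarn *"]

if __name__ == "__main__":
    for user, cmd in uncovered(LOG, BASE):
        print(f"no entry for {user}: {cmd}")
    print("still uncovered with the thread's entries:", uncovered(LOG, THREAD))
```

A trailing `*` in an entry matches any argument string, so each added entry is worth comparing against the commands Ambari actually issues; `visudo -c` validates the edited file's syntax before it takes effect.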

Re: Misleading documentation of Ambari 2.7 installation as non-root

New Contributor

@Carlos Costa - For the yarn registrydns, support told me to change the port it listens on to a non-priv port. Changed registry.dns.bind-port from 53 to a port greater than 1024, now it starts without an issue without changing any of the sudoers config.

Re: Misleading documentation of Ambari 2.7 installation as non-root

Explorer

Maybe it's a solution. I left the defaults and did not change any ports. Maybe the default should be a non-priv port then, or maybe one should consider documenting the situation.