Support Questions

rvillanueva · ‎07-29-2019

Confused about what Ambari users and groups are.

When looking at the docs and the Ambari UI (Admin/Users and Admin/Groups), I get the impression that users / groups created in this interface should appear across all nodes in the cluster, but this does not seem to be the case, eg...

[root@HW01 ~]# id <some user created in Ambari UI>
id: <some user created in Ambari UI>: no such user

Same situation for groups created in Ambari UI admin section.

Not sure I understand to use of the Ambari users and groups if they do not somehow have a link back to user and groups locally on the hosts. Can someone please explain what is going on here?

jsensharma · ‎07-30-2019

@Reed Villanueva

Regarding your query:

1. What is the point of these ambari users / groups?

Ambari-level administrators can assign user and group access to Ambari-, Cluster-, Host-, Service-, and User- (view-only) level permissions.

Access levels allow administrators to categorised cluster users and groups based on the permissions that each level includes.

Permissions that an Ambari-level administrator assigns each user or group define each role. These roles can be understood using the following table mentioned in the following doc. To understand which ambari role holder can do what.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.7.3.0/administering-ambari/content/amb_roles_and_...

2. What is the context they are intended to be used in?

When a user wants to login to Ambari UI or say in a Specific View like File View / Hive View ...etc then in that case the Users created in Ambari DB (listed in the "users" table) can perform the actions according to their roles defined. For Local users ambari will authenticate them using the password listed inside the "users" table. But for the LDAP users the authentication will be done at the LDAP level (because ambari does not store the LDAP Sync users passwords in it's DB).

.

View solution in original post

jsensharma · ‎07-29-2019

@Reed Villanueva

The users created inside the Ambari UI can be of two types "LOCAL" users and "LDAP" users. You can find this detail isnide the "users" table of ambari DB.

Ambari in any case is not responsible for creating user/groups for those ambari UI users in any node. For example you will see "admin" user in ambari but you wont see any such user on ambari server host or on any other node.

If you have integrated ambari with some user base like LDAP /AD then you can run the ldap-sync command to sync those users and groups present in the LDAP to sync them to ambari database "users'" table. So that those users can login to ambari UI with the LDAP credentials.

But if you want these same Users to be created on every Physical host so that you can login to those hosts using the mentioned user accounts then you will need to setup SSSD service to sync those LDAP users to the OS users.

https://github.com/HortonworksUniversity/Security_Labs/blob/master/HDP-2.6-AD.md#setup-ados-integrat...

rvillanueva · ‎07-29-2019

@Jay Kumar SenSharma

I understand using SSSD for cluster-wide users with LDAP, but my question more has to do with...

"Ambari in any case is not responsible for creating user/groups for those ambari UI users in any node. For example you will see "admin" user in ambari but you wont see any such user on ambari server host or on any other node."

What I was more interested in was, given the above, what is the point of these ambari users / groups? What is the context they are intended to be used in? I would think they could be used for adding ACL-like permissions to folders in the Ambari files view or something, but that does not seem to be the case, so I'm not sure what the point of them is.

**Note I previously used MapR Hadoop which did operate in a similar way to this (where users of HDFS needed to exist across all nodes and the MapR mgmt UI allowed ACL-like permissions on HDFS volumes based on users and groups), so that's my frame of reference.

jsensharma · ‎07-30-2019

@Reed Villanueva

Regarding your query:

1. What is the point of these ambari users / groups?

Ambari-level administrators can assign user and group access to Ambari-, Cluster-, Host-, Service-, and User- (view-only) level permissions.

Access levels allow administrators to categorised cluster users and groups based on the permissions that each level includes.

Permissions that an Ambari-level administrator assigns each user or group define each role. These roles can be understood using the following table mentioned in the following doc. To understand which ambari role holder can do what.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.7.3.0/administering-ambari/content/amb_roles_and_...

2. What is the context they are intended to be used in?

When a user wants to login to Ambari UI or say in a Specific View like File View / Hive View ...etc then in that case the Users created in Ambari DB (listed in the "users" table) can perform the actions according to their roles defined. For Local users ambari will authenticate them using the password listed inside the "users" table. But for the LDAP users the authentication will be done at the LDAP level (because ambari does not store the LDAP Sync users passwords in it's DB).

.

Cloudera Community

Support Questions

Understanding Ambari users and groups