ambari-agent as a non root user

New Contributor

https://community.hortonworks.com/questions/75635/install-hdp-cluster-with-non-root-account.html

I proceeded with the document.

ambari-server: non-root-account: start

ambari-agent: non-root-account: start

Here, using the cluster install wizard on ambari-server, I completed the Kafka install.

At the time of the last check, ambari-agent is restarted with root privilege, and kafka has root privilege.

I would like to report that ambari-agent and kafka are non-root-account.

Where should I check?

4 REPLIES

Expert Contributor

@mo mo

Is this the guide you have followed? https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/how_to_configure...

Have you changed the run_as_user?

Hi @mo mo!

I'm not sure if I get you right, but:

  • Use ps -ef | grep -i kafka or ps -ef | grep -i ambari-agent on the respective machines (which have the component installed) to check who owns the process on Linux
  • Go to Ambari UI > Admin (tab) > Service Accounts > Table with each service=service account
  • Use id <non-root-account> to check its groups, whether it belongs to the root group and so on

Hope this helps!
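The first check in the reply above can be scripted so that it compares the process owner with the run_as_user setting instead of relying on reading ps output by eye. This is an added example, not part of the original thread; the function names are hypothetical, the file paths in the comment are the ones shown in the thread, and the sample ini is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does the running ambari-agent belong
# to the account named by run_as_user in ambari-agent.ini?

# Print the run_as_user value from an ambari-agent.ini style file.
configured_user() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        { key = $1; gsub(/[ \t\r]/, "", key) }
        key == "run_as_user" { val = $2; gsub(/[ \t\r]/, "", val) }
        END { if (val != "") print val }
    ' "$1"
}

# Print the account that owns a PID, read from /proc (Linux only).
pid_owner() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ -d "/proc/$1" ] || return 1
    stat -c %U "/proc/$1"
}

# check_agent_user INI PIDFILE
# Prints one verdict line; returns 0 on match, 1 on mismatch, 2 if unknown.
check_agent_user() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "UNKNOWN unreadable input"; return 2; }
    want=$(configured_user "$1")
    pid=$(tr -d '[:space:]' < "$2")
    got=$(pid_owner "$pid") || { echo "UNKNOWN no process for pid '$pid'"; return 2; }
    if [ "$want" = "$got" ]; then
        echo "OK agent pid $pid runs as $got"
        return 0
    fi
    echo "MISMATCH run_as_user=${want:-unset} but pid $pid runs as $got"
    return 1
}

# On a real host:
#   check_agent_user /etc/ambari-agent/conf/ambari-agent.ini \
#                    /run/ambari-agent/ambari-agent.pid
# Constructed demo: a sample ini naming "ambari", checked against this shell.
demo=$(mktemp -d)
printf '[agent]\nhostname=ambari.example.test\nrun_as_user=ambari\n' > "$demo/agent.ini"
echo "$$" > "$demo/agent.pid"
check_agent_user "$demo/agent.ini" "$demo/agent.pid" || true
rm -rf "$demo"
```

Running it before and after the install wizard's host check shows at which step the owner stops matching the configured account.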

New Contributor

thanks @Vinicius Higa Murakami

Checking with ps -ef confirms that it is running as a kafka user. But I do not know why the ambari-agent restarts as root.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/how_to_configure...

I proceeded with this document.

  • ambari-server
ambari]$sudo vi /etc/ambari-server/conf/ambari.properties 
      ambari-server.user=ambari
ambari]$ ambari-server status
	Using python  /usr/bin/python
	Ambari-server status
	Ambari Server running
	Found Ambari Server PID: 5862 at: /var/run/ambari-server/ambari-server.pid
ambari]$ ps -axu | grep 5864
	ambari     5862  4.7  2.0 12123220 662272 pts/0 Sl   14:19   4:40 /usr/jdk64/jdk1.8.0_112/bin/java -server -XX:NewRatio=3 -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction=60 -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/mysql-connector-java-6.0.6.jar:/usr/share/java/mysql-connector-java.jar org.apache.ambari.server.controller.AmbariServer



  • server ambari-agent (user= ambari)
ambari]$ sudo vi /etc/ambari-agent/conf/ambari-agent.ini 
	hostname=xxx.xxx.xxx.xxx.ambari-server
	run_as_user=ambari

ambari]$  ambari-agent status
	Found ambari-agent PID: 7758
	ambari-agent running.
	Agent PID at: /run/ambari-agent/ambari-agent.pid
	Agent out at: /var/log/ambari-agent/ambari-agent.out
	Agent log at: /var/log/ambari-agent/ambari-agent.log

ambari]$ ps -axu | grep 7758
	ambari     7758  0.8  0.0 1980336 28208 pts/0   Sl   15:05   0:28 /usr/bin/python /usr/lib/ambari-agent/lib/ambari_agent/main.py start

  • confirm Hosts install - > resource -> succ
  • ambari-agent (user= root) ???? why ambari agent restart??
ambari]$ sudo vi /etc/ambari-agent/conf/ambari-agent.ini 
	hostname=xxx.xxx.xxx.xxx.ambari-server
	run_as_user=root

ambari]$ ambari-agent status
	Found ambari-agent PID: 9758
	ambari-agent running.
	Agent PID at: /run/ambari-agent/ambari-agent.pid
	Agent out at: /var/log/ambari-agent/ambari-agent.out
	Agent log at: /var/log/ambari-agent/ambari-agent.log

ambari]$ ps -axu | grep 9758
	root     7758  0.8  0.0 1980336 28208 pts/0   Sl   15:05   0:28 /usr/bin/python /usr/lib/ambari-agent/lib/ambari_agent/main.py start
ambari]$ sudo visudo
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/su hdfs *,/bin/su ambari-qa *,/bin/su ranger *,/bin/su zookeeper *,/bin/su knox *,/bin/su falcon *,/bin/su ams *, /bin/su flume *,/bin/su hbase *,/bin/su spark *,/bin/su accumulo *,/bin/su hive *,/bin/su hcat *,/bin/su kafka *,/bin/su mapred *,/bin/su oozie *,/bin/su sqoop *,/bin/su storm *,/bin/su tez *,/bin/su atlas *,/bin/su yarn *,/bin/su kms *,/bin/su activity_analyzer *,/bin/su livy *,/bin/su zeppelin *,/bin/su infra-solr *,/bin/su logsearch *,/bin/su druid *,/bin/su superset *,/usr/bin/yum,/usr/bin/zypper,/usr/bin/apt-get, /bin/mkdir, /usr/bin/test, /bin/ln, /bin/ls, /bin/chown, /bin/chmod, /bin/chgrp, /bin/cp, /usr/sbin/setenforce, /usr/bin/test, /usr/bin/stat, /bin/mv, /bin/sed, /bin/rm, /bin/kill, /bin/readlink, /usr/bin/pgrep, /bin/cat, /usr/bin/unzip, /bin/tar, /usr/bin/tee, /bin/touch, /usr/bin/mysql, /sbin/service mysqld *, /usr/bin/dpkg *, /bin/rpm *, /usr/sbin/hst *, /sbin/service rpcbind *, /sbin/service portmap *,/usr/bin/hdp-select, /usr/bin/conf-select, /usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh, /usr/lib/hadoop/bin/hadoop-daemon.sh, /usr/lib/hadoop/sbin/hadoop-daemon.sh, /usr/bin/ambari-python-wrap *,/usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/usermod,/usr/bin/python2.6 /var/lib/ambari-agent/data/tmp/validateKnoxStatus.py *, /usr/hdp/current/knox-server/bin/knoxcli.sh,/usr/hdp/*/ranger-usersync/setup.sh, /usr/bin/ranger-usersync-stop, /usr/bin/ranger-usersync-start, /usr/hdp/*/ranger-admin/setup.sh *, /usr/hdp/*/ranger-knox-plugin/disable-knox-plugin.sh *, /usr/hdp/*/ranger-storm-plugin/disable-storm-plugin.sh *, /usr/hdp/*/ranger-hbase-plugin/disable-hbase-plugin.sh *, /usr/hdp/*/ranger-hdfs-plugin/disable-hdfs-plugin.sh *, /usr/hdp/current/ranger-admin/ranger_credential_helper.py, /usr/hdp/current/ranger-kms/ranger_credential_helper.py, /usr/hdp/*/ranger-*/ranger_credential_helper.py,/usr/lib/ambari-infra-solr/bin/solr *, /usr/lib/ambari-logsearch-logfeeder/run.sh *, 
/usr/sbin/ambari-metrics-grafana *, /usr/lib/ambari-infra-solr-client/solrCloudCli.sh *,/var/lib/ambari-agent/tmp/create-python-wrap.sh, /usr/bin/python /var/lib/ambari-agent/tmp/setupAgent*.py, /usr/bin/python



Add in response to " Sorry, user ambari is not allowed to execute '/var/lib/ambari-agent/tmp/create-python-wrap.sh' as root on dev-xxx."

Add the following to visudo: /var/lib/ambari-agent/tmp/create-python-wrap.sh, /usr/bin/python /var/lib/ambari-agent/tmp/setupAgent*.py, /usr/bin/python

Super Mentor

@mo mo

One Python script internally invokes various other OS utilities and commands, so in order to run the Ambari agent as a non-root user you will have to follow the list of commands mentioned in the following docs as it is:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.3/bk_security/content/_commands.html
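Keeping the sudoers list "as it is" can be checked mechanically: the script below lists every command a deployed entry grants beyond the documented one and marks those with no argument list, which sudo allows to run with any arguments (the case for the bare /usr/bin/python appended in the post above). This is an added example, not from the thread or the Ambari documentation; the function names are hypothetical, the "documented" sample is a shortened, constructed stand-in for the real list, and each file is assumed to hold a single user entry without escaped commas.

```shell
#!/bin/sh
# Added example (not from the thread or the Ambari docs): list the commands a
# deployed sudoers entry grants beyond the documented entry.
# Assumes each file holds one user entry and no escaped commas (\,).

# Print one normalised command per line from a sudoers user entry.
cmnd_list() {
    tr '\n' ' ' < "$1" |
        sed -e 's/\\ / /g' \
            -e 's/^[^=]*=[[:space:]]*\(([^)]*)\)*[[:space:]]*\([A-Z_]*:[[:space:]]*\)*//' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]][[:space:]]*/ /g' -e '/^$/d' |
        LC_ALL=C sort -u
}

# audit_extras DOCUMENTED DEPLOYED
#   EXTRA           granted only in DEPLOYED, with an argument pattern
#   EXTRA-ANY-ARGS  granted only in DEPLOYED with no argument list, which
#                   sudo treats as "any arguments allowed"
audit_extras() {
    doc=$(mktemp) || return 2
    cmnd_list "$1" > "$doc"
    cmnd_list "$2" | grep -Fxv -f "$doc" | while IFS= read -r c; do
        case $c in
            *' '*) echo "EXTRA $c" ;;
            *)     echo "EXTRA-ANY-ARGS $c" ;;
        esac
    done
    rm -f "$doc"
}

# Constructed sample: a shortened stand-in for the documented entry, and the
# same entry with the three commands appended in the post.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/documented" <<'EOF'
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/su kafka *,/usr/bin/yum, /bin/mkdir, /usr/bin/ambari-python-wrap *
EOF
cat > "$work/deployed" <<'EOF'
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/su kafka *,/usr/bin/yum, /bin/mkdir, /usr/bin/ambari-python-wrap *, \
    /var/lib/ambari-agent/tmp/create-python-wrap.sh, /usr/bin/python /var/lib/ambari-agent/tmp/setupAgent*.py, /usr/bin/python
EOF
audit_extras "$work/documented" "$work/deployed"
```

For a real audit, paste the entry from the linked documentation into the first file and the output of the host's sudoers entry for the agent account into the second.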