
installing ambari2.5 for non root centos7 : privileges


New Contributor

I want to install ambari2.5 on centos7 and manage it using a non-root account (ambari).

I have 2 nodes (a server 'node1' and an agent 'node2')

I followed these steps :

  • add user on both nodes (with temporary sudo access)
      sudo adduser ambari
      sudo passwd ambari
      sudo gpasswd -a ambari wheel
  • configured and tested passwordless ssh (using the FQDN, not only IP addresses) --> working fine
  • installed ambari-server on node1:
      su ambari
      sudo yum install ambari-server -y
      sudo yum remove ambari-server -y
  • setup the server (from the ambari user account)
      sudo ambari-server setup
      Using python /usr/bin/python
      Setup ambari-server
      Checking SELinux...
      SELinux status is 'enabled'
      SELinux mode is 'permissive'
      WARNING: SELinux is set to 'permissive' mode and temporarily disabled.
      OK to continue [y/n] (y)? y
      Customize user account for ambari-server daemon [y/n] (n)? y
      Enter user account for ambari-server daemon (root):ambari
      Adjusting ambari-server permissions and ownership...
      Checking firewall status...
      Checking JDK...
      [1] Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8
      [2] Oracle JDK 1.7 + Java Cryptography Extension (JCE) Policy Files 7
      [3] Custom JDK
      ==============================================================================
      Enter choice (1): 1
      JDK already exists, using /var/lib/ambari-server/resources/jdk-8u112-linux-x64.tar.gz
      Installing JDK to /usr/jdk64/
      Successfully installed JDK to /usr/jdk64/
      JCE Policy archive already exists, using /var/lib/ambari-server/resources/jce_policy-8.zip
      Installing JCE policy...
      Completing setup...
      Configuring database...
      Enter advanced database configuration [y/n] (n)? n
      Configuring database...
      Default properties detected. Using built-in database.
      Configuring ambari database...
      Checking PostgreSQL...
      Configuring local database...
      Configuring PostgreSQL...
      Backup for pg_hba found, reconfiguration not required
      Creating schema and user...
      done.
      Creating tables...
      done.
      Extracting system views... ............
      Adjusting ambari-server permissions and ownership...
      Ambari Server 'setup' completed successfully.

  • reboot
  • removed the ambari user from wheel group (the administrators root group in centos)

I connected to the ambari web page (with the default user: admin/admin) on node1 and launched the wizard, and it proceeded until confirm hosts where it tries to install on the remotes (bootstrapping)

I noticed two issues:

  1. issue 1: I couldn't see the logs from the browser (probably some rights issue)
  2. issue 2: in the /var/logs/ambari-server/ambari-server.log I could see this error: BSRunner:369 - Error executing bootstrap Cannot create /var/run/ambari-server/bootstrap

There is probably something that I am doing wrong or that is missing during the installation or configuration.

Can you please help with this?

Thanks


Re: installing ambari2.5 for non root centos7 : privileges

Super Guru
@ant one

Can you please check permissions under /var/ (for the "run" directory and then for the "ambari-server" directory)? Does user ambari have write permissions? Also check permissions for the "/var/" directory. Which groups are allowed to write under /var? Is ambari part of a group which can write under /var or under /run and so on?
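
The permission check suggested in this reply can be scripted. The following is an added example, not part of the original thread or of Ambari; the function names are hypothetical, and it tests the account that runs it, so run it as the ambari user against the path from the error (/var/run/ambari-server/bootstrap).

```shell
#!/bin/sh
# Added example, not Ambari code. Run it as the ambari-server daemon user.
# Function names are hypothetical; the sample path comes from the error above.

# Print the deepest ancestor of $1 that already exists as a directory.
nearest_existing_dir() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Succeed if the current user could create $1 the way "mkdir -p" would:
# the nearest existing ancestor must be both writable and searchable.
can_create() {
    d=$(nearest_existing_dir "$1")
    [ -w "$d" ] && [ -x "$d" ]
}

# List owner, group and mode of each existing directory from $1 up to /.
report_path() {
    p=$(nearest_existing_dir "$1")
    while :; do
        ls -ld -- "$p"
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
}

# Check every argument; return non-zero if any target cannot be created.
check_targets() {
    rc=0
    for t in "$@"; do
        if can_create "$t"; then
            echo "OK   $t"
        else
            echo "DENY $t (blocked at $(nearest_existing_dir "$t"))"
            report_path "$t"
            rc=1
        fi
    done
    return "$rc"
}

# Example: sh check.sh /var/run/ambari-server/bootstrap
if [ "$#" -gt 0 ]; then
    id                 # uid and group memberships the checks apply to
    check_targets "$@"
fi
```

On CentOS 7, /var/run is a symlink to /run, a tmpfs that is emptied at boot, so the listing shows the state after the last reboot rather than what setup left behind.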


Re: installing ambari2.5 for non root centos7 : privileges

New Contributor

Hi,

Thank you for your answer.

The 'ambari' user is not part of a group that has access to these directories (which explains why it can't access the logs):

  • I had added it to 'wheel' group at first (to allow executing "sudo yum install -y ambari-server")
  • then I removed it from 'wheel' group after the installation and setup were done (I don't want to keep its root access)
  • then I added the following lines to /etc/sudoers (which don't give it access to /var/run/...):
      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults:ambari !requiretty

How do you think I can do the group management in this case?


Re: installing ambari2.5 for non root centos7 : privileges

Guru

Hello @ant one,

Thanks for posting the detailed question. You almost got everything in order; I've one question though. Have you updated the sudoers configuration for the 'ambari' user?

Ambari, when run as a non-root user, depends upon sudoers configuration to run certain commands with elevated privileges. Unless you do this, the 'ambari' user will not be able to execute those commands correctly. Please check this section from Ambari 2.5 documentation and follow the sudoers configuration steps.

Hope this helps!


Re: installing ambari2.5 for non root centos7 : privileges

New Contributor

Hi,

Thank you for your answer. I did add the following to the sudoers:

      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults:ambari !requiretty

Re: installing ambari2.5 for non root centos7 : privileges

New Contributor

Hi Vipin,

Thank you for your answer. I did add the following to the sudoers:

      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults:ambari !requiretty

Re: installing ambari2.5 for non root centos7 : privileges

New Contributor

Hi @mqureshi and @Vipin Rathor

Thank you both for your answers.

The 'ambari' user is not part of a group that has access to these directories (which explains why it can't access the logs):

  • I had added it to 'wheel' group at first (to allow executing "sudo yum install -y ambari-server")
  • then I removed it from 'wheel' group after the installation and setup were done (I don't want to keep its root access)
  • then I added the following lines to /etc/sudoers (which don't give it access to /var/run/...):
      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults:ambari !requiretty

How do you think I can do the group management in this case?
