Managing Cluster Roles
Ambari-level administrators can assign user and group access to Ambari-, Cluster-, Host-, Service-, and User- (view- only) level permissions.
A granted level of user access is a role. Role-based access control effectively distributes the responsibilities of managing a cluster while not relinquishing total control of the Ambari management facility.
Understanding Cluster Roles and Access
Access levels allow administrators to categorize cluster users and groups based on the permissions that each level includes.
The following roles are based on access-levels. Access levels enhance the granularity of permissions that can be granted to Ambari users and groups:
| Role | Description |
|---|---|
| Cluster User | Users assigned to the Cluster User role can view information about the cluster and its services, including configurations, service status, and health alerts. |
| Service Operator | Users assigned to the Service Operator role have control over service life cycles, such as starting and stopping services, performing service checks, and performing service-specific tasks such as rebalancing HDFS and refreshing the YARN Capacity Scheduler. |
| Service Administrator | Users assigned to the Service Administrator role have the same permissions as users assigned to the Service Operator role but have the added ability to configure services. This includes the ability to manage configuration groups, move service masters, and enable HA. |
| Cluster Operator | Users assigned to the Cluster Operator role have the same permissions as users assigned to the Service Administrator role but have the added ability to perform host-level tasks such as adding and removing hosts and components. |
| Cluster Administrator | Users assigned to the Cluster Administrators role have control over the relevant cluster, its hosts, and services. |
| Ambari Administrator | Ambari Administrator users have full control over all aspects of Ambari. This includes the ability to create clusters, change cluster names, register new versions of cluster software, and fully control all clusters managed by the Ambari instance. |
Role Based Access Control
Permissions that an Ambari-level administrator assigns each user or group define each role.
Use these tables to determine what permissions each role includes.
Table 1: Service-Level Permissions
| Permissions | Cluster User | Service Operator | Service Administrator | Cluster Operator | Cluster Administrator | Ambari Administrator | |
|---|---|---|---|---|---|---|---|
| View status information |  | | | | | | |
| View configurations | | | | | | | |
| Compare configurations | | | | | | | |
| View service alerts | | | | | | | |
| Start, stop, or restart service | | | | | | ||
| Decommission or recommission | | | | | | ||
| Run service checks | | | | | | ||
| Turn maintenance mode on or off | | | | | | ||
| Perform service-specific tasks | | | | | | ||
| Modify configurations | | | | | | ||
| Manage configuration groups | | | | | | ||
| Move to Another Host | | | | | | ||
| Enable HA | | | | | | ||
| Enable or Disable Service Alerts | | | | | | ||
| Add Service to Cluster | | | |
Table 2: Host-Level Permissions
| Permissions | Cluster User | Service Operator | Service Administrator | Cluster Operator | Cluster Administrator | Ambari Administrator |
|---|---|---|---|---|---|---|
| View status information | | | | | | |
| View configuration | | | | | | |
| Turn maintenance mode on or off | | | | |||
| Install components | | | | |||
| Add or delete hosts | | | |
Table 3: Cluster-Level Permissions
| Permissions | Cluster User | Service Operator | Service Administrator | Cluster Operator | Cluster Administrator | Ambari Administrator |
|---|---|---|---|---|---|---|
| View status information | | | | | | |
| View configuration | | | | | | |
| View alerts | | | | | | |
| Enable or disable alerts | | | ||||
| Enable or disable Kerberos | | | ||||
| Upgrade or downgrade stack | | |
Table 4: Ambari-Level Permissions
| Permissions | Cluster User | Service Operator | Service Administrator | Cluster Operator | Cluster Administrator | Ambari Administrator | |
|---|---|---|---|---|---|---|---|
| Create new clusters | | ||||||
| Set service users and groups | | ||||||
| Rename clusters | | ||||||
| Manage users | | ||||||
| Manage groups | | ||||||
| Assign permission and roles | | ||||||
| Manage stack versions | | ||||||
| Edit stack repository URLs | |
Modify access levels for users and groups
Use Ambari Admin > Users to manage access levels for users and groups.
About this task
An Ambari Admin can manage the role assignment of local and remote users imported from LDAP. An Ambari administrator can control the access level for any user or group.
Procedure
- In Ambari Admin > Users, click Users to display the current users known to Ambari.
- To modify access for a user, click Edit next to a user name.
- In Admin/Users, click an option from the User Access list.
- In Ambari Admin > Users, click Groups to display the current groups known to Ambari.
- To modify access for a group, click Edit next to a group name.
- In Admin/Groups for that group, click an option from the Group Access