Managing Local Users
As an Ambari administrator, you can create and manage users and groups available to Ambari. You can also import user and group information into Ambari from external LDAP systems.
You use the Ambari Admin page to manage both local and LDAP users. Local users are stored in and authenticate against the Ambari database. LDAP users have basic account information stored in the Ambari database. Unlike local users, LDAP users authenticate against an external LDAP system. To use LDAP users with Ambari, you must configure Ambari to authenticate against an external LDAP system. Ambari grants no permissions by default to a new user, created either locally or by synchronizing against LDAP. You, as an Ambari administrator, must explicitly grant each user permissions to access clusters or views.
You, as an Ambari administrator, can create new users, delete users, change user passwords, and edit user settings.
Manage privileges for local and LDAP users
You can control certain privileges for local and LDAP users.
The following table lists the privileges available and those not available to the Ambari administrator for local and LDAP Ambari users.
Table 5: Ambari Administrator Privileges for Local and LDAP Users
Ambari Administrator Privilege | Local User | LDAP User |
---|---|---|
Change password | Available | Not Available |
Set Ambari Admin flag | Available | Available |
Change group membership | Available | Not Available |
Delete user | Available | Not Available |
Set active or inactive status | Available | Available |
Set user access | Available | Available |
Create a local user
You, as an Ambari administrator, can create new, local users.
Procedure
- On the Ambari Admin page, browse to Users.
- Click Create Local User.
- Enter a unique user name.
All user name characters are converted to lowercase.
- Enter a password, and then confirm that password.
- Click Save.
Set User Status
User status determines whether a user can or cannot log in to Ambari.
About this task
User status indicates whether the user is active and allowed to log in to Ambari or is inactive and denied the ability to log in. By setting the status flag as active or inactive, you can effectively disable user account access to Ambari while preserving the user account information related to permissions.
Procedure
- On the Ambari Admin page, browse to Users.
- Click the name of the user to modify.
- Click the Status control to toggle between Active and Inactive.
- Click OK.
The change is saved immediately.
Grant Ambari admin privileges
Only an Ambari Administrator can grant another user Ambari Administrator privileges.
About this task
You, as an Ambari administrator, can grant one or more users Ambari administrator privileges by setting the Ambari Admin flag. Only an Ambari administrator can set or remove the Ambari Admin flag. Ambari prevents you from accidentally removing the flag from your own account.
Procedure
- On the Ambari Admin page, browse to Users.
- Click the name of the user to modify.
- Click the Ambari Admin control.
- Click Yes to set or No to remove the Ambari Admin flag.
Configure password policy for users
An Ambari administrator can configure the password policy for users.
About this task
You, as an Ambari administrator, can configure the password policy for users by performing the following steps:
Procedure
- On the Ambari Server host, open /etc/ambari-server/conf/ambari.properties with a text editor.
- Add security.password.policy.regexp={some regexp} to the ambari.properties file. The regular expression should follow the Java regex format described in the Oracle docs.
security.password.policy.regexp=^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$
- Add the property security.password.policy.description={some description} to the ambari.properties file.
security.password.policy.description=Minimum length=15, Must contain at least three out of the following four character types (numeric character, lower case alphabetic characters, upper case alphabetic characters, punctuation/special symbol)
- Restart the Ambari Server.
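The two example values above do not describe the same rule: the regex accepts any eight or more letters and digits, while the description promises a 15-character minimum and allows punctuation. The following added example (not Ambari's code) compares a regex against the rule its description states before you deploy both. It assumes the regex is applied to the whole password; the sample passwords are constructed.

```python
import re
import string

# Value of security.password.policy.regexp from the example above.
POLICY_REGEXP = r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$"
# re.ASCII limits \d to 0-9, which is how Java's Pattern treats \d by default.
POLICY = re.compile(POLICY_REGEXP, re.ASCII)

def regex_accepts(password):
    """True if the whole password matches the policy regex (assumed full match)."""
    return POLICY.fullmatch(password) is not None

def description_accepts(password):
    """The rule stated in the example description: length >= 15 and at least
    three of the four character types."""
    classes = [
        any(c in string.digits for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 15 and sum(classes) >= 3

def disagreements(candidates):
    """Candidates on which the regex and the description give different answers."""
    return [(p, regex_accepts(p), description_accepts(p))
            for p in candidates
            if regex_accepts(p) != description_accepts(p)]

# Constructed sample passwords, for illustration only.
SAMPLES = ["abc12345", "Summer2024Rain!Cloud", "CorrectHorse42Battery",
           "short1!", "12345678"]

if __name__ == "__main__":
    for pw, by_regex, by_text in disagreements(SAMPLES):
        print(f"{pw!r}: regex={'accept' if by_regex else 'reject'}, "
              f"description={'accept' if by_text else 'reject'}")
```

An empty result from `disagreements` on a representative sample set means the description matches what the regex enforces.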
Change the password for a local user
An Ambari administrator can change local user passwords, but not LDAP user passwords.
Procedure
- On the Ambari Admin page, browse to Users.
- Click the name of the user to modify.
- Click Change password.
- Enter your administrator password to confirm that you have the required privileges.
- Enter a password for the local user, and then confirm that password.
- Click Save.
Delete a local user
Deleting a local user removes the user account from the system, including all privileges associated with the user. If you want only to disable user log in, set the user status to Inactive.
Procedure
- On the Ambari Admin page, browse to Users.
- Click Delete User.
- Confirm the deletion.
Enable user home directory creation
You can enable automated creation of a /user/[USER_NAME] HDFS home directory for each user that you create.
About this task
A common requirement to initialize user accounts to run Hadoop components is the existence of a unique, /user/[USER_NAME] HDFS home directory. You can enable automated creation of a /user/[USER_NAME] HDFS home directory for each user that you create. Home directory creation occurs for users created either manually using the Ambari Admin page, or through LDAP synchronization.
Procedure
- On your Ambari Server host, edit the ambari.properties file using a command-line editor (vi, in this example):
vi /etc/ambari-server/conf/ambari.properties
- Add the following property: ambari.post.user.creation.hook.enabled=true.
- Add the script path to the ambari.properties file:
ambari.post.user.creation.hook=/var/lib/ambari-server/resources/scripts/post-user-creation-hook.sh
- Restart Ambari Server:
ambari-server restart
Results
After enabling the post-user creation script, Ambari executes the script whenever a user is created and logs a message each time the script is invoked. If the script has a non-zero exit code, an ERROR is logged, otherwise an INFO-level message that includes the script path and parameters is logged.
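A check to run before the restart, as an added example (not Ambari's own code): it confirms that both hook properties are set and that the script exists, and, because Ambari executes this script on every user creation, it also flags a script that group or other users can modify. The simplified properties reader and the permission rule are assumptions of this example.

```python
import os
import stat
import tempfile

ENABLED_KEY = "ambari.post.user.creation.hook.enabled"
SCRIPT_KEY = "ambari.post.user.creation.hook"

def parse_properties(text):
    """Minimal key=value reader (assumption: no escapes or line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_hook(properties_text):
    """Return a list of findings; an empty list means no problem was found."""
    props = parse_properties(properties_text)
    # Assumption: an absent "enabled" key is treated as not enabled.
    if props.get(ENABLED_KEY, "").lower() != "true":
        return [f"{ENABLED_KEY} is not set to true"]
    path = props.get(SCRIPT_KEY, "")
    if not path:
        return [f"{SCRIPT_KEY} is not set"]
    if not os.path.isfile(path):
        return [f"hook script not found: {path}"]
    findings = []
    mode = os.stat(path).st_mode
    if not mode & stat.S_IXUSR:
        findings.append("hook script is not executable by its owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("hook script is writable by group or others")
    return findings

if __name__ == "__main__":
    # Constructed stand-in for the real script and properties file.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "post-user-creation-hook.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(script, 0o777)
        sample = f"{ENABLED_KEY}=true\n{SCRIPT_KEY}={script}\n"
        print(audit_hook(sample))
```

On a real host, pass the contents of /etc/ambari-server/conf/ambari.properties to `audit_hook`.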
Managing Local Group Membership
You can manage membership of local groups by adding or removing users.
Understanding group types
Ambari supports two types of groups: local and LDAP.
You use the Ambari Admin page to manage both local and LDAP groups. Local groups are stored in the Ambari database. LDAP groups have basic information stored in the Ambari database, including group membership information. Unlike local groups, LDAP groups are imported and synchronized from an external LDAP system. To use LDAP groups with Ambari, you must configure Ambari to authenticate against an external LDAP system. Ambari grants no permissions by default to a new group, created either locally or by synchronizing against LDAP.
Modify Group Membership
Use Admin/Groups to add local users to an existing group.
Procedure
- On the Ambari Admin page, browse to Users > Groups.
- For a group name, under Actions, click edit.
- In Groups/[group name], use the Local Members control to modify group membership.
a) Click in the Local Members text area.
b) In the New control, type a new local user name.
c) Click the x next to the name of a user to remove that user.
d) To save your changes, click the check mark.
e) To discard your changes, click x.
Create a Local Group
Use Admin/Groups to create or manage an existing local group.
Procedure
- On the Ambari Admin page, browse to Users > Groups.
- Click Add Groups.
- Enter a unique group name.
- Click Save.
Delete a local group
Use Admin/Groups to create or manage an existing local group.
Procedure
- On the Ambari Admin page, browse to Users > Groups.
- On Admin/Groups, review the list of group names.
- For a named group, under Actions, click the can to delete the group.
- Confirm.
Results
Deleting a local group also removes associated group membership information, including privileges.