By default Ambari uses an internal database as the user store for authentication and authorization. If you want to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to collect the following information and run a special setup command. Ambari Server must not be running when you execute this command. An LDAP client must be installed on the Ambari Server host.
Important: Ambari Server should not be running when you do this. Either make the edits before you start Ambari Server for the first time, or bring the server down to make the edits.
The following table details the properties and values you need to know to set up LDAP authentication.
Note: If you are going to set bindAnonymously to false (the default), you need to make sure you have an LDAP Manager name and password set up. If you are going to use SSL, you need to make sure you have already set up your certificate and keys.

Table I.2.2. Ambari Server LDAP Properties
| Property | Values | Description |
|---|---|---|
| authentication.ldap.primaryUrl | server:port | The hostname and port for the LDAP or AD server. Example: my.ldap.server:389 |
| authentication.ldap.secondaryUrl | server:port | The hostname and port for the secondary LDAP or AD server. Example: my.secondary.ldap.server:389. This is an optional value. |
| authentication.ldap.useSSL | true or false | If true, use SSL when connecting to the LDAP or AD server. |
| authentication.ldap.usernameAttribute | [LDAP attribute] | The attribute for the username. Example: uid |
| authentication.ldap.baseDn | [Distinguished Name] | The root Distinguished Name to search in the directory for users. Example: ou=people,dc=hadoop,dc=apache,dc=org |
| authentication.ldap.bindAnonymously | true or false | If true, bind to the LDAP or AD server anonymously. |
| authentication.ldap.managerDn | [Full Distinguished Name] | If Bind anonymously is set to false, the Distinguished Name ("DN") for the manager. Example: uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org |
| authentication.ldap.managerPassword | [password] | If Bind anonymously is set to false, the password for the manager. |

Note: Ambari does not set up LDAP automatically. You must set up LDAP manually.
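Before running the setup command it is worth checking the values you collected against the rules the table states: the required properties are present, the URLs are really server:port pairs, the DNs have a DN shape, and a manager DN plus password exist whenever bindAnonymously is false. The following pre-flight checker is an added example and not Ambari's own code; the property names are those in the table, while the function names, the sample values (constructed from the table's examples, with port 636 because the sample uses SSL) and the `truststore` dictionary that mirrors the custom TrustStore prompts are assumptions for illustration.

```python
"""Pre-flight check for the answers you will give `ambari-server setup-ldap`.

Added example, not Ambari code. Property names come from the Ambari Server
LDAP Properties table; function names, sample values and the truststore
dict are assumptions made for illustration.
"""
import re

PREFIX = "authentication.ldap."
REQUIRED = [PREFIX + k for k in
            ("primaryUrl", "useSSL", "usernameAttribute", "baseDn", "bindAnonymously")]

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
# Loose DN shape: one or more attr=value RDNs separated by commas (no escaping handled).
DN_SHAPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

# Constructed sample built from the table's example names; port 636 because useSSL is true.
SAMPLE = {
    PREFIX + "primaryUrl": "my.ldap.server:636",
    PREFIX + "secondaryUrl": "my.secondary.ldap.server:636",
    PREFIX + "useSSL": "true",
    PREFIX + "usernameAttribute": "uid",
    PREFIX + "baseDn": "ou=people,dc=hadoop,dc=apache,dc=org",
    PREFIX + "bindAnonymously": "false",
    PREFIX + "managerDn": "uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org",
    PREFIX + "managerPassword": "placeholder-password",  # constructed placeholder
}


def parse_bool(value):
    """The table allows only the literal strings true/false."""
    v = str(value).strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"expected true or false, got {value!r}")
    return v == "true"


def parse_host_port(value):
    """Split a server:port value; reject schemes, paths and out-of-range ports."""
    m = HOST_PORT.match(str(value).strip())
    if not m:
        raise ValueError(f"expected server:port, got {value!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    return m.group("host"), port


def ldap_url(props, secondary=False):
    """Build the URL the server will effectively connect to (ldaps:// when useSSL is true)."""
    key = PREFIX + ("secondaryUrl" if secondary else "primaryUrl")
    host, port = parse_host_port(props[key])
    scheme = "ldaps" if parse_bool(props[PREFIX + "useSSL"]) else "ldap"
    return f"{scheme}://{host}:{port}"


def validate_ldap_properties(props, truststore=None):
    """Return (errors, warnings). `truststore` mirrors the custom TrustStore prompts
    ({"type": ..., "path": ..., "password": ...}) and is checked only when useSSL is true."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not str(props.get(key, "")).strip():
            errors.append(f"{key} is required")
    if errors:
        return errors, warnings

    use_ssl = anonymous = None
    try:
        use_ssl = parse_bool(props[PREFIX + "useSSL"])
    except ValueError as exc:
        errors.append(f"{PREFIX}useSSL: {exc}")
    try:
        anonymous = parse_bool(props[PREFIX + "bindAnonymously"])
    except ValueError as exc:
        errors.append(f"{PREFIX}bindAnonymously: {exc}")

    for key in (PREFIX + "primaryUrl", PREFIX + "secondaryUrl"):
        if not props.get(key):
            continue  # secondaryUrl is optional
        try:
            _, port = parse_host_port(props[key])
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if use_ssl and port == 389:
            warnings.append(f"{key} uses port 389 with useSSL=true; LDAPS servers usually listen on 636")

    for key in (PREFIX + "baseDn", PREFIX + "managerDn"):
        if props.get(key) and not DN_SHAPE.match(props[key]):
            errors.append(f"{key} does not look like a DN: {props[key]!r}")

    if anonymous is False:
        for key in (PREFIX + "managerDn", PREFIX + "managerPassword"):
            if not props.get(key):
                errors.append(f"{key} is required when bindAnonymously is false")

    if use_ssl is False:
        warnings.append("useSSL is false: the manager bind and user lookups travel in cleartext")
    elif use_ssl and truststore is not None:
        if str(truststore.get("type", "")).lower() != "jks":
            errors.append("TrustStore type must be jks")
        if not truststore.get("path"):
            errors.append("Path to TrustStore file is required")
        if not truststore.get("password"):
            errors.append("Password for TrustStore is required")
    return errors, warnings


if __name__ == "__main__":
    store = {"type": "jks", "path": "/keys/ldaps-keystore.jks", "password": "placeholder"}
    errs, warns = validate_ldap_properties(SAMPLE, truststore=store)
    print("URL:", ldap_url(SAMPLE))
    print("errors:", errs)
    print("warnings:", warns)
```

Run it against your own dictionary of answers; an empty error list means the prompts can be answered in the order the setup command asks them, and each warning is a point to reconsider before the manager password is typed in.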
If the LDAPS server certificate is signed by a trusted Certificate Authority, there is no need to import the certificate into Ambari, so this section does not apply to you. If the LDAPS server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates a keystore file at /keys/ldaps-keystore.jks, but you can create it anywhere in the file system.

On the Ambari server:

    mkdir /keys
    $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /keys/ldaps-keystore.jks

Set a password when prompted. You will use this during ambari-server setup-ldap.
Run the LDAP setup command and answer the prompts with the information you collected above:

    ambari-server setup-ldap

1. At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.
2. At the Secondary URL prompt, enter the secondary server URL and port. This is an optional value.
3. At the Use SSL* prompt, enter your selection. If using LDAPS, enter true.
4. At the User name attribute* prompt, enter your selection. The default value is uid.
5. At the Base DN* prompt, enter your selection.
6. At the Bind anonymously* prompt, enter your selection.
7. At the Manager DN* prompt, enter your selection if you have set bindAnonymously to false.
8. At the Enter the Manager Password* prompt, enter the password for your LDAP manager.
9. If you set Use SSL* = true in step 3, the following prompt appears: Do you want to provide custom TrustStore for Ambari? Consider the following options and respond as appropriate.
   - More secure option: If using a self-signed certificate that you do not want imported to the existing JDK keystore, enter y. For example, you want this certificate used only by Ambari, not by any other applications run by the JDK on the same host. If you choose this option, additional prompts appear. Respond to the additional prompts as follows:
     - At the TrustStore type prompt, enter jks.
     - At the Path to TrustStore file prompt, enter /keys/ldaps-keystore.jks (or the actual path to your keystore file).
     - At the Password for TrustStore prompt, enter the password that you defined for the keystore.
   - Less secure option: If using a self-signed certificate that you want to import and store in the existing, default JDK keystore, enter n. Then convert the SSL certificate to X.509 format, if necessary, by executing the following command:

         openssl x509 -in slapd.pem -out slapd.crt

     where slapd.crt is the path to the X.509 certificate. Import the SSL certificate into the existing keystore, for example the default JRE certificate store, using the following command:

         /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

     In this example Ambari is set up to use JDK 1.7, so the certificate must be imported into the JDK 7 keystore.
10. Review your settings and, if they are correct, select y.
11. Start or restart the Server:

        ambari-server restart
Initially the users you have enabled all have Ambari User privileges. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use Ambari Web Admin -> Users -> Edit.