Securing Credentials
Also available as:

Configure Ambari Server for Non-Root

You can configure the Ambari Server to run as a non-root user.

  1. During the ambari-server setup process, when prompted to Customize user account for ambari-server daemon?, choose y.
  2. When prompted, enter the appropriate, non-root user to run the Ambari Server as; for example: ambari.
  3. The non-root functionality relies on sudo to run specific commands that require elevated privileges as defined in the Sudoer configuration. Each of the substeps include the specific sudo entries that you should place in /etc/sudoers by running the visudo command:
    1. Enter the the specific commands that must be issued for standard server operations:
      # Ambari Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/ls /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /var/lib/ambari-server/data/tmp, /bin/chmod * /var/lib/ambari-server/data/tmp, /bin/chown * /var/lib/ambari-server/data/tmp, /bin/chgrp * /var/lib/ambari-server/data/tmp, /bin/rm -rf /var/lib/ambari-server/data/tmp/*, /bin/cp -f /tmp/* /var/lib/ambari-server/data/tmp/*, /usr/bin/test * *, /bin/stat -c %u %g %a /var/lib/ambari-server/data/tmp/*
    2. Some versions of sudo have a default configuration that prevents sudo from being invoked from a non-interactive shell. In order for the agent to run it's commands non-interactively, some defaults need to be overridden:
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults: ambari !requiretty
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l. There, you can double check that there are no warnings, and that the configuration output matches what was just applied.