You can configure the Ambari Server to run as a non-root user.
- During the ambari-server setup process, when prompted to "Customize user account for ambari-server daemon?", choose y.
- When prompted, enter the appropriate non-root user to run the Ambari Server as; for example: ambari.
- The non-root functionality relies on sudo to run specific commands that require elevated privileges, as defined in the sudoers configuration. Each of the substeps includes the specific sudo entries that you should place in /etc/sudoers by running the visudo command:
  - Enter the specific commands that must be issued for standard server operations:
# Ambari Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/ls /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /var/lib/ambari-server/data/tmp, /bin/chmod * /var/lib/ambari-server/data/tmp, /bin/chown * /var/lib/ambari-server/data/tmp, /bin/chgrp * /var/lib/ambari-server/data/tmp, /bin/rm -rf /var/lib/ambari-server/data/tmp/*, /bin/cp -f /tmp/* /var/lib/ambari-server/data/tmp/*, /usr/bin/test * *, /bin/stat -c %u %g %a /var/lib/ambari-server/data/tmp/*
  - Some versions of sudo have a default configuration that prevents sudo from being invoked from a non-interactive shell. In order for the agent to run its commands non-interactively, some defaults need to be overridden:
Defaults exempt_group = ambari
Defaults !env_reset,env_delete-=PATH
Defaults: ambari !requiretty
To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l. There, you can double-check that there are no warnings and that the configuration output matches what was just applied.
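
One way to script the sudo -l check described above, as an added example that is not part of the Ambari documentation. The names check_sudo_l, EXPECTED and SAMPLE_OK are assumptions made here, the expected entries are a subset of the sudoers lines on this page, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: check captured `sudo -l` output for the ambari user.
# Real use, as root:  su - ambari -c 'sudo -l' 2>&1 | check_sudo_l

# Entries expected from the sudoers lines on this page (a subset).
EXPECTED='/bin/mkdir -p /etc/security/keytabs
/bin/rm -f /etc/security/keytabs/*.keytab
/bin/mkdir -p /var/lib/ambari-server/data/tmp
/bin/stat -c %u %g %a /var/lib/ambari-server/data/tmp/*
!requiretty'

# Reads `sudo -l` output on stdin, prints each problem, returns 0 only if clean.
check_sudo_l() {
    out=$(cat)
    problems=0

    # Any warning from sudo (for example a sudoers parse problem) fails the check.
    if printf '%s\n' "$out" | grep -qi 'warning'; then
        echo "sudo printed a warning"
        problems=$((problems + 1))
    fi

    # Each expected entry must appear literally (-F: '*' is not a pattern here).
    while IFS= read -r entry; do
        if ! printf '%s\n' "$out" | grep -qF -- "$entry"; then
            echo "missing: $entry"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED
EOF

    # The page's rules are NOPASSWD; without it sudo would stop at a password prompt.
    if ! printf '%s\n' "$out" | grep -q 'NOPASSWD'; then
        echo "rules are not NOPASSWD"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample output for a dry run; real layout varies by sudo version.
SAMPLE_OK='Matching Defaults entries for ambari on host1:
    exempt_group=ambari, !env_reset, env_delete-=PATH, !requiretty

User ambari may run the following commands on host1:
    (ALL) NOPASSWD: SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/rm -f /etc/security/keytabs/*.keytab
    (ALL) NOPASSWD: SETENV: /bin/mkdir -p /var/lib/ambari-server/data/tmp, /bin/stat -c %u %g %a /var/lib/ambari-server/data/tmp/*'

printf '%s\n' "$SAMPLE_OK" | check_sudo_l && echo "sample output passes"
```

Extend EXPECTED with the remaining entries from your own sudoers rules so that a dropped or mistyped command is reported by name.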