Securing Credentials

Configure an Ambari Agent for Non-Root

You can configure the Ambari Agent to run as a non-privileged user.

The non-privileged user requires specific sudo access in order to su to Hadoop service accounts and perform specific privileged commands. Configuring Ambari Agents to run as non-root requires that you manually install agents on all nodes in the cluster. For these details, see “Installing Ambari Agents Manually” (link below). After installing each agent, you must configure the agent to run as the desired, non-root user. In this example we will use the ambari user.

  1. Change the run_as_user property in the /etc/ambari-agent/conf/ambari-agent.ini file.
  2. Restart ambari-agent to begin running as the non-root user: ambari-agent restart.
  3. The non-root functionality relies on sudo to run specific commands that require elevated privileges, as defined in the sudoers configuration. Each of the substeps includes the specific sudo entries that should be placed in /etc/sudoers by running the visudo command:
    1. Enter the su commands and corresponding Hadoop service accounts that are configurable on install:
      # Ambari Customizable Users
      ambari ALL=(ALL) NOPASSWD:SETENV: /bin/su hdfs *,/bin/su ambari-qa *,/bin/su ranger *,/bin/su zookeeper *,/bin/su knox *,/bin/su falcon *,/bin/su ams *, /bin/su flume *,/bin/su hbase *,/bin/su spark *,/bin/su accumulo *,/bin/su hive *,/bin/su hcat *,/bin/su kafka *,/bin/su mapred *,/bin/su oozie *,/bin/su sqoop *,/bin/su storm *,/bin/su tez *,/bin/su atlas *,/bin/su yarn *,/bin/su yarn-ats *,/bin/su kms *,/bin/su activity_analyzer *,/bin/su livy *,/bin/su zeppelin *,/bin/su infra-solr *,/bin/su logsearch *

      These user accounts must match the service user accounts referenced in the Customize Services > Misc tab during the Install Wizard configuration step. For example, if you customize YARN to run as xyz_yarn, modify the su command above to be /bin/su xyz_yarn.

    2. Enter the specific commands that must be issued for standard agent operations:
      # Ambari: Core System Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/bin/yum,/usr/bin/zypper,/usr/bin/apt-get, /bin/mkdir, /usr/bin/test, /bin/ln, /bin/ls, /bin/chown, /bin/chmod, /bin/chgrp, /bin/cp, /usr/sbin/setenforce, /usr/bin/test, /usr/bin/stat, /bin/mv, /bin/sed, /bin/rm, /bin/kill, /bin/readlink, /usr/bin/pgrep, /bin/cat, /usr/bin/unzip, /bin/tar, /usr/bin/tee, /bin/touch, /usr/bin/mysql, /sbin/service mysqld *, /usr/bin/dpkg *, /bin/rpm *, /usr/sbin/hst *
      # Ambari: Hadoop and Configuration Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/bin/hdp-select, /usr/bin/conf-select, /usr/hdp/current/hadoop-client/sbin/, /usr/lib/hadoop/bin/, /usr/lib/hadoop/sbin/, /usr/bin/ambari-python-wrap *
      # Ambari: System User and Group Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/usermod
      # Ambari: Kerberos Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/bin/klist -k /etc/security/keytabs/*
      # Ambari: Knox Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/bin/python2.6 /var/lib/ambari-agent/data/tmp/ *, /usr/hdp/current/knox-server/bin/
      # Ambari: Ranger Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/hdp/*/ranger-usersync/, /usr/bin/ranger-usersync-stop, /usr/bin/ranger-usersync-start, /usr/hdp/*/ranger-admin/ *, /usr/hdp/*/ranger-knox-plugin/ *, /usr/hdp/*/ranger-storm-plugin/ *, /usr/hdp/*/ranger-hbase-plugin/ *, /usr/hdp/*/ranger-hdfs-plugin/ *, /usr/hdp/current/ranger-admin/, /usr/hdp/current/ranger-kms/, /usr/hdp/*/ranger-*/
      # Ambari Infra and LogSearch Commands
      ambari ALL=(ALL) NOPASSWD:SETENV: /usr/lib/ambari-infra-solr/bin/solr *, /usr/lib/ambari-logsearch-logfeeder/ *, /usr/sbin/ambari-metrics-grafana *, /usr/lib/ambari-infra-solr-client/ *

      Do not modify the command lists; only the usernames in step 3a may be modified.

      This sudo configuration must be done on every node in the cluster.

    3. Some versions of sudo have a default configuration that prevents sudo from being invoked from a non-interactive shell. In order for the agent to run its commands non-interactively, some defaults need to be overridden:
      Defaults exempt_group = ambari
      Defaults !env_reset,env_delete-=PATH
      Defaults: ambari !requiretty

      This sudo configuration must be done on every node in the cluster.

To ensure that the configuration has been done properly, you can su to the ambari user and run sudo -l. There, you can double-check that there are no warnings, and that the configuration output matches what was just applied.
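Beyond eyeballing sudo -l, you can check a node's sudoers fragment offline for the two things this procedure depends on: that every customized service account from step 3a is covered by a /bin/su rule, and that requiretty is disabled for the agent user. The following is an added Python example, not part of the Ambari documentation or project; the sudoers fragment it parses is constructed (abridged), and xyz_yarn is the hypothetical customized YARN user from the text above.

```python
import re

# Constructed (abridged) fragment for a node where YARN was customized to
# run as xyz_yarn; the other entries are taken verbatim from steps 3a-3c.
SAMPLE_SUDOERS = """\
# Ambari Customizable Users
ambari ALL=(ALL) NOPASSWD:SETENV: /bin/su hdfs *,/bin/su ambari-qa *,/bin/su xyz_yarn *, /bin/su hive *
# Ambari: Kerberos Commands
ambari ALL=(ALL) NOPASSWD:SETENV: /usr/bin/klist -k /etc/security/keytabs/*
Defaults exempt_group = ambari
Defaults !env_reset,env_delete-=PATH
Defaults: ambari !requiretty
"""

# user  host=(runas)  TAG:TAG:  command, command, ...
RULE = re.compile(r"^(\S+)\s+(\S+)=\((\S+)\)\s+((?:\w+:)*)\s*(.*)$")


def parse_rules(text):
    """Return {user: [command spec, ...]} for every user rule in the fragment."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue  # comments and Defaults lines are not user rules
        m = RULE.match(line)
        if not m:
            raise ValueError("unparsable sudoers line: " + line)
        cmds = [c.strip() for c in m.group(5).split(",")]
        rules.setdefault(m.group(1), []).extend(cmds)
    return rules


def su_accounts(rules, user="ambari"):
    """Service accounts that `user` may become via a '/bin/su <acct> *' entry."""
    accounts = set()
    for cmd in rules.get(user, []):
        parts = cmd.split()
        if parts[0] == "/bin/su" and len(parts) == 3 and parts[2] == "*":
            accounts.add(parts[1])
    return accounts


def missing_accounts(text, expected):
    """Service accounts from the Misc tab that have no matching su entry."""
    return set(expected) - su_accounts(parse_rules(text))


def requiretty_disabled(text, user="ambari"):
    """True if a 'Defaults: <user> !requiretty' line is present (step 3c)."""
    pat = re.compile(r"^Defaults:\s*" + re.escape(user) + r"\s+!requiretty$", re.M)
    return pat.search(text) is not None
```

Run it against /etc/sudoers (or the included file under /etc/sudoers.d) on each node, passing the service account names you set in the Customize Services > Misc tab as `expected`.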