Restricting root access
Many secure environments require restricted access and limit the services that run as the root user. In such environments, Ambari must be configured to operate without direct root access.
About this task
Perform the following steps to set up Ambari and IBM Storage® Scale for a non-root user:
Procedure
1. Create a user ID that can perform passwordless SSH between all the nodes in the cluster. This non-root user ID is required to configure the Ambari server and agents when setting up the Ambari cluster in step 3.
2. Verify that the root ID and the Ambari server non-root ID can perform passwordless SSH.
Bi-directional passwordless SSH must work for the non-root ID from the GPFS™ Master node (Ambari server) to all the GPFS nodes and to itself (the Ambari server node).
The root ID must be able to perform passwordless SSH from the GPFS Master node (Ambari server) to all the GPFS nodes and to itself (the Ambari server node); uni-directional access is sufficient.
The BI example uses am_agent as the non-root ID for the Ambari server, the Ambari agents, and the IBM Spectrum® Scale cluster user.
The HDP example uses ambari-server as the non-root ID for the Ambari server, and am_agent as the non-root ID for the Ambari agents and the IBM Storage Scale cluster.
The user ID and group ID of the non-root ID must be the same.
For example:
As root: ssh am_agent@<ambari-agent-host> must work without a password.
As am_agent: ssh am_agent@<ambari-agent-host> must work without a password.
3. Set up an Ambari cluster as the non-root user.
For BI, follow the steps in the IBM® BigInsights® Installation documentation under Configuring Ambari for non-root access.
For HDP, follow the steps in the Hortonworks Installation documentation under Configuring Ambari for non-root.
Note: Once you are at the Host Registration wizard, ensure the following:
- The SSH User Account specifies the non-root user ID.
- The manual host registration radio button in the Ambari UI is selected. This ensures that the Ambari agent processes run as the non-root user and execute the IBM Spectrum Scale service integration code.
4. Configure IBM Spectrum Scale without remote root by following the steps in the Configuring sudo topic in the IBM Storage Scale: Administration Guide.
The non-root user/group ID used in the Configuring sudo section of the IBM Storage Scale™ document is the Ambari agent non-root user/group ID.
5. Additionally, on each host, modify the /etc/sudoers file to include the following changes:
- Add the list of allowed commands for the non-root user:
    /usr/bin/cd /usr/lpp/mmfs/src, /usr/bin/curl, /usr/bin/make Autoconfig, /usr/bin/make World, /usr/bin/make InstallImages, /usr/lpp/mmfs/hadoop/sbin/mmhadoopctl, /usr/lpp/mmfs/hadoop/sbin/hadoop-daemon.sh, /usr/lpp/mmfs/hadoop/sbin/gpfs_hdfs_pkg.sh, /usr/sbin/parted, /usr/sbin/partprobe, /sbin/mkfs.ext4
BI sudoers
The Ambari Server user and group is am_agent:am_agent.
The Ambari Agent user and group is am_agent:am_agent.
The IBM Spectrum Scale cluster user and group is am_agent:am_agent.
Example of /etc/sudoers file added entries in the BI environment:

    # Ambari IOP Customizable Users
    am_agent ALL=(ALL) NOPASSWD:SETENV: /bin/su hdfs *, /bin/su ambari-qa *, /bin/su zookeeper *, /bin/su knox *, /bin/su ams *, /bin/su flume *, /bin/su hbase *, /bin/su spark *, /bin/su hive *, /bin/su hcat *, /bin/su kafka *, /bin/su mapred *, /bin/su oozie *, /bin/su sqoop *, /bin/su storm *, /bin/su yarn *, /bin/su solr *, /bin/su titan *, /bin/su ranger *, /bin/su kms *
    # Ambari value-adds Customizable Users
    am_agent ALL=(ALL) NOPASSWD:SETENV: /bin/su - bigsheets *, /bin/su uiuser *, /bin/su tauser *, /bin/su - bigr *
    # Ambari Non-Customizable Users
    am_agent ALL=(ALL) NOPASSWD:SETENV: /bin/su mysql *
    # Ambari IOP Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/yum, /usr/bin/zypper, /usr/bin/apt-get, /bin/mkdir, /usr/bin/test, /bin/ln, /bin/chown, /bin/chmod, /bin/chgrp, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/usermod, /bin/cp, /usr/sbin/setenforce, /usr/bin/stat, /bin/mv, /bin/sed, /bin/rm, /bin/kill, /bin/readlink, /usr/bin/pgrep, /bin/cat, /usr/bin/unzip, /bin/tar, /usr/bin/tee, /bin/touch, /usr/bin/iop-select, /usr/bin/conf-select, /usr/iop/current/hadoop-client/sbin/hadoop-daemon.sh, /usr/lib/hadoop/bin/hadoop-daemon.sh, /usr/lib/hadoop/sbin/hadoop-daemon.sh, /sbin/chkconfig gmond off, /sbin/chkconfig gmetad off, /etc/init.d/httpd *, /sbin/service iop-gmetad start, /sbin/service iop-gmond start, /usr/sbin/gmond, /usr/sbin/update-rc.d ganglia-monitor *, /usr/sbin/update-rc.d gmetad *, /etc/init.d/apache2 *, /usr/sbin/service iop-gmond *, /usr/sbin/service iopgmetad *, /sbin/service mysqld *, /sbin/service mysql *, /usr/bin/python2.6 /var/lib/ambari-agent/data/tmp/validateKnoxStatus.py *, /usr/iop/current/knox-server/bin/knoxcli.sh *, /usr/bin/dpkg *, /bin/rpm *, /usr/sbin/hst *, /usr/sbin/service mysql *, /usr/sbin/service mariadb *, /usr/bin/ambari-python-wrap, /usr/bin/cd /usr/lpp/mmfs/src, /usr/bin/curl, /usr/bin/make Autoconfig, /usr/bin/make World, /usr/bin/make InstallImages, /usr/lpp/mmfs/hadoop/sbin/mmhadoopctl, /usr/lpp/mmfs/hadoop/sbin/hadoop-daemon.sh, /usr/lpp/mmfs/hadoop/bin/gpfs, /usr/lpp/mmfs/hadoop/sbin/gpfs_hdfs_pkg.sh, /usr/sbin/parted, /usr/sbin/partprobe, /sbin/mkfs.ext4
    # Ambari value-adds Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/updatedb *, /usr/bin/sh *, /usr/bin/scp *, /usr/bin/pkill *, /bin/unlink *, /usr/bin/mysqld_safe, /usr/bin/mysql_install_db, /usr/bin/R, /usr/bin/Rscript, /bin/bash, /usr/bin/kinit, /usr/bin/hadoop, /usr/bin/mysqladmin, /usr/sbin/userdel, /usr/sbin/groupdel, /usr/sbin/ambari-server, /usr/bin/klist
    Cmnd_Alias BIGSQL_SERVICE_AGNT=/var/lib/ambari-agent/cache/stacks/BigInsights/*/services/BIGSQL/package/scripts/*
    Cmnd_Alias BIGSQL_SERVICE_SRVR=/var/lib/ambari-server/resources/stacks/BigInsights/*/services/BIGSQL/package/scripts/*
    Cmnd_Alias BIGSQL_DIST_EXEC=/usr/ibmpacks/current/bigsql/bigsql/bin/*, /usr/ibmpacks/current/bigsql/bigsql/libexec/*, /usr/ibmpacks/current/bigsql/bigsql/install/*, /usr/ibmpacks/current/IBM-DSM/ibm-datasrvrmgr/bin/*, /usr/ibmpacks/bin/*/*
    Cmnd_Alias BIGSQL_OS_CALLS=/bin/su, /usr/bin/getent, /usr/bin/id, /usr/bin/ssh, /bin/echo, /usr/bin/scp, /bin/find, /usr/bin/du, /sbin/mkhomedir_helper, /bin/curl
    am_agent ALL=(ALL) NOPASSWD:SETENV:/bin/*, /usr/bin/*, /usr/sbin/*, /usr/bin/R, /usr/bin/Rscript, BIGSQL_SERVICE_AGNT, BIGSQL_SERVICE_SRVR, BIGSQL_DIST_EXEC, BIGSQL_OS_CALLS
    Defaults exempt_group = am_agent
    Defaults !env_reset,env_delete-=PATH
    Defaults: am_agent !requiretty
    #GPFS cluster non-root added
    # Preserve GPFS environment variables:
    Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
    # Allow members of the gpfs group to run all commands but only selected commands without a password:
    %am_agent ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore
    # Disable requiretty for group gpfs:
    Defaults:%am_agent !requiretty

HDP sudoers
The Ambari Server user and group is ambari-server:hadoop.
The Ambari Agent user and group is am_agent:am_agent.
The IBM Spectrum Scale cluster user and group is am_agent:am_agent.
Example of /etc/sudoers file added entries in the HDP environment:

    # Ambari Commands
    ambari-server ALL=(ALL) NOPASSWD:SETENV: /bin/mkdir -p /etc/security/keytabs, /bin/chmod * /etc/security/keytabs/*.keytab, /bin/chown * /etc/security/keytabs/*.keytab, /bin/chgrp * /etc/security/keytabs/*.keytab, /bin/rm -f /etc/security/keytabs/*.keytab, /bin/cp -p -f /var/lib/ambari-server/data/tmp/* /etc/security/keytabs/*.keytab
    # Sudo Defaults - Ambari Server (In order for the agent to run its commands non-interactively, some defaults need to be overridden)
    Defaults exempt_group = ambari-server
    Defaults !env_reset,env_delete-=PATH
    Defaults: ambari-server !requiretty
    # Ambari Agent non root configuration
    # Ambari Customizable Users
    am_agent ALL=(ALL) NOPASSWD:SETENV: /bin/su hdfs *, /bin/su ambari-qa *, /bin/su ranger *, /bin/su zookeeper *, /bin/su knox *, /bin/su falcon *, /bin/su ams *, /bin/su flume *, /bin/su hbase *, /bin/su spark *, /bin/su accumulo *, /bin/su hive *, /bin/su hcat *, /bin/su kafka *, /bin/su mapred *, /bin/su oozie *, /bin/su sqoop *, /bin/su storm *, /bin/su tez *, /bin/su atlas *, /bin/su yarn *, /bin/su kms *, /bin/su activity_analyzer *, /bin/su livy *, /bin/su zeppelin *, /bin/su infra-solr *, /bin/su logsearch *
    # Ambari: Core System Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/yum, /usr/bin/zypper, /usr/bin/apt-get, /bin/mkdir, /usr/bin/test, /bin/ln, /bin/ls, /bin/chown, /bin/chmod, /bin/chgrp, /bin/cp, /usr/sbin/setenforce, /usr/bin/test, /usr/bin/stat, /bin/mv, /bin/sed, /bin/rm, /bin/kill, /bin/readlink, /usr/bin/pgrep, /bin/cat, /usr/bin/unzip, /bin/tar, /usr/bin/tee, /bin/touch, /usr/bin/mysql, /sbin/service mysqld *, /usr/bin/dpkg *, /bin/rpm *, /usr/sbin/hst *, /sbin/service rpcbind *, /sbin/service portmap *, /usr/bin/cd /usr/lpp/mmfs/src, /usr/bin/curl, /usr/bin/make Autoconfig, /usr/bin/make World, /usr/bin/make InstallImages, /usr/lpp/mmfs/hadoop/sbin/mmhadoopctl, /usr/lpp/mmfs/hadoop/sbin/hadoop-daemon.sh, /usr/lpp/mmfs/hadoop/bin/gpfs, /usr/lpp/mmfs/hadoop/sbin/gpfs_hdfs_pkg.sh, /usr/sbin/parted, /usr/sbin/partprobe, /sbin/mkfs.ext4
    # Ambari: Hadoop and Configuration Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/hdp-select, /usr/bin/conf-select, /usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh, /usr/lib/hadoop/bin/hadoop-daemon.sh, /usr/lib/hadoop/sbin/hadoop-daemon.sh, /usr/bin/ambari-python-wrap *
    # Ambari: System User and Group Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/usermod
    # Ambari: Knox Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/python2.6 /var/lib/ambari-agent/data/tmp/validateKnoxStatus.py *, /usr/hdp/current/knox-server/bin/knoxcli.sh
    # Ambari: Ranger Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/hdp/*/ranger-usersync/setup.sh, /usr/bin/ranger-usersync-stop, /usr/bin/ranger-usersync-start, /usr/hdp/*/ranger-admin/setup.sh *, /usr/hdp/*/ranger-knox-plugin/disable-knox-plugin.sh *, /usr/hdp/*/ranger-storm-plugin/disable-storm-plugin.sh *, /usr/hdp/*/ranger-hbase-plugin/disable-hbase-plugin.sh *, /usr/hdp/*/ranger-hdfs-plugin/disable-hdfs-plugin.sh *, /usr/hdp/current/ranger-admin/ranger_credential_helper.py, /usr/hdp/current/ranger-kms/ranger_credential_helper.py, /usr/hdp/*/ranger-*/ranger_credential_helper.py
    # Ambari Infra and LogSearch Commands
    am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/lib/ambari-infra-solr/bin/solr *, /usr/lib/ambari-logsearch-logfeeder/run.sh *, /usr/sbin/ambari-metrics-grafana *, /usr/lib/ambari-infra-solr-client/solrCloudCli.sh *
    # Sudo Defaults - Ambari Agent (In order for the agent to run its commands non-interactively, some defaults need to be overridden)
    Defaults exempt_group = am_agent
    Defaults !env_reset,env_delete-=PATH
    Defaults: am_agent !requiretty
    #GPFS cluster non-root added
    # Preserve GPFS environment variables:
    Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
    # Allow members of the gpfs group to run all commands but only selected commands without a password:
    %am_agent ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore
    # Disable requiretty for group gpfs:
    Defaults:%am_agent !requiretty

6. Perform the steps from Deploy the IBM Spectrum Scale service to add the module as the root user.
Note: You must restart Ambari as root; exceptions occur when it is restarted as the non-root user. This issue is not seen on Ambari 2.5.0.3 when ambari-server is restarted as the non-root user.
Note:
- There might be an issue with HBase stopping in a non-root environment. For more information, see the Troubleshooting Ambari section.
- In a non-root Ambari environment, the Hive service check might fail. For resolution, see the Troubleshooting Ambari section.
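As an added check that is not part of the IBM documentation, the following Python script parses sudoers entries of the kind added in step 5 (Cmnd_Alias definitions, Defaults lines, and user specifications with NOPASSWD/PASSWD/SETENV tags) and reports grants that make the non-root ID root-equivalent, such as NOPASSWD on ALL or on a whole directory like /usr/bin/*, together with Defaults that exempt the group from password checks or disable environment resetting. The sample entries are constructed from the BI example above; the parser covers only the subset of the sudoers grammar those entries use.

```python
"""Audit sudoers entries for grants that make a non-root ID root-equivalent.
Added example, not IBM's or Ambari's code: it parses the sudoers subset used in
step 5 (Cmnd_Alias, Defaults, user specs with NOPASSWD/PASSWD/SETENV tags)."""
import re

# Constructed sample drawn from the BI entries in step 5 (not a complete file).
SAMPLE_SUDOERS = """
Cmnd_Alias BIGSQL_OS_CALLS=/bin/su, /usr/bin/getent, /usr/bin/id, /usr/bin/ssh
am_agent ALL=(ALL) NOPASSWD:SETENV: /usr/bin/yum, /bin/mkdir, /usr/bin/make Autoconfig
am_agent ALL=(ALL) NOPASSWD:SETENV:/bin/*, /usr/bin/*, /usr/sbin/*, BIGSQL_OS_CALLS
Defaults exempt_group = am_agent
Defaults !env_reset,env_delete-=PATH
%am_agent ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp
"""

USER_SPEC = re.compile(r"^(?P<user>[%\w.-]+)\s+\S+\s*=\s*\([^)]*\)\s*(?P<rest>.*)$")
TAG = re.compile(r"(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")
BROAD = re.compile(r"^(ALL|/\S*/\*)$")  # ALL, or a directory wildcard such as /usr/bin/*
WEAK_DEFAULTS = ("exempt_group", "!env_reset", "env_delete-=PATH")


def parse_grants(text: str) -> list:
    """Return one {"user", "cmd", "nopasswd"} record per granted command."""
    aliases, grants = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = USER_SPEC.match(line)
        if not m:  # blank lines, comments and Defaults never match a user spec
            continue
        needs_password = True  # sudoers default; a tag stays in force along the list
        for item in filter(None, (i.strip() for i in m.group("rest").split(","))):
            while (tag := TAG.match(item)):
                needs_password = {"NOPASSWD": False, "PASSWD": True}.get(tag.group(1), needs_password)
                item = item[tag.end():]
            for cmd in aliases.get(item, [item]):  # expand a Cmnd_Alias reference
                grants.append({"user": m.group("user"), "cmd": cmd, "nopasswd": not needs_password})
    return grants


def audit(text: str) -> list:
    """Wildcard NOPASSWD grants plus Defaults that weaken sudo, as readable findings."""
    findings = [f"{g['user']}: NOPASSWD on {g['cmd']} is an unrestricted root grant"
                for g in parse_grants(text) if g["nopasswd"] and BROAD.match(g["cmd"].split()[0])]
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Defaults") and any(w in line for w in WEAK_DEFAULTS):
            findings.append(f"weakened sudo defaults: {line}")
    return findings
```

Feed audit() the contents of a host's /etc/sudoers to review the entries added in step 5; the script reports only privilege breadth, so visudo -c is still needed to confirm the file parses.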