Managing LDAP Users in Ambari

Adding users to a Hadoop cluster can be a little time-intensive.

I’ve managed Hadoop clusters for just a little while now and I’ve discovered the user management factor of Ambari is a little rough around the edges. Specifically, there’s no easy way to manage Ambari LDAP users from within Ambari despite LDAP being a very popular way to provision and manage user access.

There is the command ambari-server sync-ldap [--users user.csv | --groups groups.csv] for adding users or groups but that can be an issue if access to the ambari user or server is limited. Additionally, the command line utility doesn’t innately have any control over HDFS directories (either creating or deleting) upon a user- or group-sync, creating extra steps in the user creation process.

To address this, I present:
ambari-ldap-manager

ambari-ldap-manager is a simple web server built with requests. It interacts with your Ambari server using the API and accomplishes various tasks associated with LDAP user and group management.

Installing

Assuming you have a Python 3 virtual environment set up, installing is very easy:

pip install ambari-ldap-manager

It’s hosted on PyPI here: https://pypi.python.org/pypi/ambari-ldap-manager

and the lovely, bug-free* code is hosted on GitHub here: https://github.com/Barneyjm/ambari-ldap-manager

Forks, pull requests, and issues welcomed!

Using

Once it’s installed, start it as follows:

python -m ambari-ldap-manager http://<ambari-server-url>:8080 <username> <password>

Then navigate to http://localhost:5000 to view the splendor that is the Ambari LDAP Manager.

[Screenshot: home page] Hey, I’m no UI designer, alright?

Look at all those things you can click! Users, Groups, LDAP Events, and a handy link to your specific Ambari server.

Perusing

Click around and you can add users or groups to your Ambari instance as long as you’re an Admin in Ambari. If you’re not, the webserver will just throw errors in the background but still allow you to click around and enjoy my super-slick Bootstrap theme.

Here’s what happens when you click Sync or Submit on any of these pages:

  1. ambari-ldap-manager issues a call, using the credentials you provided on startup, to create a user (or however many users are in a particular group)
  2. the server issues a call as hdfs* to create that user’s (or all users’ in a group) HDFS home.
  3. the server issues a call to the API to remove any LDAP users no longer in the group
  4. the server issues a call as hdfs* to remove any directory owned by the user that was removed.

That sequence is repeated for nearly every operation that ambari-ldap-manager performs, all using the Ambari API.

The great thing is that you don’t need access to the Ambari server or user to run this server. I just keep it available on my local laptop and provision access to lower-level clusters for people as needed.

*Some caveats (there always are caveats with weekend hack projects!):

  1. Not guaranteed to do all the fancy HDFS folder control in a Ranger or Kerberos controlled cluster.
  2. You type your password in plaintext on the command line (there are ways around this)
  3. This was tested with “normal” usernames and group names: letters, numbers, and dashes. Strange characters may do strange things.
  4. There’s no reason why this wouldn’t work on higher environments (prod) but I haven’t tried it, so risk it if you want.
  5. No “Are you sure?” button when deleting things.
  6. Many other things but this blog post is getting long and I’m hungry.
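
One way around caveats 2 and 3, as an added example that is not part of ambari-ldap-manager: the password comes from an environment variable or a no-echo prompt instead of argv, and names are checked before a sync request is built. The variable name AMBARI_PASSWORD, the function names and the sample host and users are assumptions made for illustration.

```python
import base64
import getpass
import json
import os
import re
import urllib.request

# Caveat 3: only letters, numbers and dashes were tested, so reject anything else.
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")


def resolve_password(env=os.environ, prompt=getpass.getpass):
    """Read the password from AMBARI_PASSWORD (assumed name) or a no-echo prompt, never argv."""
    return env.get("AMBARI_PASSWORD") or prompt("Ambari password: ")


def build_sync_event(principal_type, names):
    """JSON body asking Ambari to sync specific LDAP users or groups."""
    if principal_type not in ("users", "groups"):
        raise ValueError("principal_type must be 'users' or 'groups'")
    bad = [n for n in names if not SAFE_NAME.fullmatch(n)]
    if bad or not names:
        raise ValueError(f"refusing empty or untested names: {bad}")
    spec = {"principal_type": principal_type, "sync_type": "specific",
            "names": ",".join(names)}
    return [{"Event": {"specs": [spec]}}]


def build_request(base_url, username, password, body):
    """Prepare (but do not send) the POST to Ambari's ldap_sync_events endpoint."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/ldap_sync_events",
        data=json.dumps(body).encode(),
        method="POST",
        # Ambari rejects modifying calls that lack X-Requested-By.
        headers={"Authorization": "Basic " + token, "X-Requested-By": "ambari"},
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    body = build_sync_event("users", ["alice", "bob-1"])
    req = build_request("http://ambari.example:8080", "admin", resolve_password(), body)
    print(req.get_method(), req.full_url, json.dumps(body))
```

The prompt path keeps the password out of both shell history and the process argument list.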

Here are some additional screenshots:

  - /users
  - /user/admin
  - /groups
  - /group/ldap-group1
  - /events (a list of all LDAP sync events)
  - /event/1 (a specific LDAP sync event)

I heavily used the Ambari API “documentation” to write this little package.

Cheers!


One thought on “Managing LDAP Users in Ambari”

  1. kalpanak September 28, 2017 / 5:58 am

    I understand your creates and managing users, groups, LDAP events. Python 3 virtual environment setup is very easily installed in your command.
