I’ve managed Hadoop clusters for just a little while now and I’ve discovered the user management factor of Ambari is a little rough around the edges. Specifically, there’s no easy way to manage Ambari LDAP users from within Ambari despite LDAP being a very popular way to provision and manage user access.
There is the command ambari-server sync-ldap [--users user.csv | --groups groups.csv] for adding users or groups, but that can be an issue if access to the ambari user or server is limited. Additionally, the command line utility doesn’t innately have any control over HDFS directories (either creating or deleting) upon a user- or group-sync, creating extra steps in the user creation process.
To address this, I present:
ambari-ldap-manager is a simple web server built with requests. It interacts with your Ambari server using the API and accomplishes various tasks associated with LDAP user and group management.
Assuming you have a Python 3 virtual environment set up, installing is very easy:
pip install ambari-ldap-manager
It’s hosted on PyPI here: https://pypi.python.org/pypi/ambari-ldap-manager
and the lovely, bug-free* code is hosted on GitHub here: https://github.com/Barneyjm/ambari-ldap-manager
Forks, pull requests, and issues welcomed!
Once it’s installed, start it as follows:
python -m ambari-ldap-manager http://<ambari-server-url>:8080 <username> <password>
Then navigate to http://localhost:5000 to view the splendor that is the Ambari LDAP Manager.
Look at all those things you can click! Users, Groups, LDAP Events, and a handy link to your specific Ambari server.
Click around and you can add users or groups to your Ambari instance as long as you’re an Admin in Ambari. If you’re not, the webserver will just throw errors in the background but still allow you to click around and enjoy my super-slick Bootstrap theme.
Here’s what happens when you click Submit on any of these pages:
- ambari-ldap-manager issues a call, using the credentials you provided on startup, to create a user (or however many users are in a particular group)
- the server issues a call as hdfs* to create that user’s (or all users’ in a group) HDFS home.
- the server issues a call to the API to remove any LDAP users no longer in the group
- the server issues a call as hdfs* to remove any directory owned by the user that was removed.
That basic sequence is repeated for basically any operation that ambari-ldap-manager does, all using the Ambari API.
The great thing is that you don’t need access to the Ambari server or user to run this server. I just keep it available on my local laptop and provision access to lower level clusters as needed to people.
*Some caveats (there always are caveats with weekend hack projects!):
- Not guaranteed to do all the fancy HDFS folder control in a Ranger or Kerberos controlled cluster.
- You type your password in plaintext on the command line (there are ways around this)
- This was tested with “normal” usernames and group names: letters, numbers, and dashes. Strange characters may do strange things.
- There’s no reason why this wouldn’t work on higher environments (prod) but I haven’t tried it, so risk it if you want.
- No “Are you sure?” button when deleting things.
- Many other things but this blog post is getting long and I’m hungry.
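The sync sequence above combined with the caveat about strange characters, as an added example that is not code from ambari-ldap-manager: it plans the create and remove steps without contacting Ambari or HDFS, and refuses to turn any name outside the tested character set into a directory to create or delete. The function names, the /user home root, the no-leading-dash rule and the sample names are assumptions made for illustration.

```python
import posixpath
import re

# Assumption: HDFS homes live under /user/<name>, the usual Hadoop convention.
HDFS_HOME_ROOT = "/user"
# Character set the post says was tested: letters, numbers and dashes.
# Assumption: a leading dash is also refused so a name never looks like an option.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")


def hdfs_home(name):
    """Return the HDFS home for name, or raise ValueError if the name is unsafe."""
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"refusing unsafe name: {name!r}")
    path = posixpath.normpath(posixpath.join(HDFS_HOME_ROOT, name))
    # Defence in depth: the result must be a direct child of the home root.
    if posixpath.dirname(path) != HDFS_HOME_ROOT:
        raise ValueError(f"path escapes {HDFS_HOME_ROOT}: {path!r}")
    return path


def _route(names, users_key, dirs_key, plan):
    """File each name under its user/directory step, or under 'rejected'."""
    for name in sorted(names):
        try:
            path = hdfs_home(name)
        except ValueError:
            plan["rejected"].append(name)  # left for a human to review
            continue
        plan[users_key].append(name)
        plan[dirs_key].append(path)


def plan_group_sync(ldap_members, ambari_ldap_users):
    """Plan the four steps for one group: create, mkdir, remove, rmdir."""
    plan = {"create_users": [], "mkdir": [], "remove_users": [],
            "rmdir": [], "rejected": []}
    members, existing = set(ldap_members), set(ambari_ldap_users)
    _route(members - existing, "create_users", "mkdir", plan)
    _route(existing - members, "remove_users", "rmdir", plan)
    return plan


# Constructed sample data, not taken from a real directory or cluster.
SAMPLE_LDAP_MEMBERS = ["alice", "bob-2", "../tmp", "carol/.."]
SAMPLE_AMBARI_USERS = ["alice", "dave", ".", "eve old"]

if __name__ == "__main__":
    for step, items in plan_group_sync(SAMPLE_LDAP_MEMBERS, SAMPLE_AMBARI_USERS).items():
        print(f"{step}: {items}")
```

Without the check, the sample name "." would normalise to /user itself and land in the delete step.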
Here’s some additional screenshots:
I heavily used the Ambari API “documentation” to write this little package.