Configuring Ambari Authentication with LDAP/Active Directory
In a Big Data Service cluster, Ambari is used to manage the cluster. By default, a Big Data Service cluster has only one administrator account that can manage the cluster, so it is essential to support Active Directory (AD) integration so that users in AD can sign in to Ambari and perform cluster management operations.
Configuring Ambari to Authenticate External Users
On the un0 node, run:
sudo ambari-server setup-ldap
Respond to each prompt with the following information. Prompts marked with an asterisk are required.

Prompt | Description
Please select the type of LDAP you want to use* | AD
Primary URL Host* | <AD_FQDN>
Primary URL Port* | The port for the LDAP server. By default, secured LDAPS runs on port 636 and unsecured LDAP on port 389.
Secondary URL Host | Press Enter to leave it empty.
Secondary URL Port | Press Enter to leave it empty.
Use SSL* | true if you decide to use LDAPS over port 636.
Do you want to provide custom TrustStore for Ambari [y/n] | For a Big Data Service cluster, you can enter 'n' here and ignore the subsequent request of 'removing
The TrustStore is already configured: ssl.trustStore.type = jks; ssl.trustStore.path = /etc/security/serverKeys/truststore.jks; ssl.trustStore.password = ${alias=ambari.ssl.trustStore.password}. Do you want to remove these properties [y/n] (n)? | Enter n. If you entered the LDAPS URL of AD in bds-cert.conf and ran sudo bds_cert_util --enable from the mn0 node, the jks file here should already contain the LDAPS certificate.
TrustStore type | Not needed if you did not remove the default property. Truststore format: jks
Path to TrustStore | Not needed if you did not remove the default property. /etc/security/serverKeys/truststore.jks
Password for TrustStore | Not needed if you did not remove the default property. If needed, run sudo bash /home/opc/cloud/flask-microservice/cert_util/scripts/get_pass_mn0.sh to get the password.
User object class* | person
User name attribute* | sAMAccountName
Group object class* | group
Group name attribute* | cn
Group member attribute* | member
Distinguished name attribute* | distinguishedName
Search Base* | <AD_SEARCH_BASE>
Referral method* | ignore
Bind anonymously* | false
Bind DN* | <AD_BIND_USER_DN>. To find it, run dsquery user -name BIND_USER_NAME in Windows PowerShell on the AD server.
Bind DN Password* | <AD_BIND_USER_PWD>
Handling behavior for username collisions* | convert (recommended)
Force lower-case user names | true (recommended)
Results from LDAP are paginated when requested | false (recommended)
Disable endpoint identification during SSL handshake | true (recommended)
For example:
[opc@opowerun0-0 ~]$ sudo ambari-server setup-ldap
Using python /usr/bin/python
Currently 'no auth method' is configured, do you wish to use LDAP instead [y/n] (y)? y
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Fetching LDAP configuration from DB. No configuration.
Please select the type of LDAP you want to use [AD/IPA/Generic](Generic):AD
Primary LDAP Host: <PRIMARY_LDAP_HOST>
Primary LDAP Port: 636
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (false): true
Disable endpoint identification during SSL handshake [true/false] (False): true
Do you want to provide custom TrustStore for Ambari [y/n] (y)?n
The TrustStore is already configured:
ssl.trustStore.type = jks
ssl.trustStore.path = /etc/security/serverKeys/truststore.jks
ssl.trustStore.password = ${alias=ambari.ssl.trustStore.password}
Do you want to remove these properties [y/n] (y)? n
User object class (user):
User ID attribute (sAMAccountName):
Group object class (group):
Group name attribute (cn):
Group member attribute (member):
Distinguished name attribute (distinguishedName):
Search Base (dc=ambari,dc=apache,dc=org): cn=Users,dc=ad,dc=domain,dc=com
Referral method [follow/ignore] (follow): ignore
Bind anonymously [true/false] (false):
Bind DN (cn=ldapbind,dc=ambari,dc=apache,dc=org): cn=Users,dc=ad,dc=domain,dc=com
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip): convert
Force lower-case user names [true/false]:true
Results from LDAP are paginated when requested [true/false]:false
====================
Review Settings
====================
Primary LDAP Host: <PRIMARY_LDAP_HOST>
Primary LDAP Port: 636
Use SSL [true/false] (false): true
User object class (user): user
User ID attribute (sAMAccountName): sAMAccountName
Group object class (group): group
Group name attribute (cn): cn
Group member attribute (member): member
Distinguished name attribute (distinguishedName): distinguishedName
Search Base (dc=ambari,dc=apache,dc=org): cn=Users,dc=ad,dc=domain,dc=com
Bind anonymously [true/false] (false): false
Handling behavior for username collisions [convert/skip] for LDAP sync (skip): convert
Force lower-case user names [true/false]: true
Results from LDAP are paginated when requested [true/false]: false
ambari.ldap.connectivity.bind_dn: <AMBARI_LDAP_CONNECTIVITY_BIND_DN>
ambari.ldap.connectivity.bind_password: *****
ambari.ldap.advanced.disable_endpoint_identification: true
Save settings [y/n] (y)? y
Saving LDAP properties...
Saving LDAP properties finished
Ambari Server 'setup-ldap' completed successfully.
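As an added check that is not part of the original page, the following Python parses a Review Settings block as setup-ldap prints it and flags answers that weaken the LDAPS binding (plain LDAP, anonymous bind, endpoint identification switched off). The transcript it carries is constructed after the example above, using the recommended answers.

```python
"""Lint the answers `ambari-server setup-ldap` echoes in its Review Settings block.
Added example, not Oracle's or Ambari's code; SAMPLE_REVIEW is a constructed transcript."""
import re

# Strips "[choices]", "(default)" and the "for LDAP sync" infix from a prompt label,
# so "Use SSL [true/false] (false)" becomes "Use SSL".
_DECOR = re.compile(r"\s*(\[[^\]]*\]|\([^)]*\)|for LDAP sync)")

def parse_review(text: str) -> dict:
    """Map each prompt label to the answer printed after its colon."""
    settings = {}
    for line in text.splitlines():
        head, sep, value = line.partition(":")
        if sep and value.strip():  # skip banners and unanswered prompts
            settings[_DECOR.sub("", head).strip()] = value.strip()
    return settings

def lint(settings: dict) -> list:
    """Warnings a reviewer would raise before answering 'Save settings'."""
    def on(key):
        return settings.get(key, "false").strip().lower() == "true"

    port = settings.get("Primary LDAP Port", "")
    warnings = []
    if not on("Use SSL"):
        warnings.append("Use SSL is false: bind password and lookups cross the wire in clear text")
    elif port != "636":
        warnings.append(f"Use SSL is true but port is {port!r}; LDAPS normally listens on 636")
    if on("Bind anonymously"):
        warnings.append("anonymous bind: AD does not allow anonymous searches by default")
    if on("Disable endpoint identification during SSL handshake") or on(
            "ambari.ldap.advanced.disable_endpoint_identification"):
        warnings.append("endpoint identification disabled: the AD host name is not checked "
                        "against its certificate, so keep only the expected AD cert in the truststore")
    return warnings

# Constructed after this page's example; the answers are the recommended ones.
SAMPLE_REVIEW = """\
Primary LDAP Port: 636
Use SSL [true/false] (false): true
Referral method [follow/ignore] (follow): ignore
Bind anonymously [true/false] (false): false
Handling behavior for username collisions [convert/skip] for LDAP sync (skip): convert
ambari.ldap.advanced.disable_endpoint_identification: true
"""

if __name__ == "__main__":
    for warning in lint(parse_review(SAMPLE_REVIEW)):
        print("WARNING:", warning)
```

With the recommended answers the only finding is the disabled endpoint identification: the AD host name is then not compared with its certificate, so the certificate in /etc/security/serverKeys/truststore.jks is the only thing that authenticates the AD server to Ambari.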
Prepare a list of groups to restrict the Active Directory users and groups that are synchronized into Ambari.
(Optional) If you plan to share Ambari access with the users in AD groups, run:
(Optional) To explicitly specify the list of AD users, run:
echo "U1, u2, u3" > users.csv
Restart the Ambari server.
For example:
[opc@opower2un0 ambari-server]$ sudo ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start...............
Server started listening on 7183
Configuring Access for Active Directory Users Through the Ambari UI
Sign in to Apache Ambari with the administrator user name and password.
Click the username button and select Manage Ambari.
Click Users.
Verify users and groups.
In the filter, enter Username: <username>, and then click Edit.
Add the user to the appropriate group.
Log out the administrator and sign in as the user you granted access to.