performing a non-root ambari install (with hortonworks admin 1 course)

Created by Lester Martin
Last updated: Apr 19, 2016
5 min read

These instructions have been tested on Rev 1.2 of the HDP Operations: Hadoop Administration I course.

These steps are captured to support a client who wants to do the Installing HDP lab from Hortonworks' Admin I course, but use a non-root user for the install.  The current version of this course is based on HDP 2.3.0 and you can visit http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Installing_HDP_AMB/content/_set_up_password-less_ssh.html to see that the simple & novel instructions for this are as follows.

It is possible to use a non-root SSH account, if that account can execute sudo without entering a password. 

The good news is that for this lab (especially in the order it is now; at the END of the course) is only installing to node1 which makes this much easier.  Basically, you just need to do some of the steps I previously publicly published in setting up hdp 2.1 with non-standard users for hadoop services (why not use a non-standard user for ambari, too).  Specifically, the following steps need to happen just after the Resetting the Lab Environment section and just before the Installing Ambari Server section.

From the ubuntu host, log into node1 and create the user for the install.

root@ubuntu:~# ssh node1
Last login: Fri Sep 18 22:48:18 2015 from 172.17.42.1
[root@node1 ~]# useradd -m -s /bin/bash ryoambari
[root@node1 ~]# groupadd ryoambari
groupadd: group 'ryoambari' already exists

This creates a user w/ID of 500, but we need to increase that.

[root@node1 ~]# id -u ryoambari
500
[root@node1 ~]# usermod -u 1500 ryoambari
[root@node1 ~]# groupmod -g 1500 ryoambari
[root@node1 ~]# id -u ryoambari
1500

Now we need to make sure this new user can run password-less sudo commands.

[root@node1 ~]# cp /etc/sudoers ./sudoers.original
[root@node1 ~]# visudo

Now that you are editing this file, go to the end and add the following line then save the file.  If using vi, you can just hit ESC twice, then type a colon and finally type wq to write & quit.

ALL	ALL=(ALL)	NOPASSWD: ALL

You can verify this is all that was changed by running a diff command whose results should look something like the following.

[root@node1 ~]# diff sudoers.original /etc/sudoers
118a119,120
> 
> ALL	ALL=(ALL)	NOPASSWD: ALL

Now, verify it worked by seeing if this new user can edit the /etc/passwd file (be sure to hit ESC twice, then type a colon and finally type q! to quit w/o saving!!).

[root@node1 ~]# su - ryoambari
[ryoambari@node1 ~]$ sudo vi /etc/passwd

NOTE: This is clearly a hack and not at all what one would do in a production environment to give this service account elevated privledges, but this brute-force approach lets us then perform the install with a non-root user.

You will also need to be able to perform SSH connections to all the hosts (yes, we're only doing node1, but let's stick to the script) and this can be setup by running the following commands.

[ryoambari@node1 ~]$ sudo yum install openssh-clients

	...

Complete!
[ryoambari@node1 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ryoambari/.ssh/id_rsa): 
Created directory '/home/ryoambari/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ryoambari/.ssh/id_rsa.
Your public key has been saved in /home/ryoambari/.ssh/id_rsa.pub.
The key fingerprint is:
a8:60:cf:43:29:50:57:e9:0f:71:78:73:ae:b1:bc:11 ryoambari@node1
The key's randomart image is:
+--[ RSA 2048]----+
|  . ...o         |
| . .  + + .      |
|.    . + +       |
| .   .o.E .      |
|  + o .+S=       |
| . * .  *        |
|    =    o       |
|     .  .        |
|                 |
+-----------------+
[ryoambari@node1 ~]$ cd .ssh
[ryoambari@node1 .ssh]$ pwd
/home/ryoambari/.ssh
[ryoambari@node1 .ssh]$ ls -l
total 8
-rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
-rw-r--r-- 1 ryoambari ryoambari  397 Apr 18 19:45 id_rsa.pub
[ryoambari@node1 .ssh]$ cat id_rsa.pub >> authorized_keys
[ryoambari@node1 .ssh]$ ls -l
total 12
-rw-rw-r-- 1 ryoambari ryoambari  397 Apr 18 19:46 authorized_keys
-rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
-rw-r--r-- 1 ryoambari ryoambari  397 Apr 18 19:45 id_rsa.pub
[ryoambari@node1 .ssh]$ chmod 600 authorized_keys
[ryoambari@node1 .ssh]$ ls -l
total 12
-rw------- 1 ryoambari ryoambari  397 Apr 18 19:46 authorized_keys
-rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
-rw-r--r-- 1 ryoambari ryoambari  397 Apr 18 19:45 id_rsa.pub
[ryoambari@node1 .ssh]$ cd ..
[ryoambari@node1 ~]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 2e:0c:53:b1:d4:06:7d:ab:bd:79:f9:17:08:f2:8a:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
[ryoambari@node1 ~]$ cd .ssh
[ryoambari@node1 .ssh]$ echo 'StrictHostKeyChecking no' >> config
[ryoambari@node1 .ssh]$ cat config
StrictHostKeyChecking no
[ryoambari@node1 .ssh]$ exit
logout
Connection to localhost closed.

Yep, that was a mouthful, but it is really sysadmin stuff that would need to be setup ahead of time to allow the ryoadmin non-root user to perform SSH operations to the other hosts.  The good news is that is customers don't want to do this, Ambari tells them that they can just do a yum install ambari-agent operation on all nodes and configure the .ini file to point back to the ambari server address, but I digress...

At the beginning of the Installing Ambari Server section, go ahead and do steps 1 - 3 as root (i.e. type exit to ensure you are no longer ryoambari) which won't affect the scenario we are trying to test as these are specific to the course's lab environment and are not normal Ambari install activities.

PRIOR TO STEP 4, switch back to ryoambari and kick off the yum step to download and install the Ambari Server software, but prefix this operation with sudo since you are no longer root.

[root@node1 scripts]# su - ryoambari
[ryoambari@node1 ~]$ sudo yum -y install ambari-server

	...

Complete!

Once that is complete, you'll need to change back to root to be able to run the JDK copy script (again, this is special to this lab environment) in Step 5.

[ryoambari@node1 ~]$ pwd
/home/ryoambari
[ryoambari@node1 ~]$ exit
logout
[root@node1 scripts]# pwd
/root/scripts
[root@node1 scripts]# ./copy_jdk.sh

Then switch back to ryoambari for Step 6 and beyond, but realize these commands need to run with sudo prefixed to them as identified below.

[root@node1 scripts]# su - ryoambari
[ryoambari@node1 ~]$ sudo ambari-server setup -s

	...

Ambari Server 'setup' completed successfully.
[ryoambari@node1 ~]$ sudo ambari-server start

	...

Ambari Server 'start' completed successfully.

This takes us to the Installing HDP section and we need to make a couple of changes in Step 10.  The "SSH User Account" textbox's value needs to change from root to ryoambari as shown in the following screenshot.  Additionally, you'll need to copy the contents of the /home/ryoambari/.ssh/id_rsa into the textbox identified below (include the BEGIN and END lines).

At this point, the rest of the lab can be completed as is and you will have validated that you can install HDP with Ambari without needing access to the root user.

NOTE: it is my recommendation that you simply take it as a fact that this can be done and not go through all of these steps to validate a documented and supported process.