Authorize users for Apache Ambari Views

Enterprise Security Package (ESP) enabled HDInsight clusters provide enterprise-grade capabilities, including Azure Active Directory-based authentication. You can synchronize new users added to Azure AD groups that have been granted access to the cluster, allowing those specific users to perform certain actions. Working with users, groups, and permissions in Apache Ambari is supported for both ESP HDInsight clusters and standard HDInsight clusters.

Active Directory users can sign in to the cluster nodes using their domain credentials. They can also use their domain credentials to authenticate cluster interactions with other approved endpoints such as Hue, Ambari Views, ODBC, JDBC, PowerShell, and REST APIs.

Warning

Do not change the password of the Ambari watchdog (hdinsightwatchdog) on your Linux-based HDInsight cluster. Changing the password breaks the ability to use script actions or perform scaling operations with your cluster.

If you have not already done so, follow these instructions to provision a new ESP cluster.

Access the Ambari management page

To get to the Ambari management page on the Apache Ambari Web UI, browse to https://CLUSTERNAME.azurehdinsight.cn. Enter the cluster administrator username and password that you defined when creating the cluster. Next, from the Ambari dashboard, select Manage Ambari underneath the admin menu:

Apache Ambari dashboard management

Add users

Add users through the portal

  1. From the management page, select Users.

    Apache Ambari management page users

  2. Select + Create Local User.

  3. Provide a username and password. Select Save.

Add users through PowerShell

Edit the variables below by replacing CLUSTERNAME, NEWUSER, and PASSWORD with the appropriate values.

# Set-ExecutionPolicy Unrestricted

# Begin user input; update values
$clusterName="CLUSTERNAME"
$user="NEWUSER"
$userpass='PASSWORD'
# End user input

$adminCredentials = Get-Credential -UserName "admin" -Message "Enter admin password"

$clusterName = $clusterName.ToLower()
$createUserUrl="https://$($clusterName).azurehdinsight.cn/api/v1/users"

$createUserBody=@{
    "Users/user_name" = "$user"
    "Users/password" = "$userpass"
    "Users/active" = "$true"
    "Users/admin" = "$false"
} | ConvertTo-Json

# Create user
$statusCode =
Invoke-WebRequest `
    -Uri $createUserUrl `
    -Credential $adminCredentials `
    -Method POST `
    -Headers @{"X-Requested-By" = "ambari"} `
    -Body $createUserBody | Select-Object -Expand StatusCode

if ($statusCode -eq 201) {
    Write-Output "User is created: $user"
}
else
{
    Write-Output 'User is not created'
    Exit
}

$grantPrivilegeUrl="https://$($clusterName).azurehdinsight.cn/api/v1/clusters/$($clusterName)/privileges"

$grantPrivilegeBody=@{
    "PrivilegeInfo" = @{
        "permission_name" = "CLUSTER.USER"
        "principal_name" = "$user"
        "principal_type" = "USER"
    }
} | ConvertTo-Json

# Grant privileges
$statusCode =
Invoke-WebRequest `
    -Uri $grantPrivilegeUrl `
    -Credential $adminCredentials `
    -Method POST `
    -Headers @{"X-Requested-By" = "ambari"} `
    -Body $grantPrivilegeBody | Select-Object -Expand StatusCode

if ($statusCode -eq 201) {
    Write-Output 'Privilege is granted'
}
else
{
    Write-Output 'Privilege is not granted'
    Exit
}

Write-Host "Pausing for 100 seconds"
Start-Sleep -s 100

$userCredentials = "$($user):$($userpass)"
$encodedUserCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($userCredentials))
$zookeeperUrlHeaders = @{ Authorization = "Basic $encodedUserCredentials" }
$getZookeeperurl="https://$($clusterName).azurehdinsight.cn/api/v1/clusters/$($clusterName)/services/ZOOKEEPER/components/ZOOKEEPER_SERVER"

# Perform query with new user
$zookeeperHosts =
Invoke-WebRequest `
    -Uri $getZookeeperurl `
    -Method Get `
    -Headers $zookeeperUrlHeaders

Write-Output $zookeeperHosts

Add users through Curl

Edit the variables below by replacing CLUSTERNAME, ADMINPASSWORD, NEWUSER, and USERPASSWORD with the appropriate values. The script is designed to be executed with bash. Slight modifications would be needed for a Windows command prompt.

export clusterName="CLUSTERNAME"
export adminPassword='ADMINPASSWORD'
export user="NEWUSER"
export userPassword='USERPASSWORD'

# create user
# -k skips TLS certificate verification; drop it when the endpoint presents a
# certificate your system trusts. --fail makes curl exit non-zero on an HTTP
# error, so a rejected request is not reported as success below.
curl -k --fail -u admin:$adminPassword -H "X-Requested-By: ambari" -X POST \
-d "{\"Users/user_name\":\"$user\",\"Users/password\":\"$userPassword\",\"Users/active\":\"true\",\"Users/admin\":\"false\"}" \
https://$clusterName.azurehdinsight.cn/api/v1/users \
|| { echo "user not created: $user" >&2; exit 1; }

echo "user created: $user"

# grant permissions (Cluster User role on the cluster)
curl -k --fail -u admin:$adminPassword -H "X-Requested-By: ambari" -X POST \
-d '[{"PrivilegeInfo":{"permission_name":"CLUSTER.USER","principal_name":"'$user'","principal_type":"USER"}}]' \
https://$clusterName.azurehdinsight.cn/api/v1/clusters/$clusterName/privileges \
|| { echo "Privilege is not granted" >&2; exit 1; }

echo "Privilege is granted"

# wait for the new account to become usable
echo "Pausing for 100 seconds"
sleep 100

# perform query using new user account
curl -k -u $user:$userPassword -H "X-Requested-By: ambari" \
-X GET "https://$clusterName.azurehdinsight.cn/api/v1/clusters/$clusterName/services/ZOOKEEPER/components/ZOOKEEPER_SERVER"

Grant permissions to Apache Hive views

Ambari comes with view instances for Apache Hive and Apache TEZ, among others. To grant access to one or more Hive view instances, go to the Ambari management page.

  1. From the management page, select the Views link under the Views menu heading on the left.

    Views link for Apache Ambari views

  2. On the Views page, expand the HIVE row. There is one default Hive view that is created when the Hive service is added to the cluster. You can also create more Hive view instances as needed. Select a Hive view:

    HDInsight views - Apache Hive view

  3. Scroll toward the bottom of the View page. Under the Permissions section, you have two options for granting domain users their permissions to the view:

    • Grant permission to these users

      Grant permission to these users

    • Grant permission to these groups

      Grant permission to these groups

  4. To add a user, select the Add User button.

    • Start typing the user name, and you will see a dropdown list of previously defined names.

      Apache Ambari user autocomplete

    • Select, or finish typing, the user name. To add this user name as a new user, select the New button.

    • To save your changes, select the blue checkbox.

      Apache Ambari grant user permissions

  5. To add a group, select the Add Group button.

    • Start typing the group name. The process of selecting an existing group name, or adding a new group, is the same as for adding users.

    • To save your changes, select the blue checkbox.

      Apache Ambari grant permissions

Adding users directly to a view is useful when you want to give a user permission to use that view but do not want them to be a member of a group that has additional permissions. To reduce administrative overhead, it may be simpler to assign permissions to groups.

Grant permissions to Apache TEZ views

The Apache TEZ view instances allow users to monitor and debug all Tez jobs submitted by Apache Hive queries and Apache Pig scripts. There is one default Tez view instance that is created when the cluster is provisioned.

To assign users and groups to a Tez view instance, expand the TEZ row on the Views page, as described previously.

HDInsight views - Apache Tez view

To add users or groups, repeat steps 3 - 5 in the previous section.

Assign users to roles

There are five security roles for users and groups, listed in order of decreasing access permissions:

  • Cluster Administrator
  • Cluster Operator
  • Service Administrator
  • Service Operator
  • Cluster User

To manage roles, go to the Ambari management page, then select the Roles link within the Clusters menu group on the left.

Apache Ambari Roles menu link

To see the list of permissions given to each role, click the blue question mark next to the Roles table header on the Roles page.

Apache Ambari roles menu link permissions

On this page, there are two different views you can use to manage roles for users and groups: Block and List.

Block view

The Block view displays each role in its own row and provides the Assign roles to these users and Assign roles to these groups options, as described previously.

Apache Ambari roles Block view

List view

The List view provides quick editing capabilities in two categories: Users and Groups.

  • The Users category of the List view displays a list of all users, allowing you to select a role for each user from the dropdown list.

    Apache Ambari roles List view - users

  • The Groups category of the List view displays all groups and the role assigned to each group. In our example, the list of groups is synchronized from the Azure AD groups specified in the Access user group property of the cluster's Domain settings. See Create an HDInsight cluster with ESP enabled.

    Apache Ambari roles List view - groups

    In the image above, the "hiveusers" group is assigned the Cluster User role. This is a read-only role that allows the users of that group to view, but not change, service configurations and cluster metrics.
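The grant made by the scripts above is a PrivilegeInfo record (permission_name, principal_name, principal_type) posted to the cluster's privileges endpoint, and the Roles page is the UI over the same records. An administrator reviewing those grants against the five-role hierarchy can do it from the API listing instead of the UI. The following is an added example, not code from the article or from Azure HDInsight: it parses a privileges listing, flags every grant above the read-only Cluster User baseline, separates direct USER grants from GROUP grants (the article recommends groups to reduce administrative overhead), and resolves the most privileged role a user ends up with. The response shape and the sample records are constructed for the example; CLUSTER.USER is the name the article uses, and the other four permission names are assumed to be the standard Ambari names for the remaining roles.

```python
"""Audit Ambari cluster role grants from a privileges API listing (added example)."""
import json

# The five roles, most privileged first. CLUSTER.USER appears in the article;
# the other four names are assumed standard Ambari permission names.
ROLE_ORDER = [
    "CLUSTER.ADMINISTRATOR",
    "CLUSTER.OPERATOR",
    "SERVICE.ADMINISTRATOR",
    "SERVICE.OPERATOR",
    "CLUSTER.USER",
]

# Constructed sample of what GET /api/v1/clusters/<cluster>/privileges might
# return after the article's grant plus a few more (shape assumed from the
# PrivilegeInfo body the article POSTs; not a real cluster response).
SAMPLE_RESPONSE = json.dumps({
    "href": "https://CLUSTERNAME.azurehdinsight.cn/api/v1/clusters/CLUSTERNAME/privileges",
    "items": [
        {"PrivilegeInfo": {"permission_name": "CLUSTER.USER",
                           "principal_name": "hiveusers", "principal_type": "GROUP", "privilege_id": 1}},
        {"PrivilegeInfo": {"permission_name": "CLUSTER.USER",
                           "principal_name": "hiveuser2", "principal_type": "USER", "privilege_id": 2}},
        {"PrivilegeInfo": {"permission_name": "CLUSTER.ADMINISTRATOR",
                           "principal_name": "ops-admins", "principal_type": "GROUP", "privilege_id": 3}},
        {"PrivilegeInfo": {"permission_name": "SERVICE.OPERATOR",
                           "principal_name": "contractor1", "principal_type": "USER", "privilege_id": 4}},
    ],
})


def parse_privileges(body):
    """Return a list of (principal_name, principal_type, permission_name) tuples."""
    grants = []
    for item in json.loads(body).get("items", []):
        info = item["PrivilegeInfo"]
        grants.append((info["principal_name"], info["principal_type"], info["permission_name"]))
    return grants


def rank(permission_name):
    """Position in ROLE_ORDER (0 = most privileged). Names not in the
    hierarchy rank above everything so they always show up for review."""
    return ROLE_ORDER.index(permission_name) if permission_name in ROLE_ORDER else -1


def audit(body, baseline="CLUSTER.USER"):
    """Summarise grants that exceed the baseline role and grants made to users directly."""
    grants = parse_privileges(body)
    above_baseline = sorted((g for g in grants if rank(g[2]) < rank(baseline)),
                            key=lambda g: rank(g[2]))
    direct_user_grants = [g for g in grants if g[1] == "USER"]
    return {
        "total": len(grants),
        "above_baseline": above_baseline,
        "direct_user_grants": direct_user_grants,
    }


def effective_role(body, user, groups=()):
    """Most privileged role `user` holds, directly or via any of `groups`; None if unassigned."""
    held = [g[2] for g in parse_privileges(body)
            if (g[1] == "USER" and g[0] == user) or (g[1] == "GROUP" and g[0] in groups)]
    return min(held, key=rank) if held else None


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    print(f"{report['total']} grants in total")
    for name, ptype, perm in report["above_baseline"]:
        print(f"  above Cluster User: {ptype} {name} -> {perm}")
    for name, _, perm in report["direct_user_grants"]:
        print(f"  direct user grant:  {name} -> {perm}")
    print("hiveuser2 via hiveusers:", effective_role(SAMPLE_RESPONSE, "hiveuser2", ("hiveusers",)))
```

In practice the body would come from an authenticated GET against the privileges URL used in the scripts above; the `audit` result is what you would review after synchronizing new Azure AD group members, since a user's effective role is the strongest of their own grant and their groups' grants.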

Log in to Ambari as a view-only user

We have assigned our Azure AD domain user "hiveuser1" permissions to the Hive and Tez views. When we launch the Ambari Web UI and enter this user's domain credentials (Azure AD user name in e-mail format, and password), the user is redirected to the Ambari Views page. From here, the user can select any accessible view. The user cannot visit any other part of the site, including the dashboard, services, hosts, alerts, or admin pages.

Apache Ambari user with views only

Log in to Ambari as a cluster user

We have assigned our Azure AD domain user "hiveuser2" to the Cluster User role. This role is able to access the dashboard and all of the menu items. A cluster user has fewer permitted options than an administrator. For example, hiveuser2 can view configurations for each of the services, but cannot edit them.

Apache Ambari dashboard display

Next steps