Adding users to a Hadoop cluster can be a little time-intensive.

I’ve managed Hadoop clusters for just a little while now and I’ve discovered the user management factor of Ambari is a little rough around the edges. Specifically, there’s no easy way to manage Ambari LDAP users from within Ambari despite LDAP being a very popular way to provision and manage user access.

There is the command ambari-server sync-ldap [--users user.csv | --groups groups.csv] for adding users or groups, but that can be an issue if access to the ambari user or server is limited. Additionally, the command line utility has no built-in control over HDFS directories (either creating or deleting) upon a user or group sync, creating extra steps in the user creation process.

To address this, I present:

ambari-ldap-manager is a simple web server built with requests. It interacts with your Ambari server using the API and accomplishes various tasks associated with LDAP user and group management.


Assuming you have a Python 3 virtual environment set up, installing is very easy:

pip install ambari-ldap-manager

It’s hosted on PyPI here:

and the lovely, bug-free* code is hosted on GitHub here:

Forks, pull requests, and issues welcomed!


Once it’s installed, start it as follows:

python -m ambari-ldap-manager http://<ambari-server-url>:8080 <username> <password>

Then navigate to http://localhost:5000 to view the splendor that is the Ambari LDAP Manager.

Hey, I’m no UI designer, alright?

Look at all those things you can click! Users, Groups, LDAP Events, and a handy link to your specific Ambari server.


Click around and you can add users or groups to your Ambari instance as long as you’re an Admin in Ambari. If you’re not, the webserver will just throw errors in the background but still allow you to click around and enjoy my super-slick Bootstrap theme.

Here’s what happens when you click Sync or Submit on any of these pages:

  1. ambari-ldap-manager issues a call, using the credentials you provided on startup, to create a user (or however many users are in a particular group)
  2. the server issues a call as hdfs* to create that user’s (or all users’ in a group) HDFS home.
  3. the server issues a call to the API to remove any LDAP users no longer in the group
  4. the server issues a call as hdfs* to remove any directory owned by the user that was removed.

That basic sequence is repeated for basically any operation that ambari-ldap-manager does, all using the Ambari API.

The great thing is that you don’t need access to the Ambari server or user to run this server. I just keep it available on my local laptop and provision access to lower level clusters as needed to people.

*Some caveats (there always are caveats with weekend hack projects!):

  1. Not guaranteed to do all the fancy HDFS folder control in a Ranger or Kerberos controlled cluster.
  2. You type your password in plaintext on the command line (there are ways around this).
  3. This was tested with “normal” usernames and group names: letters, numbers, and dashes. Strange characters may do strange things.
  4. There’s no reason why this wouldn’t work on higher environments (prod) but I haven’t tried it, so risk it if you want.
  5. No “Are you sure?” button when deleting things.
  6. Many other things but this blog post is getting long and I’m hungry.
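
Caveats 3 and 5 interact with step 4 of the sync sequence: a removed user's name ends up in an HDFS path that gets deleted with no confirmation. The following is an added example, not code from ambari-ldap-manager: a dry-run planner that accepts only the "normal" names described above and resolves each one to a direct child of the home root before anything is created or removed. The function names, the /user/<name> home layout and the sample names are assumptions.

```python
import posixpath
import re

# Assumption: only the "normal" names the post says were tested are allowed:
# letters, numbers and dashes, starting with a letter or number.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")
HOME_ROOT = "/user"  # assumption: conventional parent of HDFS home directories


def home_dir(name):
    """Return /user/<name>, or raise ValueError if the name is unsafe."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe principal name: {name!r}")
    path = posixpath.normpath(posixpath.join(HOME_ROOT, name))
    # Defence in depth: the result must be a direct child of HOME_ROOT.
    if posixpath.dirname(path) != HOME_ROOT:
        raise ValueError(f"path escapes {HOME_ROOT}: {path!r}")
    return path


def plan_sync(ldap_members, ambari_ldap_users):
    """Dry-run plan for one group sync: nothing is created or deleted here."""
    plan = {"create": [], "remove": [], "rejected": []}
    wanted, current = set(ldap_members), set(ambari_ldap_users)
    for action, names in (("create", wanted - current), ("remove", current - wanted)):
        for name in sorted(names):
            try:
                plan[action].append((name, home_dir(name)))
            except ValueError as exc:
                # Rejected names never reach a create or delete call.
                plan["rejected"].append((action, name, str(exc)))
    return plan


if __name__ == "__main__":
    # Constructed sample data, not output from a real cluster.
    members = ["alice", "bob-2", "../tmp", "carol,admin"]
    existing = ["bob-2", "dave", "..", ""]
    result = plan_sync(members, existing)
    for key in ("create", "remove", "rejected"):
        print(key, result[key])
```

Reviewing the "remove" and "rejected" lists before acting on them stands in for the missing "Are you sure?" step.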

Here are some additional screenshots:

/events (a list of all LDAP sync events)
/event/1 (a specific LDAP sync event)



I heavily used the Ambari API “documentation” to write this little package.

