Beispiel #1
0
def setup_component_https(component, command, property, alias):
    if not get_silent():
        jdk_path = find_jdk()
        if jdk_path is None:
            err = "No JDK found, please run the \"ambari-server setup\" " \
                  "command to install a JDK automatically or install any " \
                  "JDK manually to " + configDefaults.JDK_INSTALL_DIR
            raise FatalException(1, err)

        properties = get_ambari_properties()

        use_https = properties.get_property(property) in ['true']

        if use_https:
            if get_YN_input(
                    "Do you want to disable HTTPS for " + component +
                    " [y/n] (n)? ", False):
                truststore_path = get_truststore_path(properties)
                truststore_password = get_truststore_password(properties)

                run_component_https_cmd(
                    get_delete_cert_command(jdk_path, alias, truststore_path,
                                            truststore_password))

                properties.process_pair(property, "false")
            else:
                return
        else:
            if get_YN_input(
                    "Do you want to configure HTTPS for " + component +
                    " [y/n] (y)? ", True):
                truststore_type = get_truststore_type(properties)
                truststore_path = get_truststore_path(properties)
                truststore_password = get_truststore_password(properties)

                run_os_command(
                    get_delete_cert_command(jdk_path, alias, truststore_path,
                                            truststore_password))

                import_cert_path = get_validated_filepath_input( \
                    "Enter path to " + component + " Certificate: ", \
                    "Certificate not found")

                run_component_https_cmd(
                    get_import_cert_command(jdk_path, alias, truststore_type,
                                            import_cert_path, truststore_path,
                                            truststore_password))

                properties.process_pair(property, "true")
            else:
                return

        conf_file = find_properties_file()
        f = open(conf_file, 'w')
        properties.store(f,
                         "Changed by 'ambari-server " + command + "' command")
    else:
        print command + " is not enabled in silent mode."
Beispiel #2
0
def setup_https(args):
  if not is_root():
        err = 'ambari-server setup-https should be run with ' \
              'root-level privileges'
        raise FatalException(4, err)
  args.exit_message = None
  if not get_silent():
    properties = get_ambari_properties()
    try:
      security_server_keys_dir = properties.get_property(SSL_KEY_DIR)
      client_api_ssl_port = DEFAULT_SSL_API_PORT if properties.get_property(SSL_API_PORT) in ("") \
            else properties.get_property(SSL_API_PORT)
      api_ssl = properties.get_property(SSL_API) in ['true']
      client_api_ssl_port_old_value = properties.get_property(SSL_API_PORT)
      api_ssl_old_value = properties.get_property(SSL_API)
      cert_was_imported = False
      cert_must_import = True
      if api_ssl:
        if get_YN_input("Do you want to disable HTTPS [y/n] (n)? ", False):
          properties.process_pair(SSL_API, "false")
          cert_must_import=False
        else:
          properties.process_pair(SSL_API_PORT, \
                                  get_validated_string_input( \
                                      "SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                      str(client_api_ssl_port), \
                                      "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
          cert_was_imported = import_cert_and_key_action(security_server_keys_dir, properties)
      else:
        if get_YN_input("Do you want to configure HTTPS [y/n] (y)? ", True):
          properties.process_pair(SSL_API_PORT, \
                                  get_validated_string_input("SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                                               str(client_api_ssl_port), "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
          cert_was_imported = import_cert_and_key_action(security_server_keys_dir, properties)
        else:
          return False

      if cert_must_import and not cert_was_imported:
        print 'Setup of HTTPS failed. Exiting.'
        return False

      conf_file = find_properties_file()
      f = open(conf_file, 'w')
      properties.store(f, "Changed by 'ambari-server setup-https' command")

      if api_ssl_old_value != properties.get_property(SSL_API) \
          or client_api_ssl_port_old_value != properties.get_property(SSL_API_PORT):
        print "Ambari server URL changed. To make use of the Tez View in Ambari " \
              "please update the property tez.tez-ui.history-url.base in tez-site"

      ambari_user = read_ambari_user()
      if ambari_user:
        adjust_directory_permissions(ambari_user)
      return True
    except (KeyError), e:
        err = 'Property ' + str(e) + ' is not defined'
        raise FatalException(1, err)
Beispiel #3
0
def setup_https(args):
    if not is_root():
        warn = 'ambari-server setup-https is run as ' \
              'non-root user, some sudo privileges might be required'
        print warn
    args.exit_message = None
    if not get_silent():
        properties = get_ambari_properties()
        try:
            security_server_keys_dir = properties.get_property(SSL_KEY_DIR)
            client_api_ssl_port = DEFAULT_SSL_API_PORT if properties.get_property(SSL_API_PORT) in ("") \
                  else properties.get_property(SSL_API_PORT)
            api_ssl = properties.get_property(SSL_API) in ['true']
            cert_was_imported = False
            cert_must_import = True
            if api_ssl:
                if get_YN_input("Do you want to disable HTTPS [y/n] (n)? ",
                                False):
                    properties.process_pair(SSL_API, "false")
                    cert_must_import = False
                else:
                    properties.process_pair(SSL_API_PORT, \
                                            get_validated_string_input( \
                                                "SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                                str(client_api_ssl_port), \
                                                "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
                    cert_was_imported = import_cert_and_key_action(
                        security_server_keys_dir, properties)
            else:
                if get_YN_input("Do you want to configure HTTPS [y/n] (y)? ",
                                True):
                    properties.process_pair(SSL_API_PORT, \
                                            get_validated_string_input("SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                                                         str(client_api_ssl_port), "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
                    cert_was_imported = import_cert_and_key_action(
                        security_server_keys_dir, properties)
                else:
                    return False

            if cert_must_import and not cert_was_imported:
                print 'Setup of HTTPS failed. Exiting.'
                return False

            conf_file = find_properties_file()
            f = open(conf_file, 'w')
            properties.store(f,
                             "Changed by 'ambari-server setup-https' command")

            ambari_user = read_ambari_user()
            if ambari_user:
                adjust_directory_permissions(ambari_user)
            return True
        except (KeyError), e:
            err = 'Property ' + str(e) + ' is not defined'
            raise FatalException(1, err)
Beispiel #4
0
def setup_truststore(options, import_cert=False):
  if not get_silent():
    jdk_path = find_jdk()
    if jdk_path is None:
      err = "No JDK found, please run the \"ambari-server setup\" " \
            "command to install a JDK automatically or install any " \
            "JDK manually to " + configDefaults.JDK_INSTALL_DIR
      raise FatalException(1, err)

    properties = get_ambari_properties()

    truststore_confirm = True if options.trust_store_path is not None and options.trust_store_path else False
    truststore_reconfigure = True if options.trust_store_reconfigure is not None else False

    if truststore_confirm or get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True):

      #Re-configuration enabled only for option "Setup truststore"
      if not import_cert and properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY)\
        and (truststore_reconfigure or get_YN_input(
            "The truststore is already configured. Do you want to re-configure "
            "the truststore [y/n] (y)? ", True)):
        properties.removeProp(SSL_TRUSTSTORE_TYPE_PROPERTY)
        properties.removeProp(SSL_TRUSTSTORE_PATH_PROPERTY)
        properties.removeProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY)

      truststore_type = get_and_persist_truststore_type(properties, options)
      truststore_path = get_and_persist_truststore_path(properties, options)
      truststore_password = get_and_persist_truststore_password(properties, options)

      if import_cert:

        import_cert_confirm = True if options.import_cert_path is not None else get_YN_input("Do you want to import a certificate [y/n] (y)? ", True)
        if import_cert_confirm:
          aliasOption = options.import_cert_alias if options.import_cert_alias is not None and options.import_cert_alias else None
          alias = aliasOption if aliasOption is not None \
            else get_validated_string_input("Please enter an alias for the certificate: ", "", None, None, False, False)

          run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

          import_cert_path = get_validated_filepath_input("Enter path to certificate: ",
                                                          "Certificate not found",
                                                          answer=options.import_cert_path)

          run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))

    else:
      return

    conf_file = find_properties_file()
    f = open(conf_file, 'w')
    properties.store(f, "Changed by 'ambari-server setup-security' command")
  else:
    print "setup-security is not enabled in silent mode."
Beispiel #5
0
def setup_truststore(import_cert=False):
    if not get_silent():
        jdk_path = find_jdk()
        if jdk_path is None:
            err = "No JDK found, please run the \"ambari-server setup\" " \
                  "command to install a JDK automatically or install any " \
                  "JDK manually to " + configDefaults.JDK_INSTALL_DIR
            raise FatalException(1, err)

        properties = get_ambari_properties()

        if get_YN_input("Do you want to configure a truststore [y/n] (y)? ",
                        True):
            truststore_type = get_truststore_type(properties)
            truststore_path = get_truststore_path(properties)
            truststore_password = get_truststore_password(properties)

            if import_cert:

                if get_YN_input(
                        "Do you want to import a certificate [y/n] (y)? ",
                        True):

                    alias = get_validated_string_input(
                        "Please enter an alias for the certificate: ", "",
                        None, None, False, False)

                    run_os_command(
                        get_delete_cert_command(jdk_path, alias,
                                                truststore_path,
                                                truststore_password))

                    import_cert_path = get_validated_filepath_input( \
                        "Enter path to certificate: ", \
                        "Certificate not found")

                    run_component_https_cmd(
                        get_import_cert_command(jdk_path, alias,
                                                truststore_type,
                                                import_cert_path,
                                                truststore_path,
                                                truststore_password))

        else:
            return

        conf_file = find_properties_file()
        f = open(conf_file, 'w')
        properties.store(f,
                         "Changed by 'ambari-server setup-security' command")
    else:
        print "setup-security is not enabled in silent mode."
Beispiel #6
0
def setup_https(args):
  if not is_root():
        err = 'tbds-server setup-https should be run with ' \
              'root-level privileges'
        raise FatalException(4, err)
  args.exit_message = None
  if not get_silent():
    properties = get_ambari_properties()
    try:
      security_server_keys_dir = properties.get_property(SSL_KEY_DIR)
      client_api_ssl_port = DEFAULT_SSL_API_PORT if properties.get_property(SSL_API_PORT) in ("") \
            else properties.get_property(SSL_API_PORT)
      api_ssl = properties.get_property(SSL_API) in ['true']
      cert_was_imported = False
      cert_must_import = True
      if api_ssl:
        if get_YN_input("Do you want to disable HTTPS [y/n] (n)? ", False):
          properties.process_pair(SSL_API, "false")
          cert_must_import=False
        else:
          properties.process_pair(SSL_API_PORT, \
                                  get_validated_string_input( \
                                      "SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                      str(client_api_ssl_port), \
                                      "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
          cert_was_imported = import_cert_and_key_action(security_server_keys_dir, properties)
      else:
        if get_YN_input("Do you want to configure HTTPS [y/n] (y)? ", True):
          properties.process_pair(SSL_API_PORT, \
                                  get_validated_string_input("SSL port ["+str(client_api_ssl_port)+"] ? ", \
                                                               str(client_api_ssl_port), "^[0-9]{1,5}$", "Invalid port.", False, validatorFunction = is_valid_https_port))
          cert_was_imported = import_cert_and_key_action(security_server_keys_dir, properties)
        else:
          return False

      if cert_must_import and not cert_was_imported:
        print 'Setup of HTTPS failed. Exiting.'
        return False

      conf_file = find_properties_file()
      f = open(conf_file, 'w')
      properties.store(f, "Changed by 'tbds-server setup-https' command")

      ambari_user = read_ambari_user()
      if ambari_user:
        adjust_directory_permissions(ambari_user)
      return True
    except (KeyError), e:
        err = 'Property ' + str(e) + ' is not defined'
        raise FatalException(1, err)
Beispiel #7
0
def setup_component_https(component, command, property, alias):
  if not get_silent():
    jdk_path = find_jdk()
    if jdk_path is None:
      err = "No JDK found, please run the \"tbds-server setup\" " \
            "command to install a JDK automatically or install any " \
            "JDK manually to " + configDefaults.JDK_INSTALL_DIR
      raise FatalException(1, err)

    properties = get_ambari_properties()

    use_https = properties.get_property(property) in ['true']

    if use_https:
      if get_YN_input("Do you want to disable HTTPS for " + component + " [y/n] (n)? ", False):
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        run_component_https_cmd(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

        properties.process_pair(property, "false")
      else:
        return
    else:
      if get_YN_input("Do you want to configure HTTPS for " + component + " [y/n] (y)? ", True):
        truststore_type = get_truststore_type(properties)
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

        import_cert_path = get_validated_filepath_input( \
            "Enter path to " + component + " Certificate: ", \
            "Certificate not found")

        run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))

        properties.process_pair(property, "true")
      else:
        return

    conf_file = find_properties_file()
    f = open(conf_file, 'w')
    properties.store(f, "Changed by 'tbds-server " + command + "' command")
  else:
    print command + " is not enabled in silent mode."
def setup_truststore(import_cert=False):
  if not get_silent():
    jdk_path = find_jdk()
    if jdk_path is None:
      err = "No JDK found, please run the \"ambari-server setup\" " \
            "command to install a JDK automatically or install any " \
            "JDK manually to " + configDefaults.JDK_INSTALL_DIR
      raise FatalException(1, err)

    properties = get_ambari_properties()

    if get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True):
      truststore_type = get_truststore_type(properties)
      truststore_path = get_truststore_path(properties)
      truststore_password = get_truststore_password(properties)

      if import_cert:

        if get_YN_input("Do you want to import a certificate [y/n] (y)? ", True):

          alias = get_validated_string_input("Please enter an alias for the certificate: ", "", None, None, False, False)

          run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

          import_cert_path = get_validated_filepath_input( \
              "Enter path to certificate: ", \
              "Certificate not found")

          run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))

    else:
      return

    conf_file = find_properties_file()
    f = open(conf_file, 'w')
    properties.store(f, "Changed by 'ambari-server setup-security' command")
  else:
    print "setup-security is not enabled in silent mode."
Beispiel #9
0
def setup_master_key():
  if not is_root():
    err = 'Ambari-server setup should be run with ' \
          'root-level privileges'
    raise FatalException(4, err)

  properties = get_ambari_properties()
  if properties == -1:
    raise FatalException(1, "Failed to read properties file.")

  db_windows_auth_prop = properties.get_property(JDBC_USE_INTEGRATED_AUTH_PROPERTY)
  db_sql_auth = False if db_windows_auth_prop and db_windows_auth_prop.lower() == 'true' else True
  db_password = properties.get_property(JDBC_PASSWORD_PROPERTY)
  # Encrypt passwords cannot be called before setup
  if db_sql_auth and not db_password:
    print 'Please call "setup" before "encrypt-passwords". Exiting...'
    return 1

  # Check configuration for location of master key
  isSecure = get_is_secure(properties)
  (isPersisted, masterKeyFile) = get_is_persisted(properties)

  # Read clear text DB password from file
  if db_sql_auth and not is_alias_string(db_password) and os.path.isfile(db_password):
    with open(db_password, 'r') as passwdfile:
      db_password = passwdfile.read()

  ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY)
  if ldap_password:
    # Read clear text LDAP password from file
    if not is_alias_string(ldap_password) and os.path.isfile(ldap_password):
      with open(ldap_password, 'r') as passwdfile:
        ldap_password = passwdfile.read()

  ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
  resetKey = False
  masterKey = None

  if isSecure:
    print "Password encryption is enabled."
    resetKey = get_YN_input("Do you want to reset Master Key? [y/n] (n): ", False)

  # For encrypting of only unencrypted passwords without resetting the key ask
  # for master key if not persisted.
  if isSecure and not isPersisted and not resetKey:
    print "Master Key not persisted."
    masterKey = get_original_master_key(properties)
  pass

  # Make sure both passwords are clear-text if master key is lost
  if resetKey:
    if not isPersisted:
      print "Master Key not persisted."
      masterKey = get_original_master_key(properties)
      # Unable get the right master key or skipped question <enter>
      if not masterKey:
        print "To disable encryption, do the following:"
        print "- Edit " + find_properties_file() + \
              " and set " + SECURITY_IS_ENCRYPTION_ENABLED + " = " + "false."
        err = "{0} is already encrypted. Please call {1} to store unencrypted" \
              " password and call 'encrypt-passwords' again."
        if db_sql_auth and db_password and is_alias_string(db_password):
          print err.format('- Database password', "'" + SETUP_ACTION + "'")
        if ldap_password and is_alias_string(ldap_password):
          print err.format('- LDAP manager password', "'" + LDAP_SETUP_ACTION + "'")
        if ts_password and is_alias_string(ts_password):
          print err.format('TrustStore password', "'" + LDAP_SETUP_ACTION + "'")

        return 1
      pass
    pass
  pass

  # Read back any encrypted passwords
  if db_sql_auth  and db_password and is_alias_string(db_password):
    db_password = read_passwd_for_alias(JDBC_RCA_PASSWORD_ALIAS, masterKey)
  if ldap_password and is_alias_string(ldap_password):
    ldap_password = read_passwd_for_alias(LDAP_MGR_PASSWORD_ALIAS, masterKey)
  if ts_password and is_alias_string(ts_password):
    ts_password = read_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, masterKey)
  # Read master key, if non-secure or reset is true
  if resetKey or not isSecure:
    masterKey = read_master_key(resetKey)
    persist = get_YN_input("Do you want to persist master key. If you choose " \
                           "not to persist, you need to provide the Master " \
                           "Key while starting the ambari server as an env " \
                           "variable named " + SECURITY_KEY_ENV_VAR_NAME + \
                           " or the start will prompt for the master key."
                           " Persist [y/n] (y)? ", True)
    if persist:
      save_master_key(masterKey, get_master_key_location(properties) + os.sep +
                      SECURITY_MASTER_KEY_FILENAME, persist)
    elif not persist and masterKeyFile:
      try:
        os.remove(masterKeyFile)
        print_info_msg("Deleting master key file at location: " + str(
          masterKeyFile))
      except Exception, e:
        print 'ERROR: Could not remove master key file. %s' % e
    # Blow up the credential store made with previous key, if any
    store_file = get_credential_store_location(properties)
    if os.path.exists(store_file):
      try:
        os.remove(store_file)
      except:
        print_warning_msg("Failed to remove credential store file.")
      pass
    pass