Example #1
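def setup_component_https(component, command, property, alias):
    """Interactively switch HTTPS on or off for *component*.

    If the property named by ``property`` currently reads 'true', the
    operator is asked whether to disable HTTPS; on "yes" the command built
    by get_delete_cert_command() is run for ``alias`` and the property is
    set to "false". Otherwise the operator is asked whether to configure
    HTTPS; on "yes" the delete command is run first, a certificate path is
    prompted for, the command built by get_import_cert_command() is run and
    the property is set to "true". Declining either prompt returns without
    writing anything. In silent mode only a message is printed.

    Args:
        component: Display name used in the prompts.
        command: Sub-command name used in the silent-mode message and in
            the header written to the properties file.
        property: Name of the property that records the HTTPS state.
        alias: Truststore alias passed to the delete/import commands.

    Raises:
        FatalException: If find_jdk() returns None.
    """
    if get_silent():
        print(command + " is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()
    https_enabled = properties.get_property(property) == 'true'

    if https_enabled:
        if not get_YN_input(
                "Do you want to disable HTTPS for " + component +
                " [y/n] (n)? ", False):
            return

        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # NOTE(review): the truststore password is handed to the command
        # builder; if it ends up as a command-line argument it is visible
        # to other local users in the process list -- confirm.
        run_component_https_cmd(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))
        properties.process_pair(property, "false")
    else:
        if not get_YN_input(
                "Do you want to configure HTTPS for " + component +
                " [y/n] (y)? ", True):
            return

        truststore_type = get_truststore_type(properties)
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # The result of this delete is not checked; presumably it clears an
        # entry already stored under the alias before the import below.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        # The certificate at this operator-supplied path becomes a trust
        # anchor; no fingerprint or issuer check is visible in this function.
        import_cert_path = get_validated_filepath_input(
            "Enter path to " + component + " Certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))
        properties.process_pair(property, "true")

    conf_file = find_properties_file()
    # Mode 'w' truncates the file before store() writes to it. The context
    # manager releases the handle even if store() raises; a second close is
    # harmless should store() close the stream itself.
    with open(conf_file, 'w') as f:
        properties.store(
            f, "Changed by 'ambari-server " + command + "' command")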
Example #2
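def setup_truststore(options, import_cert=False):
  """Configure the truststore settings and optionally import a certificate.

  Command-line ``options`` can pre-answer the prompts: a non-empty
  ``trust_store_path`` skips the "configure a truststore" question, a
  non-None ``trust_store_reconfigure`` skips the re-configure question, a
  non-None ``import_cert_path`` skips the "import a certificate" question
  and a non-empty ``import_cert_alias`` skips the alias prompt. The updated
  properties are written back to the properties file unless the operator
  declines to configure a truststore. In silent mode only a message is
  printed.

  Args:
    options: Parsed options; the attributes listed above are read here and
      the object is passed on to the get_and_persist_* helpers.
    import_cert: When True, also offer to import a certificate.

  Raises:
    FatalException: If find_jdk() returns None.
  """
  if get_silent():
    print("setup-security is not enabled in silent mode.")
    return

  jdk_path = find_jdk()
  if jdk_path is None:
    err = "No JDK found, please run the \"ambari-server setup\" " \
          "command to install a JDK automatically or install any " \
          "JDK manually to " + configDefaults.JDK_INSTALL_DIR
    raise FatalException(1, err)

  properties = get_ambari_properties()

  truststore_confirm = bool(options.trust_store_path)
  truststore_reconfigure = options.trust_store_reconfigure is not None

  if not (truststore_confirm or
          get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True)):
    return

  # Re-configuration enabled only for option "Setup truststore"
  if not import_cert and properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY) \
      and (truststore_reconfigure or get_YN_input(
          "The truststore is already configured. Do you want to re-configure "
          "the truststore [y/n] (y)? ", True)):
    # Dropping the stored values here; the helpers below are then called
    # with a properties object that no longer holds them.
    properties.removeProp(SSL_TRUSTSTORE_TYPE_PROPERTY)
    properties.removeProp(SSL_TRUSTSTORE_PATH_PROPERTY)
    properties.removeProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY)

  truststore_type = get_and_persist_truststore_type(properties, options)
  truststore_path = get_and_persist_truststore_path(properties, options)
  # NOTE(review): how the password is stored in the properties (plain text
  # or an alias) is decided by the helper and is not visible here -- confirm.
  truststore_password = get_and_persist_truststore_password(properties, options)

  if import_cert:
    if options.import_cert_path is not None:
      import_cert_confirm = True
    else:
      import_cert_confirm = get_YN_input("Do you want to import a certificate [y/n] (y)? ", True)

    if import_cert_confirm:
      # An empty alias option is treated like a missing one.
      alias = options.import_cert_alias or None
      if alias is None:
        alias = get_validated_string_input("Please enter an alias for the certificate: ", "", None, None, False, False)

      # NOTE(review): alias and password are operator-supplied values that
      # go into the command builders; if the result is a shell string or the
      # password lands in argv, quoting and process-list exposure need
      # checking -- confirm against the builders.
      # The result of this delete is not checked; presumably it clears an
      # entry already stored under the alias before the import below.
      run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

      import_cert_path = get_validated_filepath_input("Enter path to certificate: ",
                                                      "Certificate not found",
                                                      answer=options.import_cert_path)

      run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))

  conf_file = find_properties_file()
  # Mode 'w' truncates the file before store() writes to it. The context
  # manager releases the handle even if store() raises; a second close is
  # harmless should store() close the stream itself.
  with open(conf_file, 'w') as f:
    properties.store(f, "Changed by 'ambari-server setup-security' command")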
Example #3
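def setup_truststore(import_cert=False):
    """Interactively configure the truststore and optionally import a cert.

    Asks whether to configure a truststore; on "no" returns without writing.
    On "yes" the truststore type, path and password are obtained through the
    get_truststore_* helpers and, when ``import_cert`` is True and the
    operator agrees, a certificate is imported under an alias entered at the
    prompt. The properties are then written back to the properties file. In
    silent mode only a message is printed.

    Args:
        import_cert: When True, also offer to import a certificate.

    Raises:
        FatalException: If find_jdk() returns None.
    """
    if get_silent():
        print("setup-security is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()

    if not get_YN_input("Do you want to configure a truststore [y/n] (y)? ",
                        True):
        return

    truststore_type = get_truststore_type(properties)
    truststore_path = get_truststore_path(properties)
    truststore_password = get_truststore_password(properties)

    if import_cert and get_YN_input(
            "Do you want to import a certificate [y/n] (y)? ", True):
        alias = get_validated_string_input(
            "Please enter an alias for the certificate: ", "",
            None, None, False, False)

        # NOTE(review): the alias typed by the operator and the truststore
        # password go into the command builders; if the result is a shell
        # string or the password lands in argv, quoting and process-list
        # exposure need checking -- confirm against the builders.
        # The result of this delete is not checked; presumably it clears an
        # entry already stored under the alias before the import below.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        import_cert_path = get_validated_filepath_input(
            "Enter path to certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))

    conf_file = find_properties_file()
    # Mode 'w' truncates the file before store() writes to it. The context
    # manager releases the handle even if store() raises; a second close is
    # harmless should store() close the stream itself.
    with open(conf_file, 'w') as f:
        properties.store(
            f, "Changed by 'ambari-server setup-security' command")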
Example #4
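def setup_component_https(component, command, property, alias):
  """Interactively switch HTTPS on or off for *component*.

  If the property named by ``property`` currently reads 'true', the operator
  is asked whether to disable HTTPS; on "yes" the command built by
  get_delete_cert_command() is run for ``alias`` and the property is set to
  "false". Otherwise the operator is asked whether to configure HTTPS; on
  "yes" the delete command is run first, a certificate path is prompted for,
  the command built by get_import_cert_command() is run and the property is
  set to "true". Declining either prompt returns without writing anything.
  In silent mode only a message is printed.

  Args:
    component: Display name used in the prompts.
    command: Sub-command name used in the silent-mode message and in the
      header written to the properties file.
    property: Name of the property that records the HTTPS state.
    alias: Truststore alias passed to the delete/import commands.

  Raises:
    FatalException: If find_jdk() returns None.
  """
  if get_silent():
    print(command + " is not enabled in silent mode.")
    return

  jdk_path = find_jdk()
  if jdk_path is None:
    err = "No JDK found, please run the \"tbds-server setup\" " \
          "command to install a JDK automatically or install any " \
          "JDK manually to " + configDefaults.JDK_INSTALL_DIR
    raise FatalException(1, err)

  properties = get_ambari_properties()
  https_enabled = properties.get_property(property) == 'true'

  if https_enabled:
    if not get_YN_input("Do you want to disable HTTPS for " + component + " [y/n] (n)? ", False):
      return

    truststore_path = get_truststore_path(properties)
    truststore_password = get_truststore_password(properties)

    # NOTE(review): the truststore password is handed to the command
    # builder; if it ends up as a command-line argument it is visible to
    # other local users in the process list -- confirm.
    run_component_https_cmd(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))
    properties.process_pair(property, "false")
  else:
    if not get_YN_input("Do you want to configure HTTPS for " + component + " [y/n] (y)? ", True):
      return

    truststore_type = get_truststore_type(properties)
    truststore_path = get_truststore_path(properties)
    truststore_password = get_truststore_password(properties)

    # The result of this delete is not checked; presumably it clears an
    # entry already stored under the alias before the import below.
    run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

    # The certificate at this operator-supplied path becomes a trust anchor;
    # no fingerprint or issuer check is visible in this function.
    import_cert_path = get_validated_filepath_input(
        "Enter path to " + component + " Certificate: ",
        "Certificate not found")

    run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))
    properties.process_pair(property, "true")

  conf_file = find_properties_file()
  # Mode 'w' truncates the file before store() writes to it. The context
  # manager releases the handle even if store() raises; a second close is
  # harmless should store() close the stream itself.
  with open(conf_file, 'w') as f:
    properties.store(f, "Changed by 'tbds-server " + command + "' command")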
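def setup_truststore(import_cert=False):
  """Interactively configure the truststore and optionally import a cert.

  Asks whether to configure a truststore; on "no" returns without writing.
  On "yes" the truststore type, path and password are obtained through the
  get_truststore_* helpers and, when ``import_cert`` is True and the operator
  agrees, a certificate is imported under an alias entered at the prompt.
  The properties are then written back to the properties file. In silent
  mode only a message is printed.

  Args:
    import_cert: When True, also offer to import a certificate.

  Raises:
    FatalException: If find_jdk() returns None.
  """
  if get_silent():
    print("setup-security is not enabled in silent mode.")
    return

  jdk_path = find_jdk()
  if jdk_path is None:
    err = "No JDK found, please run the \"ambari-server setup\" " \
          "command to install a JDK automatically or install any " \
          "JDK manually to " + configDefaults.JDK_INSTALL_DIR
    raise FatalException(1, err)

  properties = get_ambari_properties()

  if not get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True):
    return

  truststore_type = get_truststore_type(properties)
  truststore_path = get_truststore_path(properties)
  truststore_password = get_truststore_password(properties)

  if import_cert and get_YN_input("Do you want to import a certificate [y/n] (y)? ", True):
    alias = get_validated_string_input("Please enter an alias for the certificate: ", "", None, None, False, False)

    # NOTE(review): the alias typed by the operator and the truststore
    # password go into the command builders; if the result is a shell string
    # or the password lands in argv, quoting and process-list exposure need
    # checking -- confirm against the builders.
    # The result of this delete is not checked; presumably it clears an
    # entry already stored under the alias before the import below.
    run_os_command(get_delete_cert_command(jdk_path, alias, truststore_path, truststore_password))

    import_cert_path = get_validated_filepath_input(
        "Enter path to certificate: ",
        "Certificate not found")

    run_component_https_cmd(get_import_cert_command(jdk_path, alias, truststore_type, import_cert_path, truststore_path, truststore_password))

  conf_file = find_properties_file()
  # Mode 'w' truncates the file before store() writes to it. The context
  # manager releases the handle even if store() raises; a second close is
  # harmless should store() close the stream itself.
  with open(conf_file, 'w') as f:
    properties.store(f, "Changed by 'ambari-server setup-security' command")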
Example #6
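def import_cert_and_key(security_server_keys_dir):
  """Prompt for a certificate and private key and build the HTTPS keystore.

  The operator supplies the certificate path, the private-key path and the
  key password. An empty password is replaced by a generated one and the
  key is re-written through CHANGE_KEY_PWD_CND (the result is expected at
  ``<key path>.secured``). The password is staged in files under the system
  temp directory, the keystore is produced with EXPRT_KSTR_CMD, the results
  are handed to import_file_to_keystore() and the keystore is checked with
  VALIDATE_KEYSTORE_CMD.

  Args:
    security_server_keys_dir: Directory that receives the keystore, the
      password file, the certificate and the key.

  Returns:
    True when the keystore was exported and validated, False otherwise.
  """
  import_cert_path = get_validated_filepath_input(
      "Enter path to Certificate: ",
      "Certificate not found")
  import_key_path = get_validated_filepath_input(
      "Enter path to Private Key: ", "Private Key not found")
  pem_password = get_validated_string_input("Please enter password for Private Key: ", "", None, None, True)

  certInfoDict = get_cert_info(import_cert_path)

  # Hostname and validity-date problems are only reported as warnings; the
  # import continues with the certificate as supplied.
  if not certInfoDict:
    print_warning_msg('Unable to get Certificate information')
  else:
    # Validate common name of certificate
    if not is_valid_cert_host(certInfoDict):
      print_warning_msg('Unable to validate Certificate hostname')

    # Validate issue and expirations dates of certificate
    if not is_valid_cert_exp(certInfoDict):
      print_warning_msg('Unable to validate Certificate issue and expiration dates')

  # jetty requires private key files with non-empty key passwords
  retcode = 0
  err = ''
  if not pem_password:
    print('Generating random password for HTTPS keystore...done.')
    pem_password = generate_random_string()
    # NOTE(review): the key path typed by the operator and the generated
    # password are formatted straight into the command text. If that text
    # reaches a shell, or the password becomes a command-line argument,
    # quoting and process-list exposure need checking -- confirm against
    # CHANGE_KEY_PWD_CND and run_os_command.
    retcode, out, err = run_os_command(CHANGE_KEY_PWD_CND.format(
        import_key_path, pem_password))
    import_key_path += '.secured'

  # Password copies created below; removed on every exit path so a failed
  # export or an exception does not leave the key password behind in the
  # temp directory.
  temp_secret_files = []
  try:
    if retcode == 0:
      temp_dir = tempfile.gettempdir()
      keystoreFilePath = os.path.join(security_server_keys_dir,
                                      SSL_KEYSTORE_FILE_NAME)
      keystoreFilePathTmp = os.path.join(temp_dir, SSL_KEYSTORE_FILE_NAME)
      passFilePath = os.path.join(security_server_keys_dir,
                                  SSL_KEY_PASSWORD_FILE_NAME)
      passFilePathTmp = os.path.join(temp_dir, SSL_KEY_PASSWORD_FILE_NAME)
      passinFilePath = os.path.join(temp_dir, SSL_PASSIN_FILE)
      passwordFilePath = os.path.join(temp_dir, SSL_PASSWORD_FILE)

      # NOTE(review): the password is written to a fixed file name in the
      # shared temp directory with the process's default creation mode, so
      # its confidentiality depends on the umask and on nobody having
      # pre-created that name. Consider a private directory and owner-only
      # permissions.
      with open(passFilePathTmp, 'w+') as passFile:
        passFile.write(pem_password)

      # NOTE(review): this sets permissions on the final path, not on the
      # temp file written just above -- confirm that is intended.
      set_file_permissions(passFilePath, "660", read_ambari_user(), False)

      copy_file(passFilePathTmp, passinFilePath)
      temp_secret_files.append(passinFilePath)
      copy_file(passFilePathTmp, passwordFilePath)
      temp_secret_files.append(passwordFilePath)

      retcode, out, err = run_os_command(EXPRT_KSTR_CMD.format(
          import_cert_path, import_key_path, passwordFilePath,
          passinFilePath, keystoreFilePathTmp))

    if retcode != 0:
      print_error_msg('Could not import Certificate and Private Key.')
      print('SSL error on exporting keystore: ' + err.rstrip() +
            '.\nPlease ensure that provided Private Key password is correct and ' +
            're-import Certificate.')
      return False

    print('Importing and saving Certificate...done.')
    # Whether import_file_to_keystore() removes its source is not visible
    # here; if it copies, the temp keystore and password file stay behind.
    import_file_to_keystore(keystoreFilePathTmp, keystoreFilePath)
    import_file_to_keystore(passFilePathTmp, passFilePath)

    import_file_to_keystore(import_cert_path, os.path.join(
        security_server_keys_dir, SSL_CERT_FILE_NAME))
    import_file_to_keystore(import_key_path, os.path.join(
        security_server_keys_dir, SSL_KEY_FILE_NAME))

    # Validate keystore
    retcode, out, err = run_os_command(VALIDATE_KEYSTORE_CMD.format(
        keystoreFilePath, passwordFilePath, passinFilePath))
  finally:
    for secret_path in temp_secret_files:
      remove_file(secret_path)

  if retcode != 0:
    print('Error during keystore validation occured!:')
    print(err)
    return False

  return True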
Example #7
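def import_cert_and_key(security_server_keys_dir):
    """Prompt for a certificate and private key and build the HTTPS keystore.

    The operator supplies the certificate path, the private-key path and the
    key password. An empty password is replaced by a generated one and the
    key is re-written through CHANGE_KEY_PWD_CND (the result is expected at
    ``<key path>.secured``). The password is staged in files under the
    system temp directory, the keystore is produced with EXPRT_KSTR_CMD, the
    results are handed to import_file_to_keystore() and the keystore is
    checked with VALIDATE_KEYSTORE_CMD.

    Args:
        security_server_keys_dir: Directory that receives the keystore, the
            password file, the certificate and the key.

    Returns:
        True when the keystore was exported and validated, False otherwise.
    """
    import_cert_path = get_validated_filepath_input(
        "Enter path to Certificate: ",
        "Certificate not found")
    import_key_path = get_validated_filepath_input(
        "Enter path to Private Key: ", "Private Key not found")
    pem_password = get_validated_string_input(
        "Please enter password for Private Key: ", "", None, None, True)

    certInfoDict = get_cert_info(import_cert_path)

    # Hostname and validity-date problems are only reported as warnings; the
    # import continues with the certificate as supplied.
    if not certInfoDict:
        print_warning_msg('Unable to get Certificate information')
    else:
        # Validate common name of certificate
        if not is_valid_cert_host(certInfoDict):
            print_warning_msg('Unable to validate Certificate hostname')

        # Validate issue and expirations dates of certificate
        if not is_valid_cert_exp(certInfoDict):
            print_warning_msg(
                'Unable to validate Certificate issue and expiration dates')

    # jetty requires private key files with non-empty key passwords
    retcode = 0
    err = ''
    if not pem_password:
        print('Generating random password for HTTPS keystore...done.')
        pem_password = generate_random_string()
        # NOTE(review): the key path typed by the operator and the generated
        # password are formatted straight into the command text. If that
        # text reaches a shell, or the password becomes a command-line
        # argument, quoting and process-list exposure need checking --
        # confirm against CHANGE_KEY_PWD_CND and run_os_command.
        retcode, out, err = run_os_command(
            CHANGE_KEY_PWD_CND.format(import_key_path, pem_password))
        import_key_path += '.secured'

    # Password copies created below; removed on every exit path so a failed
    # export or an exception does not leave the key password behind in the
    # temp directory.
    temp_secret_files = []
    try:
        if retcode == 0:
            temp_dir = tempfile.gettempdir()
            keystoreFilePath = os.path.join(security_server_keys_dir,
                                            SSL_KEYSTORE_FILE_NAME)
            keystoreFilePathTmp = os.path.join(temp_dir,
                                               SSL_KEYSTORE_FILE_NAME)
            passFilePath = os.path.join(security_server_keys_dir,
                                        SSL_KEY_PASSWORD_FILE_NAME)
            passFilePathTmp = os.path.join(temp_dir,
                                           SSL_KEY_PASSWORD_FILE_NAME)
            passinFilePath = os.path.join(temp_dir, SSL_PASSIN_FILE)
            passwordFilePath = os.path.join(temp_dir, SSL_PASSWORD_FILE)

            # NOTE(review): the password is written to a fixed file name in
            # the shared temp directory with the process's default creation
            # mode, so its confidentiality depends on the umask and on
            # nobody having pre-created that name. Consider a private
            # directory and owner-only permissions.
            with open(passFilePathTmp, 'w+') as passFile:
                passFile.write(pem_password)

            # NOTE(review): this sets permissions on the final path, not on
            # the temp file written just above -- confirm that is intended.
            set_file_permissions(passFilePath, "660", read_ambari_user(),
                                 False)

            copy_file(passFilePathTmp, passinFilePath)
            temp_secret_files.append(passinFilePath)
            copy_file(passFilePathTmp, passwordFilePath)
            temp_secret_files.append(passwordFilePath)

            retcode, out, err = run_os_command(EXPRT_KSTR_CMD.format(
                import_cert_path, import_key_path, passwordFilePath,
                passinFilePath, keystoreFilePathTmp))

        if retcode != 0:
            print_error_msg('Could not import Certificate and Private Key.')
            print('SSL error on exporting keystore: ' + err.rstrip() +
                  '.\nPlease ensure that provided Private Key password is correct and ' +
                  're-import Certificate.')
            return False

        print('Importing and saving Certificate...done.')
        # Whether import_file_to_keystore() removes its source is not
        # visible here; if it copies, the temp keystore and password file
        # stay behind.
        import_file_to_keystore(keystoreFilePathTmp, keystoreFilePath)
        import_file_to_keystore(passFilePathTmp, passFilePath)

        import_file_to_keystore(import_cert_path, os.path.join(
            security_server_keys_dir, SSL_CERT_FILE_NAME))
        import_file_to_keystore(import_key_path, os.path.join(
            security_server_keys_dir, SSL_KEY_FILE_NAME))

        # Validate keystore
        retcode, out, err = run_os_command(VALIDATE_KEYSTORE_CMD.format(
            keystoreFilePath, passwordFilePath, passinFilePath))
    finally:
        for secret_path in temp_secret_files:
            remove_file(secret_path)

    if retcode != 0:
        print('Error during keystore validation occured!:')
        print(err)
        return False

    return True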