def SvcDoRun(self):
from ambari_server_main import server_process_main
scmStatus = SvcStatusCallback(self)
properties = get_ambari_properties()
self.options.verbose = get_value_from_properties(
properties, VERBOSE_OUTPUT_KEY, False)
self.options.debug = get_value_from_properties(properties,
DEBUG_MODE_KEY, False)
self.options.suspend_start = get_value_from_properties(
properties, SUSPEND_START_MODE_KEY, False)
# set verbose
set_verbose(self.options.verbose)
self.redirect_output_streams()
childProc = server_process_main(self.options, scmStatus)
if not self._StopOrWaitForChildProcessToFinish(childProc):
return
pid_file_path = os.path.join(configDefaults.PID_DIR, PID_NAME)
remove_file(pid_file_path)
pass
def select_dbms(self, options):
try:
dbms_index = options.database_index
except AttributeError:
db_name = get_value_from_properties(get_ambari_properties(),
JDBC_DATABASE_PROPERTY,
"").strip().lower()
persistence_type = get_value_from_properties(
get_ambari_properties(), PERSISTENCE_TYPE_PROPERTY,
"").strip().lower()
if persistence_type == STORAGE_TYPE_LOCAL:
dbms_index = self.DBMS_KEYS_LIST.index("embedded")
elif db_name:
dbms_index = self.DBMS_KEYS_LIST.index(db_name)
else:
dbms_index = self._get_default_dbms_index(options)
if options.must_set_database_options:
n_dbms = 1
dbms_choice_prompt = "==============================================================================\n" \
"Choose one of the following options:\n"
dbms_choices = ''
for desc in self.DBMS_LIST:
if len(desc.storage_name) > 0:
dbms_storage = " ({0})".format(desc.storage_name)
else:
dbms_storage = ""
dbms_choice_prompt += self.DBMS_PROMPT_PATTERN.format(
n_dbms, desc.dbms_name, dbms_storage)
dbms_choices += str(n_dbms)
n_dbms += 1
database_num = str(dbms_index + 1)
dbms_choice_prompt += self.DBMS_CHOICE_PROMPT_PATTERN.format(
database_num)
dbms_valid_choices = self.JDK_VALID_CHOICES_PATTERN.format(
dbms_choices)
database_num = get_validated_string_input(dbms_choice_prompt,
database_num,
dbms_valid_choices,
"Invalid number.", False)
dbms_index = int(database_num) - 1
if dbms_index >= n_dbms:
print_info_msg('Unknown db option, default to {0} {1}.'.format(
self.DBMS_LIST[0].storage_name,
self.DBMS_LIST[0].dbms_name))
dbms_index = 0
return dbms_index
def extract_views():
java_exe_path = get_java_exe_path()
if java_exe_path is None:
print_error_msg("No JDK found, please run the \"setup\" "
"command to install a JDK automatically or install any "
"JDK manually to " + configDefaults.JDK_INSTALL_DIR)
return 1
properties = get_ambari_properties()
if properties == -1:
print_error_msg("Error getting ambari properties")
return -1
vdir = get_value_from_properties(properties, VIEWS_DIR_PROPERTY, configDefaults.DEFAULT_VIEWS_DIR)
files = [f for f in os.listdir(vdir) if os.path.isfile(os.path.join(vdir,f))]
for f in files:
command = VIEW_EXTRACT_CMD.format(java_exe_path,
get_full_ambari_classpath(), os.path.join(vdir,f))
retcode, stdout, stderr = run_os_command(command)
if retcode == 0:
sys.stdout.write(f + "\n")
elif retcode == 2:
sys.stdout.write("Error extracting " + f + "\n")
else:
sys.stdout.write(".")
sys.stdout.flush()
print_info_msg("Return code from extraction of view archive " + f + ": " +
str(retcode))
sys.stdout.write("\n")
return 0
def setup_pam():
if not is_root():
err = 'Ambari-server setup-pam should be run with ' \
'root-level privileges'
raise FatalException(4, err)
properties = get_ambari_properties()
if get_value_from_properties(properties, CLIENT_SECURITY_KEY,
"") == 'ldap':
err = "LDAP is configured. Can not setup PAM."
raise FatalException(1, err)
pam_property_value_map = {}
pam_property_value_map[CLIENT_SECURITY_KEY] = 'pam'
pamConfig = get_validated_string_input("Enter PAM configuration file: ",
PAM_CONFIG_FILE, REGEX_ANYTHING,
"Invalid characters in the input!",
False, False)
pam_property_value_map[PAM_CONFIG_FILE] = pamConfig
if get_YN_input(
"Do you want to allow automatic group creation [y/n] (y)? ", True):
pam_property_value_map[AUTO_GROUP_CREATION] = 'true'
else:
pam_property_value_map[AUTO_GROUP_CREATION] = 'false'
update_properties_2(properties, pam_property_value_map)
print 'Saving...done'
return 0
def get_default_dbms_name(self):
properties = get_ambari_properties()
default_dbms_name = get_value_from_properties(properties, DEFAULT_DBMS_PROPERTY, "").strip().lower()
if default_dbms_name not in self.DBMS_KEYS_LIST:
return ""
else:
return default_dbms_name
def get_default_dbms_name(self):
properties = get_ambari_properties()
default_dbms_name = get_value_from_properties(properties, DEFAULT_DBMS_PROPERTY, "").strip().lower()
if default_dbms_name not in self.DBMS_KEYS_LIST:
return ""
else:
return default_dbms_name
def _init_member_with_properties(options, attr_name, properties,
property_key):
options_val = getattr(options, attr_name, None)
if options_val is None or options_val is "":
options_val = get_value_from_properties(properties, property_key,
None)
return options_val
def __init__(self, properties, i_option, i_prop_name, i_prop_val_pattern, i_prompt_regex, i_allow_empty_prompt, i_prop_name_default=None): self.prop_name = i_prop_name self.option = i_option self.ldap_prop_name = get_value_from_properties(properties, i_prop_name, i_prop_name_default) self.ldap_prop_val_prompt = i_prop_val_pattern.format(get_prompt_default(self.ldap_prop_name)) self.prompt_regex = i_prompt_regex self.allow_empty_prompt = i_allow_empty_prompt
def _install_jdbc_driver(self, properties, files_list):
driver_path = get_value_from_properties(properties, JDBC_DRIVER_PATH_PROPERTY, None)
if driver_path is None or driver_path == "":
driver_path = self._get_jdbc_driver_path()
properties.process_pair(JDBC_DRIVER_PATH_PROPERTY, driver_path)
return True
return False
def _install_jdbc_driver(self, properties, files_list):
driver_path = get_value_from_properties(properties, JDBC_DRIVER_PATH_PROPERTY, None)
if driver_path is None or driver_path == "":
driver_path = self._get_jdbc_driver_path()
properties.process_pair(JDBC_DRIVER_PATH_PROPERTY, driver_path)
return True
return False
def select_dbms(self, options):
try:
dbms_index = options.database_index
except AttributeError:
db_name = get_value_from_properties(get_ambari_properties(), JDBC_DATABASE_PROPERTY, "").strip().lower()
persistence_type = get_value_from_properties(get_ambari_properties(), PERSISTENCE_TYPE_PROPERTY, "").strip().lower()
if persistence_type == STORAGE_TYPE_LOCAL:
dbms_index = self.DBMS_KEYS_LIST.index("embedded")
elif db_name:
dbms_index = self.DBMS_KEYS_LIST.index(db_name)
else:
dbms_index = self._get_default_dbms_index(options)
if options.must_set_database_options:
n_dbms = 1
dbms_choice_prompt = "==============================================================================\n" \
"Choose one of the following options:\n"
dbms_choices = ''
for desc in self.DBMS_LIST:
if len(desc.storage_name) > 0:
dbms_storage = " ({0})".format(desc.storage_name)
else:
dbms_storage = ""
dbms_choice_prompt += self.DBMS_PROMPT_PATTERN.format(n_dbms, desc.dbms_name, dbms_storage)
dbms_choices += str(n_dbms)
n_dbms += 1
database_num = str(dbms_index + 1)
dbms_choice_prompt += self.DBMS_CHOICE_PROMPT_PATTERN.format(database_num)
dbms_valid_choices = self.JDK_VALID_CHOICES_PATTERN.format(dbms_choices)
database_num = get_validated_string_input(
dbms_choice_prompt,
database_num,
dbms_valid_choices,
"Invalid number.",
False
)
dbms_index = int(database_num) - 1
if dbms_index >= n_dbms:
print_info_msg('Unknown db option, default to {0} {1}.'.format(
self.DBMS_LIST[0].storage_name, self.DBMS_LIST[0].dbms_name))
dbms_index = 0
return dbms_index
def _read_password_from_properties(properties, options):
database_password = DEFAULT_PASSWORD
password_file = get_value_from_properties(properties, JDBC_PASSWORD_PROPERTY, "")
if password_file:
if is_alias_string(password_file):
database_password = decrypt_password_for_alias(properties, JDBC_RCA_PASSWORD_ALIAS, options)
else:
if os.path.isabs(password_file) and os.path.exists(password_file):
with open(password_file, 'r') as file:
database_password = file.read()
return database_password
def populate_sso_provider_url(options, properties):
if not options.sso_provider_url:
provider_url = get_value_from_properties(
properties, JWT_AUTH_PROVIDER_URL, JWT_AUTH_PROVIDER_URL_DEFAULT)
provider_url = get_validated_string_input(
"Provider URL [URL] ({0}):".format(provider_url), provider_url,
REGEX_URL, "Invalid provider URL", False)
else:
provider_url = options.sso_provider_url
properties.process_pair(JWT_AUTH_PROVIDER_URL, provider_url)
def migrate_ldap_pam(args):
properties = get_ambari_properties()
if get_value_from_properties(properties,CLIENT_SECURITY,"") != 'pam':
err = "PAM is not configured. Please configure PAM authentication first."
raise FatalException(1, err)
db_title = get_db_type(properties).title
confirm = get_YN_input("Ambari Server configured for %s. Confirm "
"you have made a backup of the Ambari Server database [y/n] (y)? " % db_title, True)
if not confirm:
print_error_msg("Database backup is not confirmed")
return 1
jdk_path = get_java_exe_path()
if jdk_path is None:
print_error_msg("No JDK found, please run the \"setup\" "
"command to install a JDK automatically or install any "
"JDK manually to " + configDefaults.JDK_INSTALL_DIR)
return 1
# At this point, the args does not have the ambari database information.
# Augment the args with the correct ambari database information
parse_properties_file(args)
ensure_jdbc_driver_is_installed(args, properties)
print 'Migrating LDAP Users & Groups to PAM'
serverClassPath = ServerClassPath(properties, args)
class_path = serverClassPath.get_full_ambari_classpath_escaped_for_shell()
command = LDAP_TO_PAM_MIGRATION_HELPER_CMD.format(jdk_path, class_path)
ambari_user = read_ambari_user()
current_user = ensure_can_start_under_current_user(ambari_user)
environ = generate_env(args, ambari_user, current_user)
(retcode, stdout, stderr) = run_os_command(command, env=environ)
print_info_msg("Return code from LDAP to PAM migration command, retcode = " + str(retcode))
if stdout:
print "Console output from LDAP to PAM migration command:"
print stdout
print
if stderr:
print "Error output from LDAP to PAM migration command:"
print stderr
print
if retcode > 0:
print_error_msg("Error executing LDAP to PAM migration, please check the server logs.")
else:
print_info_msg('LDAP to PAM migration completed')
return retcode
def populate_jwt_cookie_name(options, properties):
if not options.sso_jwt_cookie_name:
cookie_name = get_value_from_properties(properties, JWT_COOKIE_NAME,
JWT_COOKIE_NAME_DEFAULT)
cookie_name = get_validated_string_input(
"JWT Cookie name ({0}):".format(cookie_name), cookie_name,
REGEX_ANYTHING, "Invalid cookie name", False)
else:
cookie_name = options.sso_jwt_cookie_name
properties.process_pair(JWT_COOKIE_NAME, cookie_name)
def _read_password_from_properties(properties):
database_password = DEFAULT_PASSWORD
password_file = get_value_from_properties(properties, JDBC_PASSWORD_PROPERTY, "")
if password_file:
if is_alias_string(password_file):
database_password = decrypt_password_for_alias(properties, JDBC_RCA_PASSWORD_ALIAS)
else:
if os.path.isabs(password_file) and os.path.exists(password_file):
with open(password_file, 'r') as file:
database_password = file.read()
return database_password
def get_and_persist_truststore_type(properties, options):
truststore_type = properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY)
if not truststore_type:
SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks")
truststore_type = get_validated_string_input(
"TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)),
SSL_TRUSTSTORE_TYPE_DEFAULT, "^(jks|jceks|pkcs12)?$", "Wrong type", False, answer = options.trust_store_type)
if truststore_type:
properties.process_pair(SSL_TRUSTSTORE_TYPE_PROPERTY, truststore_type)
return truststore_type
def SvcDoRun(self):
from ambari_server_main import server_process_main
scmStatus = SvcStatusCallback(self)
properties = get_ambari_properties()
self.options.verbose = get_value_from_properties(properties, VERBOSE_OUTPUT_KEY, False)
self.options.debug = get_value_from_properties(properties, DEBUG_MODE_KEY, False)
self.options.suspend_start = get_value_from_properties(properties, SUSPEND_START_MODE_KEY, False)
# set verbose
set_verbose(self.options.verbose)
self.redirect_output_streams()
childProc = server_process_main(self.options, scmStatus)
if not self._StopOrWaitForChildProcessToFinish(childProc):
return
pid_file_path = os.path.join(configDefaults.PID_DIR, PID_NAME)
remove_file(pid_file_path)
pass
def get_and_persist_truststore_path(properties, options):
truststore_path = properties.get_property(SSL_TRUSTSTORE_PATH_PROPERTY)
if not truststore_path:
SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY)
while not truststore_path:
truststore_path = get_validated_string_input(
"Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)),
SSL_TRUSTSTORE_PATH_DEFAULT, ".*", False, False, answer = options.trust_store_path)
if truststore_path:
properties.process_pair(SSL_TRUSTSTORE_PATH_PROPERTY, truststore_path)
return truststore_path
def get_truststore_type(properties):
truststore_type = properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY)
if not truststore_type:
SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks")
truststore_type = get_validated_string_input(
"TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)),
SSL_TRUSTSTORE_TYPE_DEFAULT,
"^(jks|jceks|pkcs12)?$", "Wrong type", False)
if truststore_type:
properties.process_pair(SSL_TRUSTSTORE_TYPE_PROPERTY, truststore_type)
return truststore_type
def _is_jdbc_user_changed(database_username):
properties = get_ambari_properties()
if properties == -1:
print_error_msg("Error getting ambari properties")
return None
previos_user = get_value_from_properties(properties, JDBC_USER_NAME_PROPERTY, "")
if previos_user and database_username:
if previos_user != database_username:
return True
else:
return False
return None
def adjust_directory_permissions(ambari_user):
properties = get_ambari_properties()
bootstrap_dir = os.path.abspath(get_value_from_properties(properties, BOOTSTRAP_DIR_PROPERTY))
print_info_msg("Cleaning bootstrap directory ({0}) contents...".format(bootstrap_dir))
if os.path.exists(bootstrap_dir):
shutil.rmtree(bootstrap_dir) #Ignore the non-existent dir error
if not os.path.exists(bootstrap_dir):
try:
os.makedirs(bootstrap_dir)
except Exception, ex:
print_warning_msg("Failed recreating the bootstrap directory: {0}".format(str(ex)))
pass
def _is_jdbc_user_changed(database_username):
properties = get_ambari_properties()
if properties == -1:
print_error_msg("Error getting ambari properties")
return None
previos_user = get_value_from_properties(properties, JDBC_USER_NAME_PROPERTY, "")
if previos_user and database_username:
if previos_user != database_username:
return True
else:
return False
return None
def get_truststore_path(properties):
truststore_path = properties.get_property(SSL_TRUSTSTORE_PATH_PROPERTY)
if not truststore_path:
SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY)
while not truststore_path:
truststore_path = get_validated_string_input(
"Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)),
SSL_TRUSTSTORE_PATH_DEFAULT,
".*", False, False)
if truststore_path:
properties.process_pair(SSL_TRUSTSTORE_PATH_PROPERTY, truststore_path)
return truststore_path
def adjust_directory_permissions(ambari_user):
properties = get_ambari_properties()
bootstrap_dir = os.path.abspath(get_value_from_properties(properties, BOOTSTRAP_DIR_PROPERTY))
print_info_msg("Cleaning bootstrap directory ({0}) contents...".format(bootstrap_dir))
shutil.rmtree(bootstrap_dir, True) #Ignore the non-existent dir error
#Protect against directories lingering around
del_attempts = 0
while os.path.exists(bootstrap_dir) and del_attempts < 100:
time.sleep(50)
del_attempts += 1
if not os.path.exists(bootstrap_dir):
try:
os.makedirs(bootstrap_dir)
except Exception, ex:
print_warning_msg("Failed recreating the bootstrap directory: {0}".format(str(ex)))
pass
def setup_pam(options):
if not is_root():
err = 'Ambari-server setup-pam should be run with root-level privileges'
raise FatalException(4, err)
properties = get_ambari_properties()
if get_value_from_properties(properties,CLIENT_SECURITY,"") == 'ldap':
query = "LDAP is currently configured, do you wish to use PAM instead [y/n] (n)? "
if get_YN_input(query, False):
pass
else:
err = "LDAP is configured. Can not setup PAM."
raise FatalException(1, err)
pam_property_list_reqd = init_pam_properties_list_reqd(properties, options)
pam_property_value_map = {}
pam_property_value_map[CLIENT_SECURITY] = 'pam'
for pam_prop in pam_property_list_reqd:
input = get_validated_string_input(pam_prop.pam_prop_val_prompt, pam_prop.pam_prop_name, pam_prop.prompt_regex,
"Invalid characters in the input!", False, pam_prop.allow_empty_prompt,
answer = pam_prop.option)
if input is not None and input != "":
pam_property_value_map[pam_prop.prop_name] = input
# Verify that the PAM config file exists, else show warning...
pam_config_file = pam_property_value_map[PAM_CONFIG_FILE]
if not os.path.exists(pam_config_file):
print_warning_msg("The PAM configuration file, {0} does not exist. " \
"Please create it before restarting Ambari.".format(pam_config_file))
update_properties_2(properties, pam_property_value_map)
print 'Saving...done'
return 0
def setup_ldap(options):
logger.info("Setup LDAP.")
properties = get_ambari_properties()
server_status, pid = is_server_runing()
if not server_status:
err = 'Ambari Server is not running.'
raise FatalException(1, err)
current_client_security = get_value_from_properties(properties,CLIENT_SECURITY,"no auth method")
if current_client_security != 'ldap':
query = "Currently '" + current_client_security + "' is configured, do you wish to use LDAP instead [y/n] (n)? "
if get_YN_input(query, False):
pass
else:
err = "Currently '" + current_client_security + "' configured. Can not setup LDAP."
raise FatalException(1, err)
isSecure = get_is_secure(properties)
ldap_property_list_reqd = init_ldap_properties_list_reqd(properties, options)
ldap_property_list_opt = [LDAP_MGR_USERNAME_PROPERTY,
LDAP_MGR_PASSWORD_PROPERTY,
SSL_TRUSTSTORE_TYPE_PROPERTY,
SSL_TRUSTSTORE_PATH_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
ldap_property_list_passwords=[LDAP_MGR_PASSWORD_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
LDAP_MGR_DN_DEFAULT = None
SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks")
SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY)
ldap_property_value_map = {}
for ldap_prop in ldap_property_list_reqd:
input = get_validated_string_input(ldap_prop.ldap_prop_val_prompt, ldap_prop.ldap_prop_name, ldap_prop.prompt_regex,
"Invalid characters in the input!", False, ldap_prop.allow_empty_prompt,
answer = ldap_prop.option)
if input is not None and input != "":
ldap_property_value_map[ldap_prop.prop_name] = input
bindAnonymously = ldap_property_value_map[LDAP_ANONYMOUS_BIND]
anonymous = (bindAnonymously and bindAnonymously.lower() == 'true')
mgr_password = None
# Ask for manager credentials only if bindAnonymously is false
if not anonymous:
username = get_validated_string_input("Manager DN* {0}: ".format(
get_prompt_default(LDAP_MGR_DN_DEFAULT)), LDAP_MGR_DN_DEFAULT, ".*",
"Invalid characters in the input!", False, False, answer = options.ldap_manager_dn)
ldap_property_value_map[LDAP_MGR_USERNAME_PROPERTY] = username
mgr_password = configure_ldap_password(options)
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = mgr_password
useSSL = ldap_property_value_map[LDAP_USE_SSL]
ldaps = (useSSL and useSSL.lower() == 'true')
ts_password = None
if ldaps:
truststore_default = "n"
truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT)
if truststore_set:
truststore_default = "y"
custom_trust_store = True if options.trust_store_path is not None and options.trust_store_path else False
if not custom_trust_store:
custom_trust_store = get_YN_input("Do you want to provide custom TrustStore for Ambari [y/n] ({0})?".
format(truststore_default),
truststore_set)
if custom_trust_store:
ts_type = get_validated_string_input("TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)),
SSL_TRUSTSTORE_TYPE_DEFAULT, "^(jks|jceks|pkcs12)?$", "Wrong type", False, answer=options.trust_store_type)
ts_path = None
while True:
ts_path = get_validated_string_input("Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)),
SSL_TRUSTSTORE_PATH_DEFAULT, ".*", False, False, answer = options.trust_store_path)
if os.path.exists(ts_path):
break
else:
print 'File not found.'
hasAnswer = options.trust_store_path is not None and options.trust_store_path
quit_if_has_answer(hasAnswer)
ts_password = read_password("", ".*", "Password for TrustStore:", "Invalid characters in password", options.trust_store_password)
ldap_property_value_map[SSL_TRUSTSTORE_TYPE_PROPERTY] = ts_type
ldap_property_value_map[SSL_TRUSTSTORE_PATH_PROPERTY] = ts_path
ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = ts_password
pass
elif properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY):
print 'The TrustStore is already configured: '
print ' ' + SSL_TRUSTSTORE_TYPE_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY)
print ' ' + SSL_TRUSTSTORE_PATH_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_PATH_PROPERTY)
print ' ' + SSL_TRUSTSTORE_PASSWORD_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
if get_YN_input("Do you want to remove these properties [y/n] (y)? ", True, options.trust_store_reconfigure):
properties.removeOldProp(SSL_TRUSTSTORE_TYPE_PROPERTY)
properties.removeOldProp(SSL_TRUSTSTORE_PATH_PROPERTY)
properties.removeOldProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
pass
pass
print '=' * 20
print 'Review Settings'
print '=' * 20
for property in ldap_property_list_reqd:
if ldap_property_value_map.has_key(property):
print("%s: %s" % (property, ldap_property_value_map[property]))
for property in ldap_property_list_opt:
if ldap_property_value_map.has_key(property):
if property not in ldap_property_list_passwords:
print("%s: %s" % (property, ldap_property_value_map[property]))
else:
print("%s: %s" % (property, BLIND_PASSWORD))
save_settings = True if options.ldap_save_settings is not None else get_YN_input("Save settings [y/n] (y)? ", True)
if save_settings:
if isSecure:
if mgr_password:
encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options)
if mgr_password != encrypted_passwd:
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd
pass
if ts_password:
encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, options)
if ts_password != encrypted_passwd:
ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd
pass
pass
# Persisting values
if mgr_password:
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
print 'Saving LDAP properties...'
ldap_property_value_map[IS_LDAP_CONFIGURED] = "true"
#Saving LDAP configuration in Ambari DB using the REST API
update_ldap_configuration(properties, ldap_property_value_map)
#The only property we want to write out in Ambari.properties is the client.security type being LDAP
ldap_property_value_map.clear()
ldap_property_value_map[CLIENT_SECURITY] = 'ldap'
update_properties_2(properties, ldap_property_value_map)
print 'Saving LDAP properties finished'
return 0
if not stack_version:
Logger.error(
"Could not parse HDP version from output of hdp-select: %s"
% str(out))
return 1
else:
stack_version = options.hdp_version
return stack_version
parser = OptionParser()
parser.add_option("-d",
"--database-driver",
dest="sql_driver_path",
default=get_value_from_properties(
get_ambari_properties(), JDBC_DRIVER_PATH_PROPERTY,
DEFAULT_SQL_DRIVER_PATH),
help="Path to JDBC driver")
parser.add_option("-f",
"--fs-type",
dest="fs_type",
default="wasb",
help="Expected protocol of fs.defaultFS")
parser.add_option("-v",
"--hdp-version",
dest="hdp_version",
default="",
help="hdp-version used in path of tarballs")
parser.add_option("-u",
"--upgrade",
dest="upgrade",
def sync_ldap(options):
logger.info("Sync users and groups with configured LDAP.")
if not is_root():
err = 'Ambari-server sync-ldap should be run with ' \
'root-level privileges'
raise FatalException(4, err)
properties = get_ambari_properties()
if get_value_from_properties(properties, CLIENT_SECURITY_KEY, "") == 'pam':
err = "PAM is configured. Can not sync LDAP."
raise FatalException(1, err)
server_status, pid = is_server_runing()
if not server_status:
err = 'Ambari Server is not running.'
raise FatalException(1, err)
if properties == -1:
raise FatalException(1, "Failed to read properties file.")
ldap_configured = properties.get_property(IS_LDAP_CONFIGURED)
if ldap_configured != 'true':
err = "LDAP is not configured. Run 'ambari-server setup-ldap' first."
raise FatalException(1, err)
# set ldap sync options
ldap_sync_options = LdapSyncOptions(options)
if ldap_sync_options.no_ldap_sync_options_set():
err = 'Must specify a sync option (all, existing, users or groups). Please invoke ambari-server.py --help to print the options.'
raise FatalException(1, err)
admin_login = ldap_sync_options.ldap_sync_admin_name\
if ldap_sync_options.ldap_sync_admin_name is not None and ldap_sync_options.ldap_sync_admin_name \
else get_validated_string_input(prompt="Enter Ambari Admin login: "******"Enter Ambari Admin password: "******"Event": {
"specs": [{
"principal_type": "users",
"sync_type": "all"
}, {
"principal_type": "groups",
"sync_type": "all"
}]
}
}]
elif ldap_sync_options.ldap_sync_existing:
sys.stdout.write('Syncing existing.')
bodies = [{
"Event": {
"specs": [{
"principal_type": "users",
"sync_type": "existing"
}, {
"principal_type": "groups",
"sync_type": "existing"
}]
}
}]
else:
sys.stdout.write('Syncing specified users and groups.')
bodies = [{"Event": {"specs": []}}]
body = bodies[0]
events = body['Event']
specs = events['specs']
if ldap_sync_options.ldap_sync_users is not None:
new_specs = [{
"principal_type": "users",
"sync_type": "specific",
"names": ""
}]
get_ldap_event_spec_names(ldap_sync_options.ldap_sync_users, specs,
new_specs)
if ldap_sync_options.ldap_sync_groups is not None:
new_specs = [{
"principal_type": "groups",
"sync_type": "specific",
"names": ""
}]
get_ldap_event_spec_names(ldap_sync_options.ldap_sync_groups,
specs, new_specs)
if get_verbose():
sys.stdout.write('\nCalling API ' + url + ' : ' + str(bodies) + '\n')
request.add_data(json.dumps(bodies))
request.get_method = lambda: 'POST'
try:
response = urllib2.urlopen(request)
except Exception as e:
err = 'Sync event creation failed. Error details: %s' % e
raise FatalException(1, err)
response_status_code = response.getcode()
if response_status_code != 201:
err = 'Error during syncing. Http status code - ' + str(
response_status_code)
raise FatalException(1, err)
response_body = json.loads(response.read())
url = response_body['resources'][0]['href']
request = urllib2.Request(url)
request.add_header('Authorization', 'Basic %s' % admin_auth)
request.add_header('X-Requested-By', 'ambari')
body = [{"LDAP": {"synced_groups": "*", "synced_users": "*"}}]
request.add_data(json.dumps(body))
request.get_method = lambda: 'GET'
request_in_progress = True
while request_in_progress:
sys.stdout.write('.')
sys.stdout.flush()
try:
response = urllib2.urlopen(request)
except Exception as e:
request_in_progress = False
err = 'Sync event check failed. Error details: %s' % e
raise FatalException(1, err)
response_status_code = response.getcode()
if response_status_code != 200:
err = 'Error during syncing. Http status code - ' + str(
response_status_code)
raise FatalException(1, err)
response_body = json.loads(response.read())
sync_info = response_body['Event']
if sync_info['status'] == 'ERROR':
raise FatalException(1, str(sync_info['status_detail']))
elif sync_info['status'] == 'COMPLETE':
print '\n\nCompleted LDAP Sync.'
print 'Summary:'
for principal_type, summary in sync_info['summary'].iteritems():
print ' {0}:'.format(principal_type)
for action, amount in summary.iteritems():
print ' {0} = {1!s}'.format(action, amount)
request_in_progress = False
else:
time.sleep(1)
sys.stdout.write('\n')
sys.stdout.flush()
def __init__(self, properties, i_prop_name, i_prop_val_pattern, i_prompt_regex, i_allow_empty_prompt, i_prop_name_default=None): self.prop_name = i_prop_name self.ldap_prop_name = get_value_from_properties(properties, i_prop_name, i_prop_name_default) self.ldap_prop_val_prompt = i_prop_val_pattern.format(get_prompt_default(self.ldap_prop_name)) self.prompt_regex = i_prompt_regex self.allow_empty_prompt = i_allow_empty_prompt
def _init_member_with_properties(options, attr_name, properties, property_key):
options_val = getattr(options, attr_name, None)
if options_val is None or options_val is "":
options_val = get_value_from_properties(properties, property_key, None)
return options_val
def setup_ldap():
if not is_root():
err = 'Ambari-server setup-ldap should be run with ' \
'root-level privileges'
raise FatalException(4, err)
properties = get_ambari_properties()
isSecure = get_is_secure(properties)
ldap_property_list_reqd = init_ldap_properties_list_reqd(properties)
ldap_property_list_opt = ["authentication.ldap.managerDn",
LDAP_MGR_PASSWORD_PROPERTY,
SSL_TRUSTSTORE_TYPE_PROPERTY,
SSL_TRUSTSTORE_PATH_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
ldap_property_list_truststore=[SSL_TRUSTSTORE_TYPE_PROPERTY,
SSL_TRUSTSTORE_PATH_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
ldap_property_list_passwords=[LDAP_MGR_PASSWORD_PROPERTY,
SSL_TRUSTSTORE_PASSWORD_PROPERTY]
LDAP_MGR_DN_DEFAULT = get_value_from_properties(properties, ldap_property_list_opt[0])
SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks")
SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY)
ldap_property_value_map = {}
for ldap_prop in ldap_property_list_reqd:
input = get_validated_string_input(ldap_prop.ldap_prop_val_prompt, ldap_prop.ldap_prop_name, ldap_prop.prompt_regex,
"Invalid characters in the input!", False, ldap_prop.allow_empty_prompt)
if input is not None and input != "":
ldap_property_value_map[ldap_prop.prop_name] = input
bindAnonymously = ldap_property_value_map["authentication.ldap.bindAnonymously"]
anonymous = (bindAnonymously and bindAnonymously.lower() == 'true')
mgr_password = None
# Ask for manager credentials only if bindAnonymously is false
if not anonymous:
username = get_validated_string_input("Manager DN* {0}: ".format(
get_prompt_default(LDAP_MGR_DN_DEFAULT)), LDAP_MGR_DN_DEFAULT, ".*",
"Invalid characters in the input!", False, False)
ldap_property_value_map[LDAP_MGR_USERNAME_PROPERTY] = username
mgr_password = configure_ldap_password()
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = mgr_password
useSSL = ldap_property_value_map["authentication.ldap.useSSL"]
ldaps = (useSSL and useSSL.lower() == 'true')
ts_password = None
if ldaps:
truststore_default = "n"
truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT)
if truststore_set:
truststore_default = "y"
custom_trust_store = get_YN_input("Do you want to provide custom TrustStore for Ambari [y/n] ({0})?".
format(truststore_default),
truststore_set)
if custom_trust_store:
ts_type = get_validated_string_input(
"TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)),
SSL_TRUSTSTORE_TYPE_DEFAULT,
"^(jks|jceks|pkcs12)?$", "Wrong type", False)
ts_path = None
while True:
ts_path = get_validated_string_input(
"Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)),
SSL_TRUSTSTORE_PATH_DEFAULT,
".*", False, False)
if os.path.exists(ts_path):
break
else:
print 'File not found.'
ts_password = read_password("", ".*", "Password for TrustStore:", "Invalid characters in password")
ldap_property_value_map[SSL_TRUSTSTORE_TYPE_PROPERTY] = ts_type
ldap_property_value_map[SSL_TRUSTSTORE_PATH_PROPERTY] = ts_path
ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = ts_password
pass
else:
properties.removeOldProp(SSL_TRUSTSTORE_TYPE_PROPERTY)
properties.removeOldProp(SSL_TRUSTSTORE_PATH_PROPERTY)
properties.removeOldProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY)
pass
pass
print '=' * 20
print 'Review Settings'
print '=' * 20
for property in ldap_property_list_reqd:
if property in ldap_property_value_map:
print("%s: %s" % (property, ldap_property_value_map[property]))
for property in ldap_property_list_opt:
if ldap_property_value_map.has_key(property):
if property not in ldap_property_list_passwords:
print("%s: %s" % (property, ldap_property_value_map[property]))
else:
print("%s: %s" % (property, BLIND_PASSWORD))
save_settings = get_YN_input("Save settings [y/n] (y)? ", True)
if save_settings:
ldap_property_value_map[CLIENT_SECURITY_KEY] = 'ldap'
if isSecure:
if mgr_password:
encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password)
if mgr_password != encrypted_passwd:
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd
pass
if ts_password:
encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password)
if ts_password != encrypted_passwd:
ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd
pass
pass
# Persisting values
ldap_property_value_map[IS_LDAP_CONFIGURED] = "true"
if mgr_password:
ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME)
update_properties_2(properties, ldap_property_value_map)
print 'Saving...done'
return 0
def setup_sso(args):
logger.info("Setup SSO.")
if not is_root():
err = 'ambari-server setup-sso should be run with ' \
'root-level privileges'
raise FatalException(4, err)
if not get_silent():
properties = get_ambari_properties()
must_setup_params = False
store_new_cert = False
sso_enabled = properties.get_property(JWT_AUTH_ENBABLED).lower() in [
'true'
]
if sso_enabled:
if get_YN_input(
"Do you want to disable SSO authentication [y/n] (n)?",
False):
properties.process_pair(JWT_AUTH_ENBABLED, "false")
else:
if get_YN_input(
"Do you want to configure SSO authentication [y/n] (y)?",
True):
properties.process_pair(JWT_AUTH_ENBABLED, "true")
must_setup_params = True
else:
return False
if must_setup_params:
provider_url = get_value_from_properties(
properties, JWT_AUTH_PROVIDER_URL,
JWT_AUTH_PROVIDER_URL_DEFAULT)
provider_url = get_validated_string_input(
"Provider URL [URL] ({0}):".format(provider_url), provider_url,
REGEX_ANYTHING, "Invalid provider URL", False)
properties.process_pair(JWT_AUTH_PROVIDER_URL, provider_url)
cert_path = properties.get_property(JWT_PUBLIC_KEY)
cert_string = get_multi_line_input(
"Public Certificate pem ({0})".format(
'stored' if cert_path else 'empty'))
if cert_string is not None:
store_new_cert = True
if get_YN_input(
"Do you want to configure advanced properties [y/n] (n) ?",
False):
cookie_name = get_value_from_properties(
properties, JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT)
cookie_name = get_validated_string_input(
"JWT Cookie name ({0}):".format(cookie_name), cookie_name,
REGEX_ANYTHING, "Invalid cookie name", False)
properties.process_pair(JWT_COOKIE_NAME, cookie_name)
audiences = properties.get_property(JWT_AUDIENCES)
audiences = get_validated_string_input(
"JWT audiences list (comma-separated), empty for any ({0}):"
.format(audiences), audiences, REGEX_ANYTHING,
"Invalid value", False)
properties.process_pair(JWT_AUDIENCES, audiences)
# TODO not required for now as we support Knox only
# orig_query_param = get_value_from_properties(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT)
# orig_query_param = get_validated_string_input("Original URL query parameter name ({}):".format(orig_query_param),
# orig_query_param,
# REGEX_ANYTHING,
# "Invalid value",
# False)
# properties.process_pair(JWT_ORIGINAL_URL_QUERY_PARAM, orig_query_param)
if store_new_cert:
full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER
cert_path = store_password_file(full_cert,
JWT_PUBLIC_KEY_FILENAME)
properties.process_pair(JWT_PUBLIC_KEY, cert_path)
update_properties(properties)
pass
else:
warning = "setup-sso is not enabled in silent mode."
raise NonFatalException(warning)
pass
