def populate_sso_provider_url(options, properties):
    """Record the SSO provider URL under ``properties[SSO_PROVIDER_URL]``.

    A URL supplied in ``options.sso_provider_url`` is stored unchanged.
    Otherwise the operator is prompted; the value already present in
    ``properties`` (falling back to ``SSO_PROVIDER_URL_DEFAULT``) is offered
    as the default and the answer is read through
    ``get_validated_string_input`` together with ``REGEX_URL``.
    """
    url_from_options = options.sso_provider_url
    if url_from_options:
        # NOTE(review): this branch does not apply REGEX_URL itself. setup_sso
        # calls validate_options(options) before reaching here; confirm that
        # it validates the URL, otherwise an unchecked value is written to
        # the SSO configuration.
        provider_url = url_from_options
    else:
        current_url = get_value_from_dictionary(
            properties, SSO_PROVIDER_URL, SSO_PROVIDER_URL_DEFAULT)
        prompt = "Provider URL ({0}): ".format(current_url)
        provider_url = get_validated_string_input(
            prompt, current_url, REGEX_URL, "Invalid provider URL", False)

    properties[SSO_PROVIDER_URL] = provider_url
def populate_jwt_cookie_name(options, properties):
    """Record the JWT cookie name under ``properties[JWT_COOKIE_NAME]``.

    No prompt is shown when ``options.sso_jwt_cookie_name`` is set, or when
    both ``options.sso_provider_url`` and ``options.sso_public_cert_file``
    are set; in that case the option value is used, falling back to
    ``JWT_COOKIE_NAME_DEFAULT``. In every other case the operator is asked,
    with the currently stored name (or the default) offered.
    """
    explicit_name = options.sso_jwt_cookie_name
    if explicit_name or (options.sso_provider_url
                         and options.sso_public_cert_file):
        if explicit_name:
            cookie_name = explicit_name
        else:
            cookie_name = JWT_COOKIE_NAME_DEFAULT
    else:
        stored_name = get_value_from_dictionary(
            properties, JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT)
        # REGEX_ANYTHING is the pattern handed to the input helper, so the
        # cookie name is presumably not restricted to valid cookie-name
        # characters here -- confirm where (or whether) that is enforced.
        cookie_name = get_validated_string_input(
            "JWT Cookie name ({0}): ".format(stored_name), stored_name,
            REGEX_ANYTHING, "Invalid cookie name", False)

    properties[JWT_COOKIE_NAME] = cookie_name
def populate_tproxy_configuration_property(properties, tproxy_user_name,
                                           property_name,
                                           question_text_qualifier):
    """Prompt for one trusted-proxy setting of a proxy user and store it.

    ``property_name`` is a format template; it is resolved with
    ``tproxy_user_name`` to obtain the key written in ``properties``.
    ``question_text_qualifier`` is inserted into the prompt text
    ("Allowed <qualifier> for <user>").
    """
    key = property_name.format(tproxy_user_name)

    # The suggested value is whatever is already stored for this key, and
    # WILDCARD_FOR_ALL when nothing is stored. The answer is read with
    # REGEX_ANYTHING, so it is presumably accepted without format checks --
    # confirm. Operators should replace the wildcard with the narrowest
    # value that works, since it widens what the proxy user may act for.
    suggested = get_value_from_dictionary(properties, key, WILDCARD_FOR_ALL)
    question = "Allowed {0} for {1} ({2})? ".format(
        question_text_qualifier, tproxy_user_name, suggested)

    properties[key] = get_validated_string_input(
        question, suggested, REGEX_ANYTHING, "Invalid input", False)
def populate_jwt_audiences(options, properties):
    """Record the accepted JWT audiences under ``properties[JWT_AUDIENCES]``.

    No prompt is shown when ``options.sso_jwt_audience_list`` is not None, or
    when both ``options.sso_provider_url`` and
    ``options.sso_public_cert_file`` are set; the option value is then used,
    with ``JWT_AUDIENCES_DEFAULT`` substituted for a falsy value. Otherwise
    the operator is asked for a comma-separated list.
    """
    requested = options.sso_jwt_audience_list
    if requested is not None or (options.sso_provider_url
                                 and options.sso_public_cert_file):
        # An empty string from the command line is falsy and therefore also
        # ends up as JWT_AUDIENCES_DEFAULT.
        if requested:
            audiences = requested
        else:
            audiences = JWT_AUDIENCES_DEFAULT
    else:
        stored = get_value_from_dictionary(
            properties, JWT_AUDIENCES, JWT_AUDIENCES_DEFAULT)
        # Per the prompt text, an empty list means "any": no audience
        # restriction is configured in that case, so tokens issued for
        # other audiences are presumably accepted -- confirm on the server
        # side and prefer an explicit list.
        audiences = get_validated_string_input(
            "JWT audiences list (comma-separated), empty for any ({0}): ".
            format(stored), stored, REGEX_ANYTHING, "Invalid value", False)

    properties[JWT_AUDIENCES] = audiences
def populate_sso_public_cert(options, properties):
    """Record the SSO provider's public certificate in ``properties``.

    With ``options.sso_public_cert_file`` set, the file is read and its
    content stored. Without it, the operator is asked to paste the PEM; when
    a certificate is already stored the operator is first asked whether to
    replace it, and declining leaves ``properties`` untouched.

    Non-empty input goes through ``ensure_complete_cert`` before being stored
    under ``SSO_CERTIFICATE``.
    """
    cert_path = options.sso_public_cert_file

    if cert_path:
        with open(cert_path) as cert_file:
            pem_text = cert_file.read()
    else:
        stored_cert = get_value_from_dictionary(properties, SSO_CERTIFICATE)
        if stored_cert:
            replace_cert = get_YN_input(
                "The SSO provider's public certificate has already set. Do you want to change it [y/n] (n)? ",
                False)
        else:
            replace_cert = True
        if not replace_cert:
            return
        pem_text = get_multi_line_input("Public Certificate PEM")

    # NOTE(review): empty input or an empty file stores "" as the
    # certificate. This is presumably the key JWT signatures are checked
    # against, so confirm the server refuses to enable SSO without one.
    # Nothing visible here parses the PEM or checks that it is a certificate.
    if pem_text:
        properties[SSO_CERTIFICATE] = ensure_complete_cert(pem_text)
    else:
        properties[SSO_CERTIFICATE] = ""
def setup_sso(options):
    """Interactively enable, reconfigure or disable SSO for Ambari.

    Raises FatalException when the server is not running and
    NonFatalException in silent mode. Returns False when SSO is not
    currently enabled and the operator declines to configure it; every
    other completed path returns None.

    The admin credentials obtained from
    ``get_ambari_admin_username_password_pair`` are handed to the helpers
    that read and write the SSO configuration.
    """
    print_info_msg("Setup SSO.")

    running, _pid = is_server_runing()
    if not running:
        raise FatalException(1, 'Ambari Server is not running.')

    if get_silent():
        raise NonFatalException("setup-sso is not enabled in silent mode.")

    validate_options(options)

    ambari_properties = get_ambari_properties()
    admin_login, admin_password = get_ambari_admin_username_password_pair(
        options)
    properties = get_sso_properties(ambari_properties, admin_login,
                                    admin_password)

    if options.sso_enabled:
        # Explicit command-line choice: only the literal 'true' enables SSO.
        enable_sso = options.sso_enabled == 'true'
    else:
        auth_flag = get_value_from_dictionary(properties,
                                              AMBARI_SSO_AUTH_ENABLED)
        services_flag = get_value_from_dictionary(properties,
                                                  SSO_MANAGE_SERVICES)

        # Either flag being 'true' counts as enabled; a flag that is set to
        # anything else counts as disabled; no flag at all means SSO was
        # never configured.
        if auth_flag == 'true' or services_flag == 'true':
            sso_status = "enabled"
        elif auth_flag or services_flag:
            sso_status = "disabled"
        else:
            sso_status = "not configured"
        sys.stdout.write("\nSSO is currently %s\n" % sso_status)

        if sso_status == "enabled":
            wants_disable = get_YN_input(
                "Do you want to disable SSO authentication [y/n] (n)? ",
                False)
            enable_sso = not wants_disable
        else:
            wants_configure = get_YN_input(
                "Do you want to configure SSO authentication [y/n] (y)? ",
                True)
            if not wants_configure:
                return False
            enable_sso = True

    if not enable_sso:
        remove_sso_conf(ambari_properties, admin_login, admin_password)
        return

    # Collect every setting first; nothing is handed to update_sso_conf until
    # all prompts have been answered.
    populate_sso_provider_url(options, properties)
    populate_sso_public_cert(options, properties)
    populate_ambari_requires_sso(options, properties)
    populate_service_management(options, properties, ambari_properties,
                                admin_login, admin_password)
    populate_jwt_cookie_name(options, properties)
    populate_jwt_audiences(options, properties)

    update_sso_conf(ambari_properties, properties, admin_login,
                    admin_password)
def populate_service_management(options, properties, ambari_properties,
                                admin_login, admin_password):
    """Decide which services get SSO and store the result in ``properties``.

    Writes ``SSO_MANAGE_SERVICES`` ('true' or "false") and
    ``SSO_ENABLED_SERVICES`` (a comma-separated list,
    ``WILDCARD_FOR_ALL_SERVICES``, or "").

    When ``options.sso_enabled_services`` is set, it is upper-cased and
    stored without prompting, and service management defaults to on unless
    ``options.sso_manage_services`` says otherwise. Without it the operator
    is asked, service by service if needed.
    """
    requested_services = options.sso_enabled_services
    manage_option = options.sso_manage_services
    services = ""

    if requested_services:
        if manage_option:
            manage_services = 'true' == manage_option
        else:
            manage_services = True
        # NOTE(review): the list from the command line is stored as given
        # (upper-cased); it is not matched against the eligible services
        # here. Presumably validate_options covers that -- confirm.
        services = requested_services.upper()
    else:
        if manage_option:
            manage_services = 'true' == manage_option
            if not options.sso_provider_url:
                # Echo the question with the answer taken from the options,
                # so the transcript shows which value was applied.
                stored_choice = get_boolean_from_dictionary(
                    properties, SSO_MANAGE_SERVICES, False)
                print(
                    "Manage SSO configurations for eligible services [y/n] ({0})? {1}"
                    .format('y' if stored_choice else 'n',
                            'y' if manage_services else 'n'))
        else:
            stored_choice = get_boolean_from_dictionary(
                properties, SSO_MANAGE_SERVICES, False)
            manage_services = get_YN_input(
                "Manage SSO configurations for eligible services [y/n] ({0})? "
                .format('y' if stored_choice else 'n'), stored_choice)

        if manage_services:
            previously_enabled = get_value_from_dictionary(
                properties, SSO_ENABLED_SERVICES, "").upper().split(',')
            wildcard_stored = "*" in previously_enabled

            use_for_all = get_YN_input(
                " Use SSO for all services [y/n] ({0})? ".format(
                    'y' if wildcard_stored else 'n'), wildcard_stored)

            if use_for_all:
                services = WILDCARD_FOR_ALL_SERVICES
            else:
                cluster_name = get_cluster_name(ambari_properties,
                                                admin_login, admin_password)
                if cluster_name:
                    eligible_services = get_eligible_services(
                        ambari_properties, admin_login, admin_password,
                        cluster_name)

                    if eligible_services and len(eligible_services) > 0:
                        selected = []
                        for service in eligible_services:
                            # Default answer: whether the service was
                            # already in the stored list.
                            was_enabled = service.upper() in previously_enabled
                            question = " Use SSO for {0} [y/n] ({1})? ".format(
                                service, 'y' if was_enabled else 'n')
                            if get_YN_input(question, was_enabled):
                                selected.append(service)
                        services = ','.join(selected)
                    else:
                        print(" There are no eligible services installed.")

    properties[SSO_MANAGE_SERVICES] = 'true' if manage_services else "false"
    properties[SSO_ENABLED_SERVICES] = services
def setup_trusted_proxy(options):
    """Interactively enable, reconfigure or disable Trusted Proxy support.

    Raises FatalException when the server is not running and
    NonFatalException in silent mode. Returns False when support is not
    currently enabled and the operator declines to configure it; every
    other completed path returns None.

    Proxy entries come either from repeated interactive prompts or from the
    file named by ``options.tproxy_configuration_file_path``.
    """
    print_info_msg("Setup Trusted Proxy")

    running, _pid = is_server_runing()
    if not running:
        raise FatalException(1, 'Ambari Server is not running.')

    if get_silent():
        raise NonFatalException(
            "setup-trusted-proxy is not enabled in silent mode.")

    validate_options(options)

    ambari_properties = get_ambari_properties()
    admin_login, admin_password = get_ambari_admin_username_password_pair(
        options)
    properties = get_trusted_proxy_properties(ambari_properties, admin_login,
                                              admin_password)

    if options.tproxy_enabled:
        # Explicit command-line choice: only the literal 'true' enables it.
        enable_tproxy = options.tproxy_enabled == 'true'
    else:
        stored_flag = get_value_from_dictionary(properties,
                                                TPROXY_SUPPORT_ENABLED)
        if not stored_flag:
            tproxy_status = "not configured"
        elif 'true' == stored_flag:
            tproxy_status = "enabled"
        else:
            tproxy_status = "disabled"
        print_info_msg("\nTrusted Proxy support is currently %s\n" %
                       tproxy_status)

        if tproxy_status == "enabled":
            wants_disable = get_YN_input(
                "Do you want to disable Trusted Proxy support [y/n] (n)? ",
                False)
            enable_tproxy = not wants_disable
        else:
            wants_configure = get_YN_input(
                "Do you want to configure Trusted Proxy Support [y/n] (y)? ",
                True)
            if not wants_configure:
                return False
            enable_tproxy = True

    if not enable_tproxy:
        remove_tproxy_conf(ambari_properties, admin_login, admin_password)
        return

    properties[TPROXY_SUPPORT_ENABLED] = "true"

    config_file = options.tproxy_configuration_file_path
    if config_file:
        # NOTE(review): the file's entries become trusted-proxy settings.
        # Nothing visible here checks the file's ownership or permissions;
        # confirm it is readable and writable only by the administrator.
        parse_trusted_configuration_file(config_file, properties)
    else:
        # Keep adding proxy entries until the helper reports that the
        # operator is done.
        while add_new_trusted_proxy_config(properties):
            pass

    update_tproxy_conf(ambari_properties, properties, admin_login,
                       admin_password)