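def setup_component_https(component, command, property, alias):
    """Interactively enable or disable HTTPS for *component*.

    The current state is the value stored under *property* in the Ambari
    properties ('true' means HTTPS is on).  When it is on, the operator is
    offered to disable it: the truststore entry *alias* is deleted and the
    property is set to "false".  When it is off, the operator is offered to
    enable it: any entry under *alias* is deleted, a certificate is imported
    from a path the operator enters, and the property is set to "true".
    The properties file is rewritten only when a change was confirmed.

    In silent mode nothing is changed and a notice is printed instead.

    Raises:
        FatalException: when find_jdk() returns None.
    """
    if get_silent():
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print(command + " is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()
    https_enabled = properties.get_property(property) == 'true'

    if https_enabled:
        if not get_YN_input(
                "Do you want to disable HTTPS for " + component + " [y/n] (n)? ",
                False):
            return
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # NOTE(review): the truststore password is handed to the command
        # builder; if it lands on the command line it is visible in the
        # process list -- confirm how get_delete_cert_command passes it.
        run_component_https_cmd(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        properties.process_pair(property, "false")
    else:
        if not get_YN_input(
                "Do you want to configure HTTPS for " + component + " [y/n] (y)? ",
                True):
            return
        truststore_type = get_truststore_type(properties)
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # The result of this delete is not checked; presumably a best-effort
        # removal of a stale entry before the import -- confirm.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        # NOTE(review): this path is operator-supplied and flows into an OS
        # command; confirm get_import_cert_command quotes it.
        import_cert_path = get_validated_filepath_input(
            "Enter path to " + component + " Certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))

        properties.process_pair(property, "true")

    conf_file = find_properties_file()
    # Close the handle deterministically so the rewritten properties are
    # flushed even if store() raises; the original never closed it.
    with open(conf_file, 'w') as f:
        properties.store(f, "Changed by 'ambari-server " + command + "' command")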
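def setup_truststore(options, import_cert=False):
    """Configure the truststore and optionally import a certificate.

    Values supplied on *options* (trust_store_path, trust_store_reconfigure,
    import_cert_path, import_cert_alias) replace the matching interactive
    prompts.  When *import_cert* is false and a truststore type is already
    stored, the operator (or the trust_store_reconfigure option) may choose
    to drop the stored type, path and password before they are collected
    again.  The properties file is rewritten unless the operator declines
    to configure a truststore.

    In silent mode nothing is changed and a notice is printed instead.

    Raises:
        FatalException: when find_jdk() returns None.
    """
    if get_silent():
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print("setup-security is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()

    truststore_confirm = bool(options.trust_store_path)
    truststore_reconfigure = options.trust_store_reconfigure is not None

    if not (truststore_confirm or
            get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True)):
        return

    # Re-configuration enabled only for option "Setup truststore"
    if not import_cert and properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY) \
            and (truststore_reconfigure or get_YN_input(
                "The truststore is already configured. Do you want to re-configure "
                "the truststore [y/n] (y)? ", True)):
        properties.removeProp(SSL_TRUSTSTORE_TYPE_PROPERTY)
        properties.removeProp(SSL_TRUSTSTORE_PATH_PROPERTY)
        properties.removeProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY)

    truststore_type = get_and_persist_truststore_type(properties, options)
    truststore_path = get_and_persist_truststore_path(properties, options)
    # NOTE(review): the name suggests the password is persisted into the
    # properties; confirm how it is stored and who can read that file.
    truststore_password = get_and_persist_truststore_password(properties, options)

    if import_cert:
        import_cert_confirm = options.import_cert_path is not None or get_YN_input(
            "Do you want to import a certificate [y/n] (y)? ", True)
        if import_cert_confirm:
            # An empty alias option is treated like a missing one.
            alias = options.import_cert_alias or None
            if alias is None:
                alias = get_validated_string_input(
                    "Please enter an alias for the certificate: ",
                    "", None, None, False, False)

            # NOTE(review): alias, certificate path and truststore password
            # all flow into OS commands; confirm the command builders quote
            # them and keep the password off the command line.
            # The result of this delete is not checked; presumably a
            # best-effort removal of a stale entry -- confirm.
            run_os_command(
                get_delete_cert_command(jdk_path, alias, truststore_path,
                                        truststore_password))

            import_cert_path = get_validated_filepath_input(
                "Enter path to certificate: ",
                "Certificate not found",
                answer=options.import_cert_path)

            run_component_https_cmd(
                get_import_cert_command(jdk_path, alias, truststore_type,
                                        import_cert_path, truststore_path,
                                        truststore_password))

    conf_file = find_properties_file()
    # Close the handle deterministically so the rewritten properties are
    # flushed even if store() raises; the original never closed it.
    with open(conf_file, 'w') as f:
        properties.store(f, "Changed by 'ambari-server setup-security' command")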
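def setup_truststore(import_cert=False):
    """Interactively configure the truststore and optionally import a cert.

    After the operator confirms, truststore type, path and password are
    obtained through the get_truststore_* helpers.  With *import_cert* set,
    the operator may additionally import a certificate under an alias they
    enter; any existing entry under that alias is deleted first.  The
    properties file is rewritten unless the operator declines to configure
    a truststore.

    In silent mode nothing is changed and a notice is printed instead.

    Raises:
        FatalException: when find_jdk() returns None.
    """
    if get_silent():
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print("setup-security is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()

    if not get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True):
        return

    truststore_type = get_truststore_type(properties)
    truststore_path = get_truststore_path(properties)
    truststore_password = get_truststore_password(properties)

    if import_cert and get_YN_input(
            "Do you want to import a certificate [y/n] (y)? ", True):
        alias = get_validated_string_input(
            "Please enter an alias for the certificate: ",
            "", None, None, False, False)

        # NOTE(review): alias, certificate path and truststore password all
        # flow into OS commands; confirm the command builders quote them and
        # keep the password off the command line.
        # The result of this delete is not checked; presumably a best-effort
        # removal of a stale entry -- confirm.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        import_cert_path = get_validated_filepath_input(
            "Enter path to certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))

    conf_file = find_properties_file()
    # Close the handle deterministically so the rewritten properties are
    # flushed even if store() raises; the original never closed it.
    with open(conf_file, 'w') as f:
        properties.store(f, "Changed by 'ambari-server setup-security' command")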
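def setup_component_https(component, command, property, alias):
    """Interactively enable or disable HTTPS for *component*.

    The current state is the value stored under *property* in the server
    properties ('true' means HTTPS is on).  When it is on, the operator is
    offered to disable it: the truststore entry *alias* is deleted and the
    property is set to "false".  When it is off, the operator is offered to
    enable it: any entry under *alias* is deleted, a certificate is imported
    from a path the operator enters, and the property is set to "true".
    The properties file is rewritten only when a change was confirmed.

    In silent mode nothing is changed and a notice is printed instead.

    Raises:
        FatalException: when find_jdk() returns None.
    """
    if get_silent():
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print(command + " is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"tbds-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()
    https_enabled = properties.get_property(property) == 'true'

    if https_enabled:
        if not get_YN_input(
                "Do you want to disable HTTPS for " + component + " [y/n] (n)? ",
                False):
            return
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # NOTE(review): the truststore password is handed to the command
        # builder; if it lands on the command line it is visible in the
        # process list -- confirm how get_delete_cert_command passes it.
        run_component_https_cmd(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        properties.process_pair(property, "false")
    else:
        if not get_YN_input(
                "Do you want to configure HTTPS for " + component + " [y/n] (y)? ",
                True):
            return
        truststore_type = get_truststore_type(properties)
        truststore_path = get_truststore_path(properties)
        truststore_password = get_truststore_password(properties)

        # The result of this delete is not checked; presumably a best-effort
        # removal of a stale entry before the import -- confirm.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        # NOTE(review): this path is operator-supplied and flows into an OS
        # command; confirm get_import_cert_command quotes it.
        import_cert_path = get_validated_filepath_input(
            "Enter path to " + component + " Certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))

        properties.process_pair(property, "true")

    conf_file = find_properties_file()
    # Close the handle deterministically so the rewritten properties are
    # flushed even if store() raises; the original never closed it.
    with open(conf_file, 'w') as f:
        properties.store(f, "Changed by 'tbds-server " + command + "' command")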
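def setup_truststore(import_cert=False):
    """Interactively configure the truststore and optionally import a cert.

    After the operator confirms, truststore type, path and password are
    obtained through the get_truststore_* helpers.  With *import_cert* set,
    the operator may additionally import a certificate under an alias they
    enter; any existing entry under that alias is deleted first.  The
    properties file is rewritten unless the operator declines to configure
    a truststore.

    In silent mode nothing is changed and a notice is printed instead.

    Raises:
        FatalException: when find_jdk() returns None.
    """
    if get_silent():
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print("setup-security is not enabled in silent mode.")
        return

    jdk_path = find_jdk()
    if jdk_path is None:
        err = "No JDK found, please run the \"ambari-server setup\" " \
              "command to install a JDK automatically or install any " \
              "JDK manually to " + configDefaults.JDK_INSTALL_DIR
        raise FatalException(1, err)

    properties = get_ambari_properties()

    if not get_YN_input("Do you want to configure a truststore [y/n] (y)? ", True):
        return

    truststore_type = get_truststore_type(properties)
    truststore_path = get_truststore_path(properties)
    truststore_password = get_truststore_password(properties)

    if import_cert and get_YN_input(
            "Do you want to import a certificate [y/n] (y)? ", True):
        alias = get_validated_string_input(
            "Please enter an alias for the certificate: ",
            "", None, None, False, False)

        # NOTE(review): alias, certificate path and truststore password all
        # flow into OS commands; confirm the command builders quote them and
        # keep the password off the command line.
        # The result of this delete is not checked; presumably a best-effort
        # removal of a stale entry -- confirm.
        run_os_command(
            get_delete_cert_command(jdk_path, alias, truststore_path,
                                    truststore_password))

        import_cert_path = get_validated_filepath_input(
            "Enter path to certificate: ",
            "Certificate not found")

        run_component_https_cmd(
            get_import_cert_command(jdk_path, alias, truststore_type,
                                    import_cert_path, truststore_path,
                                    truststore_password))

    conf_file = find_properties_file()
    # Close the handle deterministically so the rewritten properties are
    # flushed even if store() raises; the original never closed it.
    with open(conf_file, 'w') as f:
        properties.store(f, "Changed by 'ambari-server setup-security' command")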
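def import_cert_and_key(security_server_keys_dir):
    """Import an operator-supplied certificate and private key for HTTPS.

    Prompts for the certificate path, the private-key path and the key
    password, builds a keystore in the temp directory with EXPRT_KSTR_CMD,
    installs the keystore, password file, certificate and key under
    *security_server_keys_dir*, and validates the result with
    VALIDATE_KEYSTORE_CMD.  Certificate hostname and date checks only emit
    warnings; they never abort the import.

    Returns:
        True when the keystore was installed and validated, False otherwise.
    """
    import_cert_path = get_validated_filepath_input(
        "Enter path to Certificate: ",
        "Certificate not found")
    import_key_path = get_validated_filepath_input(
        "Enter path to Private Key: ", "Private Key not found")
    pem_password = get_validated_string_input(
        "Please enter password for Private Key: ", "", None, None, True)

    certInfoDict = get_cert_info(import_cert_path)

    if not certInfoDict:
        print_warning_msg('Unable to get Certificate information')
    else:
        # Validate common name of certificate
        if not is_valid_cert_host(certInfoDict):
            print_warning_msg('Unable to validate Certificate hostname')

        # Validate issue and expirations dates of certificate
        if not is_valid_cert_exp(certInfoDict):
            print_warning_msg('Unable to validate Certificate issue and expiration dates')

    # jetty requires private key files with non-empty key passwords
    retcode = 0
    err = ''
    if not pem_password:
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print('Generating random password for HTTPS keystore...done.')
        pem_password = generate_random_string()
        # NOTE(review): the generated password is interpolated into the
        # command string, so it may be visible in the process list while the
        # command runs; confirm what CHANGE_KEY_PWD_CND expands to.
        retcode, _out, err = run_os_command(
            CHANGE_KEY_PWD_CND.format(import_key_path, pem_password))
        import_key_path += '.secured'

    if retcode == 0:
        tmp_dir = tempfile.gettempdir()
        keystoreFilePath = os.path.join(security_server_keys_dir,
                                        SSL_KEYSTORE_FILE_NAME)
        keystoreFilePathTmp = os.path.join(tmp_dir, SSL_KEYSTORE_FILE_NAME)
        passFilePath = os.path.join(security_server_keys_dir,
                                    SSL_KEY_PASSWORD_FILE_NAME)
        passFilePathTmp = os.path.join(tmp_dir, SSL_KEY_PASSWORD_FILE_NAME)
        passinFilePath = os.path.join(tmp_dir, SSL_PASSIN_FILE)
        passwordFilePath = os.path.join(tmp_dir, SSL_PASSWORD_FILE)

        # The key password is written to the shared temp directory, so create
        # the file owner-only instead of relying on the process umask.
        # NOTE(review): the file name is still predictable and the mode only
        # applies when the file is newly created; a per-run private directory
        # (tempfile.mkdtemp) would be the stronger fix.
        pass_fd = os.open(passFilePathTmp,
                          os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(pass_fd, 'w') as passFile:
            passFile.write(pem_password)

        # NOTE(review): permissions are set on the final location before
        # anything is imported there; confirm that path exists at this point.
        set_file_permissions(passFilePath, "660", read_ambari_user(), False)

        # NOTE(review): whether the copies keep the owner-only mode depends
        # on copy_file -- confirm.
        copy_file(passFilePathTmp, passinFilePath)
        copy_file(passFilePathTmp, passwordFilePath)

        retcode, _out, err = run_os_command(
            EXPRT_KSTR_CMD.format(import_cert_path, import_key_path,
                                  passwordFilePath, passinFilePath,
                                  keystoreFilePathTmp))

        if retcode != 0:
            # Do not leave copies of the key password behind in the temp
            # directory when the export fails; the original removed them
            # only on the success path.
            remove_file(passinFilePath)
            remove_file(passwordFilePath)
            remove_file(passFilePathTmp)

    if retcode != 0:
        print_error_msg('Could not import Certificate and Private Key.')
        print('SSL error on exporting keystore: ' + err.rstrip() +
              '.\nPlease ensure that provided Private Key password is correct and ' +
              're-import Certificate.')
        return False

    print('Importing and saving Certificate...done.')
    import_file_to_keystore(keystoreFilePathTmp, keystoreFilePath)
    import_file_to_keystore(passFilePathTmp, passFilePath)

    import_file_to_keystore(import_cert_path, os.path.join(
        security_server_keys_dir, SSL_CERT_FILE_NAME))
    import_file_to_keystore(import_key_path, os.path.join(
        security_server_keys_dir, SSL_KEY_FILE_NAME))

    # Validate keystore
    retcode, _out, err = run_os_command(
        VALIDATE_KEYSTORE_CMD.format(keystoreFilePath, passwordFilePath,
                                     passinFilePath))

    # The password copies are no longer needed once validation has run.
    remove_file(passinFilePath)
    remove_file(passwordFilePath)

    if retcode != 0:
        print('Error during keystore validation occured!:')
        print(err)
        return False

    return True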
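def import_cert_and_key(security_server_keys_dir):
    """Import an operator-supplied certificate and private key for HTTPS.

    Prompts for the certificate path, the private-key path and the key
    password, builds a keystore in the temp directory with EXPRT_KSTR_CMD,
    installs the keystore, password file, certificate and key under
    *security_server_keys_dir*, and validates the result with
    VALIDATE_KEYSTORE_CMD.  Certificate hostname and date checks only emit
    warnings; they never abort the import.

    Returns:
        True when the keystore was installed and validated, False otherwise.
    """
    import_cert_path = get_validated_filepath_input(
        "Enter path to Certificate: ",
        "Certificate not found")
    import_key_path = get_validated_filepath_input(
        "Enter path to Private Key: ", "Private Key not found")
    pem_password = get_validated_string_input(
        "Please enter password for Private Key: ", "", None, None, True)

    certInfoDict = get_cert_info(import_cert_path)

    if not certInfoDict:
        print_warning_msg('Unable to get Certificate information')
    else:
        # Validate common name of certificate
        if not is_valid_cert_host(certInfoDict):
            print_warning_msg('Unable to validate Certificate hostname')

        # Validate issue and expirations dates of certificate
        if not is_valid_cert_exp(certInfoDict):
            print_warning_msg(
                'Unable to validate Certificate issue and expiration dates')

    # jetty requires private key files with non-empty key passwords
    retcode = 0
    err = ''
    if not pem_password:
        # Single-argument print(...) is also valid as a Python 2 print statement.
        print('Generating random password for HTTPS keystore...done.')
        pem_password = generate_random_string()
        # NOTE(review): the generated password is interpolated into the
        # command string, so it may be visible in the process list while the
        # command runs; confirm what CHANGE_KEY_PWD_CND expands to.
        retcode, _out, err = run_os_command(
            CHANGE_KEY_PWD_CND.format(import_key_path, pem_password))
        import_key_path += '.secured'

    if retcode == 0:
        tmp_dir = tempfile.gettempdir()
        keystoreFilePath = os.path.join(security_server_keys_dir,
                                        SSL_KEYSTORE_FILE_NAME)
        keystoreFilePathTmp = os.path.join(tmp_dir, SSL_KEYSTORE_FILE_NAME)
        passFilePath = os.path.join(security_server_keys_dir,
                                    SSL_KEY_PASSWORD_FILE_NAME)
        passFilePathTmp = os.path.join(tmp_dir, SSL_KEY_PASSWORD_FILE_NAME)
        passinFilePath = os.path.join(tmp_dir, SSL_PASSIN_FILE)
        passwordFilePath = os.path.join(tmp_dir, SSL_PASSWORD_FILE)

        # The key password is written to the shared temp directory, so create
        # the file owner-only instead of relying on the process umask.
        # NOTE(review): the file name is still predictable and the mode only
        # applies when the file is newly created; a per-run private directory
        # (tempfile.mkdtemp) would be the stronger fix.
        pass_fd = os.open(passFilePathTmp,
                          os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(pass_fd, 'w') as passFile:
            passFile.write(pem_password)

        # NOTE(review): permissions are set on the final location before
        # anything is imported there; confirm that path exists at this point.
        set_file_permissions(passFilePath, "660", read_ambari_user(), False)

        # NOTE(review): whether the copies keep the owner-only mode depends
        # on copy_file -- confirm.
        copy_file(passFilePathTmp, passinFilePath)
        copy_file(passFilePathTmp, passwordFilePath)

        retcode, _out, err = run_os_command(
            EXPRT_KSTR_CMD.format(import_cert_path, import_key_path,
                                  passwordFilePath, passinFilePath,
                                  keystoreFilePathTmp))

        if retcode != 0:
            # Do not leave copies of the key password behind in the temp
            # directory when the export fails; the original removed them
            # only on the success path.
            remove_file(passinFilePath)
            remove_file(passwordFilePath)
            remove_file(passFilePathTmp)

    if retcode != 0:
        print_error_msg('Could not import Certificate and Private Key.')
        print('SSL error on exporting keystore: ' + err.rstrip() +
              '.\nPlease ensure that provided Private Key password is correct and ' +
              're-import Certificate.')
        return False

    print('Importing and saving Certificate...done.')
    import_file_to_keystore(keystoreFilePathTmp, keystoreFilePath)
    import_file_to_keystore(passFilePathTmp, passFilePath)

    import_file_to_keystore(import_cert_path, os.path.join(
        security_server_keys_dir, SSL_CERT_FILE_NAME))
    import_file_to_keystore(import_key_path, os.path.join(
        security_server_keys_dir, SSL_KEY_FILE_NAME))

    # Validate keystore
    retcode, _out, err = run_os_command(
        VALIDATE_KEYSTORE_CMD.format(keystoreFilePath, passwordFilePath,
                                     passinFilePath))

    # The password copies are no longer needed once validation has run.
    remove_file(passinFilePath)
    remove_file(passwordFilePath)

    if retcode != 0:
        print('Error during keystore validation occured!:')
        print(err)
        return False

    return True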