def generate_env(options, ambari_user, current_user): properties = get_ambari_properties() isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) environ = os.environ.copy() # Need to handle master key not persisted scenario if isSecure and not masterKeyFile: prompt = False masterKey = environ.get(SECURITY_KEY_ENV_VAR_NAME) if masterKey is not None and masterKey != "": pass else: keyLocation = environ.get(SECURITY_MASTER_KEY_LOCATION) if keyLocation is not None: try: # Verify master key can be read by the java process with open(keyLocation, 'r'): pass except IOError: print_warning_msg( "Cannot read Master key from path specified in " "environemnt.") prompt = True else: # Key not provided in the environment prompt = True if prompt: import pwd masterKey = get_original_master_key(properties) environ[SECURITY_KEY_ENV_VAR_NAME] = masterKey tempDir = tempfile.gettempdir() tempFilePath = tempDir + os.sep + "masterkey" save_master_key(options, masterKey, tempFilePath, True) if ambari_user != current_user: uid = pwd.getpwnam(ambari_user).pw_uid gid = pwd.getpwnam(ambari_user).pw_gid os.chown(tempFilePath, uid, gid) else: os.chmod(tempFilePath, stat.S_IREAD | stat.S_IWRITE) if tempFilePath is not None: environ[SECURITY_MASTER_KEY_LOCATION] = tempFilePath return environ
def verify_setup_allowed(): if get_silent(): properties = get_ambari_properties() if properties == -1: print_error_msg("Error getting ambari properties") return -1 isSecure = get_is_secure(properties) if isSecure: (isPersisted, masterKeyFile) = get_is_persisted(properties) if not isPersisted: print "ERROR: Cannot run silent 'setup' with password encryption enabled " \ "and Master Key not persisted." print "Ambari Server 'setup' exiting." return 1 return 0
def verify_setup_allowed(): if get_silent(): properties = get_ambari_properties() if properties == -1: print_error_msg("Error getting tbds properties") return -1 isSecure = get_is_secure(properties) if isSecure: (isPersisted, masterKeyFile) = get_is_persisted(properties) if not isPersisted: print "ERROR: Cannot run silent 'setup' with password encryption enabled " \ "and Master Key not persisted." print "TBDS Server 'setup' exiting." return 1 return 0
def generate_env(ambari_user, current_user): properties = get_ambari_properties() isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) environ = os.environ.copy() # Need to handle master key not persisted scenario if isSecure and not masterKeyFile: prompt = False masterKey = environ.get(SECURITY_KEY_ENV_VAR_NAME) if masterKey is not None and masterKey != "": pass else: keyLocation = environ.get(SECURITY_MASTER_KEY_LOCATION) if keyLocation is not None: try: # Verify master key can be read by the java process with open(keyLocation, 'r'): pass except IOError: print_warning_msg("Cannot read Master key from path specified in " "environemnt.") prompt = True else: # Key not provided in the environment prompt = True if prompt: import pwd masterKey = get_original_master_key(properties) tempDir = tempfile.gettempdir() tempFilePath = tempDir + os.sep + "masterkey" save_master_key(masterKey, tempFilePath, True) if ambari_user != current_user: uid = pwd.getpwnam(ambari_user).pw_uid gid = pwd.getpwnam(ambari_user).pw_gid os.chown(tempFilePath, uid, gid) else: os.chmod(tempFilePath, stat.S_IREAD | stat.S_IWRITE) if tempFilePath is not None: environ[SECURITY_MASTER_KEY_LOCATION] = tempFilePath return environ
def verify_setup_allowed(options): if get_silent(): properties = get_ambari_properties() if properties == -1: print_error_msg("Error getting ambari properties") return -1 isSecure = get_is_secure(properties) if isSecure: (isPersisted, masterKeyFile) = get_is_persisted(properties) if not isPersisted: print "ERROR: Cannot run silent 'setup' with password encryption enabled " \ "and Master Key not persisted." print "Ambari Server 'setup' exiting." return 1 factory = DBMSConfigFactory() default_dbms = factory.get_default_dbms_name() if default_dbms: valid = True if options.dbms is not None \ and options.database_host is not None \ and options.database_port is not None \ and options.database_name is not None \ and options.database_username is not None \ and options.database_password is not None: if default_dbms == "sqlanywhere" and options.sqla_server_name is None: valid = False else: valid = False if not valid: print "ERROR: Cannot run silent setup without database connection properties provided." print "Ambari Server 'setup' exiting." return 2 return 0
def setup_master_key(): if not is_root(): err = 'Ambari-server setup should be run with ' \ 'root-level privileges' raise FatalException(4, err) properties = get_ambari_properties() if properties == -1: raise FatalException(1, "Failed to read properties file.") db_windows_auth_prop = properties.get_property(JDBC_USE_INTEGRATED_AUTH_PROPERTY) db_sql_auth = False if db_windows_auth_prop and db_windows_auth_prop.lower() == 'true' else True db_password = properties.get_property(JDBC_PASSWORD_PROPERTY) # Encrypt passwords cannot be called before setup if db_sql_auth and not db_password: print 'Please call "setup" before "encrypt-passwords". Exiting...' return 1 # Check configuration for location of master key isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) # Read clear text DB password from file if db_sql_auth and not is_alias_string(db_password) and os.path.isfile(db_password): with open(db_password, 'r') as passwdfile: db_password = passwdfile.read() ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY) if ldap_password: # Read clear text LDAP password from file if not is_alias_string(ldap_password) and os.path.isfile(ldap_password): with open(ldap_password, 'r') as passwdfile: ldap_password = passwdfile.read() ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY) resetKey = False masterKey = None if isSecure: print "Password encryption is enabled." resetKey = get_YN_input("Do you want to reset Master Key? [y/n] (n): ", False) # For encrypting of only unencrypted passwords without resetting the key ask # for master key if not persisted. if isSecure and not isPersisted and not resetKey: print "Master Key not persisted." masterKey = get_original_master_key(properties) pass # Make sure both passwords are clear-text if master key is lost if resetKey: if not isPersisted: print "Master Key not persisted." masterKey = get_original_master_key(properties) # Unable get the right master key or skipped question <enter> if not masterKey: print "To disable encryption, do the following:" print "- Edit " + find_properties_file() + \ " and set " + SECURITY_IS_ENCRYPTION_ENABLED + " = " + "false." err = "{0} is already encrypted. Please call {1} to store unencrypted" \ " password and call 'encrypt-passwords' again." if db_sql_auth and db_password and is_alias_string(db_password): print err.format('- Database password', "'" + SETUP_ACTION + "'") if ldap_password and is_alias_string(ldap_password): print err.format('- LDAP manager password', "'" + LDAP_SETUP_ACTION + "'") if ts_password and is_alias_string(ts_password): print err.format('TrustStore password', "'" + LDAP_SETUP_ACTION + "'") return 1 pass pass pass # Read back any encrypted passwords if db_sql_auth and db_password and is_alias_string(db_password): db_password = read_passwd_for_alias(JDBC_RCA_PASSWORD_ALIAS, masterKey) if ldap_password and is_alias_string(ldap_password): ldap_password = read_passwd_for_alias(LDAP_MGR_PASSWORD_ALIAS, masterKey) if ts_password and is_alias_string(ts_password): ts_password = read_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, masterKey) # Read master key, if non-secure or reset is true if resetKey or not isSecure: masterKey = read_master_key(resetKey) persist = get_YN_input("Do you want to persist master key. If you choose " \ "not to persist, you need to provide the Master " \ "Key while starting the ambari server as an env " \ "variable named " + SECURITY_KEY_ENV_VAR_NAME + \ " or the start will prompt for the master key." " Persist [y/n] (y)? ", True) if persist: save_master_key(masterKey, get_master_key_location(properties) + os.sep + SECURITY_MASTER_KEY_FILENAME, persist) elif not persist and masterKeyFile: try: os.remove(masterKeyFile) print_info_msg("Deleting master key file at location: " + str( masterKeyFile)) except Exception, e: print 'ERROR: Could not remove master key file. %s' % e # Blow up the credential store made with previous key, if any store_file = get_credential_store_location(properties) if os.path.exists(store_file): try: os.remove(store_file) except: print_warning_msg("Failed to remove credential store file.") pass pass
def generate_child_process_param_list(ambari_user, current_user, java_exe, class_path, debug_start, suspend_mode): from ambari_commons.os_linux import ULIMIT_CMD properties = get_ambari_properties() isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) environ = os.environ.copy() # Need to handle master key not persisted scenario if isSecure and not masterKeyFile: prompt = False masterKey = environ.get(SECURITY_KEY_ENV_VAR_NAME) if masterKey is not None and masterKey != "": pass else: keyLocation = environ.get(SECURITY_MASTER_KEY_LOCATION) if keyLocation is not None: try: # Verify master key can be read by the java process with open(keyLocation, 'r'): pass except IOError: print_warning_msg( "Cannot read Master key from path specified in " "environemnt.") prompt = True else: # Key not provided in the environment prompt = True if prompt: import pwd masterKey = get_original_master_key(properties) tempDir = tempfile.gettempdir() tempFilePath = tempDir + os.sep + "masterkey" save_master_key(masterKey, tempFilePath, True) if ambari_user != current_user: uid = pwd.getpwnam(ambari_user).pw_uid gid = pwd.getpwnam(ambari_user).pw_gid os.chown(tempFilePath, uid, gid) else: os.chmod(tempFilePath, stat.S_IREAD | stat.S_IWRITE) if tempFilePath is not None: environ[SECURITY_MASTER_KEY_LOCATION] = tempFilePath command_base = SERVER_START_CMD_DEBUG if debug_start else SERVER_START_CMD ulimit_cmd = "%s %s" % (ULIMIT_CMD, str(get_ulimit_open_files(properties))) command = command_base.format( java_exe, ambari_provider_module_option, jvm_args, class_path, configDefaults.SERVER_OUT_FILE, os.path.join(configDefaults.PID_DIR, EXITCODE_NAME), suspend_mode) # required to start properly server instance os.chdir(configDefaults.ROOT_FS_PATH) #For properly daemonization server should be started using shell as parent param_list = [locate_file('sh', '/bin'), "-c"] if is_root() and ambari_user != "root": # To inherit exported environment variables (especially AMBARI_PASSPHRASE), # from subprocess, we have to skip --login option of su command. That's why # we change dir to / (otherwise subprocess can face with 'permission denied' # errors while trying to list current directory cmd = "{ulimit_cmd} ; {su} {ambari_user} -s {sh_shell} -c '{command}'".format( ulimit_cmd=ulimit_cmd, su=locate_file('su', '/bin'), ambari_user=ambari_user, sh_shell=locate_file('sh', '/bin'), command=command) else: cmd = "{ulimit_cmd} ; {command}".format(ulimit_cmd=ulimit_cmd, command=command) param_list.append(cmd) return (param_list, environ)
def generate_child_process_param_list(ambari_user, current_user, java_exe, class_path, debug_start, suspend_mode): from ambari_commons.os_linux import ULIMIT_CMD properties = get_ambari_properties() isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) environ = os.environ.copy() # Need to handle master key not persisted scenario if isSecure and not masterKeyFile: prompt = False masterKey = environ.get(SECURITY_KEY_ENV_VAR_NAME) if masterKey is not None and masterKey != "": pass else: keyLocation = environ.get(SECURITY_MASTER_KEY_LOCATION) if keyLocation is not None: try: # Verify master key can be read by the java process with open(keyLocation, 'r'): pass except IOError: print_warning_msg("Cannot read Master key from path specified in " "environemnt.") prompt = True else: # Key not provided in the environment prompt = True if prompt: import pwd masterKey = get_original_master_key(properties) tempDir = tempfile.gettempdir() tempFilePath = tempDir + os.sep + "masterkey" save_master_key(masterKey, tempFilePath, True) if ambari_user != current_user: uid = pwd.getpwnam(ambari_user).pw_uid gid = pwd.getpwnam(ambari_user).pw_gid os.chown(tempFilePath, uid, gid) else: os.chmod(tempFilePath, stat.S_IREAD | stat.S_IWRITE) if tempFilePath is not None: environ[SECURITY_MASTER_KEY_LOCATION] = tempFilePath command_base = SERVER_START_CMD_DEBUG if debug_start else SERVER_START_CMD ulimit_cmd = "%s %s" % (ULIMIT_CMD, str(get_ulimit_open_files(properties))) command = command_base.format(java_exe, ambari_provider_module_option, jvm_args, class_path, configDefaults.SERVER_OUT_FILE, os.path.join(configDefaults.PID_DIR, EXITCODE_NAME), suspend_mode) # required to start properly server instance os.chdir(configDefaults.ROOT_FS_PATH) #For properly daemonization server should be started using shell as parent param_list = [locate_file('sh', '/bin'), "-c"] if is_root() and ambari_user != "root": # To inherit exported environment variables (especially AMBARI_PASSPHRASE), # from subprocess, we have to skip --login option of su command. That's why # we change dir to / (otherwise subprocess can face with 'permission denied' # errors while trying to list current directory cmd = "{ulimit_cmd} ; {su} {ambari_user} -s {sh_shell} -c '{command}'".format(ulimit_cmd=ulimit_cmd, su=locate_file('su', '/bin'), ambari_user=ambari_user, sh_shell=locate_file('sh', '/bin'), command=command) else: cmd = "{ulimit_cmd} ; {command}".format(ulimit_cmd=ulimit_cmd, command=command) param_list.append(cmd) return (param_list, environ)