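def create_base_accounts(self, env, fi):
    """Create the accounts every KAVE FreeIPA server needs.

    In order: the robot-admin principal (member of ``admins``) with a fresh
    random password written to its password file, the configured admin shell
    on that principal, the ``hadoop`` group, the LDAP bind user rendered from
    ``bind_user.ldif.j2`` (added only when ``ldapsearch`` does not find it)
    and one non-POSIX group per entry of ``params.ldap_bind_services``.

    Args:
        env: Ambari environment handle; not used here, kept for the interface.
        fi: an authenticated ``freeipa.FreeIPA`` session object.
    """
    import params
    try:
        from shlex import quote as _shell_quote  # Python 3.3+
    except ImportError:
        from pipes import quote as _shell_quote  # Python 2

    rm = freeipa.RobotAdmin()
    fi.create_user_principal(rm.get_login(), groups=['admins'],
                             password=freeipa.generate_random_password(),
                             password_file=rm.get_password_file())
    fi.set_user_shell(rm.get_login(), params.admin_user_shell)

    # Always create the hadoop group
    fi.create_group('hadoop', 'the hadoop user group')

    # Create ldap bind user.
    # The trailing 'Z' in the timestamp format marks a UTC GeneralizedTime, so
    # the value must be computed from UTC rather than local time.
    expiry_date = (datetime.datetime.utcnow()
                   + datetime.timedelta(weeks=52 * 10)).strftime('%Y%m%d%H%M%SZ')
    # NOTE(review): fixed, predictable path in /tmp; the file holds the LDIF
    # rendered from bind_user.ldif.j2 and is readable by the owner only.
    File("/tmp/bind_user.ldif",
         content=Template("bind_user.ldif.j2", expiry_date=expiry_date),
         mode=0o600)

    import kavecommon as kc
    # Quote the interpolated values so a password or uid containing shell
    # metacharacters cannot break or alter the command line.
    # NOTE(review): '-w' still exposes the password in the process list while
    # the tools run; ldapsearch/ldapadd accept '-y <file>' as an alternative.
    quoted_password = _shell_quote(params.directory_password)
    _stat, _stdout, _stderr = kc.shell_call_wrapper(
        'ldapsearch -x -D "cn=directory manager" -w %s %s'
        % (quoted_password, _shell_quote('uid=%s' % params.ldap_bind_user)))
    # NOTE(review): the exit status of ldapsearch is not inspected; a failed
    # bind yields empty output and falls through to ldapadd, which then fails
    # with the same credentials. Consider raising on a non-zero status.
    # Is this user already added? Substring match: a uid that is a prefix of
    # another existing uid would also match.
    if "dn: uid=" + params.ldap_bind_user not in _stdout:
        Execute('ldapadd -x -D "cn=directory manager" -w %s -f /tmp/bind_user.ldif'
                % quoted_password)

    for group in params.ldap_bind_services:
        fi.create_group(group, group + ' user group', ['--nonposix'])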
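def install(self, env):
    """Install and bootstrap a FreeIPA server on this host (centos6/centos7 flow).

    Steps, in order: resolve the host FQDN, verify the FreeIPA ports are free,
    install packages, write and apply the static port-change file, build the
    ``ipa-server-install`` command, run it unless ``self.admin_password_file``
    already exists, start the ``ipa`` service, create the base accounts, the
    initial users/groups and the ``allsudo`` rule, reset the robot-admin
    expiry and finally start the component.

    Args:
        env: Ambari environment handle; ``env.set_params(params)`` is called on it.

    Raises:
        OSError: if ``hostname -f`` exits non-zero.
    """
    import params
    env.set_params(params)
    import subprocess

    p0 = subprocess.Popen(["hostname", "-f"], stdout=subprocess.PIPE)
    _hostname = p0.communicate()[0].strip()
    if p0.returncode:
        raise OSError("Failed to determine hostname!")

    import kavecommon as kc
    os_name = kc.detect_linux_version().lower()

    # Check that all known FreeIPA ports are available; on centos7 the
    # configurable PKI ports must be free as well.
    needed_ports = [88, 123, 389, 464, 636]
    if os_name in ["centos7"]:
        needed_ports = [params.pki_secure_port, params.pki_insecure_port] + needed_ports
    for port in needed_ports:
        self.checkport(port)

    self.install_packages(env)
    for package in self.packages:
        Package(package)

    # Always generate new portchanges file for automated tests
    sed_ports = 'python ' + os.path.dirname(__file__) + '/sed_ports.py'
    if not os.path.exists('/etc/kave'):
        Execute('mkdir -p /etc/kave')
    if not os.path.exists('/etc/kave/portchanges_new.json'):
        Execute(sed_ports + ' --create /etc/kave/portchanges_new.json --debug')
    File("/etc/kave/portchanges_static.json",
         content=Template(os_name + "_server.json.j2"),
         mode=0o600)
    # Always use static file
    Execute(sed_ports + ' --apply /etc/kave/portchanges_static.json --debug')

    admin_password = freeipa.generate_random_password()
    # Both passwords are part of the ipa-server-install command line (see the
    # argument tuple below); mask both in anything Ambari logs, not just the
    # generated admin password.
    Logger.sensitive_strings[admin_password] = "[PROTECTED]"
    Logger.sensitive_strings[params.directory_password] = "[PROTECTED]"

    # NOTE(review): on this listing both password fields read "******" and the
    # format has two placeholders for four arguments, so the '%' raises
    # TypeError at runtime; the values look masked — restore them from the
    # original source before use.
    install_command = (
        'ipa-server-install -U --realm="%s" '
        '--ds-password="******" --admin-password="******" --hostname="%s"'
        % (params.realm, params.directory_password, admin_password, _hostname)
    )
    # Currently --selfsign is mandatory because of some annoying centos6.5
    # problems: the underlying installer uses an outdated method for the
    # dogtag system which fails. However, on centos7 this option does not exist!
    if os_name in ["centos6"]:
        install_command += " --selfsign"
    if params.install_with_dns:
        if os_name in ["centos7"]:
            Package("ipa-server-dns")
        install_command += ' --setup-dns --domain="%s"' % params.domain
        if params.forwarders:
            for forwarder in params.forwarders:
                install_command += ' --forwarder="%s"' % forwarder
        else:
            install_command += ' --no-forwarders'

    # Crude check to avoid reinstalling during debugging
    if not os.path.exists(self.admin_password_file):
        # patch for long domain names!
        if params.long_domain_patch:
            freeipa.sed_ca_longdomain_patch()
        # This is a time-consuming command, better to log the output
        Execute(install_command, logoutput=True)
        # write password file
        File("/root/admin-password",
             content=Template("admin-password.j2", admin_password=admin_password),
             mode=0o600)

    # Ensure service is started before trying to interact with it!
    # NOTE(review): indentation was lost in this listing; the service start and
    # the account bootstrap below are placed at method level (they run on every
    # call, not only after a fresh install) — confirm against the original.
    Execute('service ipa start')
    with freeipa.FreeIPA(self.admin_login, self.admin_password_file, False) as fi:
        # set the default shell
        fi.set_default_shell(params.default_shell)
        # Set the admin user shell
        fi.set_user_shell(self.admin_login, params.admin_user_shell)
        # make base accounts
        self.create_base_accounts(env, fi)
        # create initial users and groups; a plain string entry is shorthand
        # for {"username": <string>}
        if "Users" in params.initial_users_and_groups:
            for user in params.initial_users_and_groups["Users"]:
                if not isinstance(user, dict):
                    user = {"username": user}
                username = user["username"]
                # initial passwords come from configuration in clear text;
                # users without an entry are created with password=None
                password = params.initial_user_passwords.get(username)
                fi.create_user_principal(identity=username,
                                         firstname=user.get('firstname', username),
                                         lastname=user.get('lastname', 'auto_generated'),
                                         password=password)
                if "email" in user:
                    fi.set_user_email(username, user["email"])
        if "Groups" in params.initial_users_and_groups:
            groups = params.initial_users_and_groups["Groups"]
            # a {name: [members]} mapping is normalised to the list form
            if isinstance(groups, dict):
                groups = [{"name": gname, "members": members}
                          for gname, members in groups.items()]
            for group in groups:
                # NOTE(review): the module-level freeipa.create_group() is used
                # here while create_base_accounts() uses fi.create_group();
                # confirm this is intended.
                freeipa.create_group(group["name"])
                for user in group["members"]:
                    fi.group_add_member(group["name"], user)
        fi.create_sudorule('allsudo', **(params.initial_sudoers))

    # create robot admin
    self.reset_robot_admin_expire_date(env)
    # if FreeIPA server is not started properly, then the clients will not install
    self.start(env)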
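def install(self, env):
    """Install and bootstrap a FreeIPA server on this host (systemd flow).

    Steps, in order: resolve the host FQDN, verify the FreeIPA ports are free,
    install packages, re-enable IPv6 on the loopback and bounce dbus, build
    the ``ipa-server-install`` command, run it when ``ipactl status`` reports
    IPA as not installed, start the ``ipa`` service, create the base accounts,
    the initial users/groups and the ``allsudo`` rule, reset the robot-admin
    expiry, harden the Apache configuration and finally start the component.

    Args:
        env: Ambari environment handle; ``env.set_params(params)`` is called on it.

    Raises:
        OSError: if ``hostname -f`` exits non-zero.
    """
    import params
    env.set_params(params)

    p0 = subprocess.Popen(["hostname", "-f"], stdout=subprocess.PIPE)
    _hostname = p0.communicate()[0].strip()
    if p0.returncode:
        raise OSError("Failed to determine hostname!")

    import kavecommon as kc
    os_name = kc.detect_linux_version().lower()

    # Check that all known FreeIPA ports are available
    needed_ports = [88, 123, 389, 464, 636, 8080, 8443]
    for port in needed_ports:
        self.checkport(port)

    self.install_packages(env)
    for package in self.packages:
        Package(package)

    admin_password = freeipa.generate_random_password()
    # Both passwords are part of the ipa-server-install command line (see the
    # argument tuple below); mask both in anything Ambari logs, not just the
    # generated admin password.
    Logger.sensitive_strings[admin_password] = "[PROTECTED]"
    Logger.sensitive_strings[params.directory_password] = "[PROTECTED]"

    # This should not be needed but somehow something reverts the v6 enable recipe.
    Execute("sysctl -w net.ipv6.conf.lo.disable_ipv6=0; ifconfig | grep -q ::1; if [ $? = 1 ]; "
            "then ifconfig lo inet6 add ::1; fi")
    # Try to reload dbus configuration due to a bug in dbus
    Execute("systemctl stop dbus")
    Execute("systemctl start dbus")

    # NOTE(review): on this listing both password fields read "******" and the
    # format has two placeholders for four arguments, so the '%' raises
    # TypeError at runtime; the values look masked — restore them from the
    # original source before use.
    install_command = (
        'ipa-server-install -U --realm="%s" '
        '--ds-password="******" --admin-password="******" --hostname="%s"'
        % (params.realm, params.directory_password, admin_password, _hostname)
    )
    # On centos6 --selfsign was mandatory because of some annoying centos6.5
    # problems (the underlying installer uses an outdated method for the
    # dogtag system which fails); on centos7 this option does not exist, and
    # this revision no longer adds it.
    if params.install_with_dns:
        if os_name in ["centos7"]:
            Package("ipa-server-dns")
        install_command += ' --setup-dns --domain="%s"' % params.domain
        if params.forwarders:
            for forwarder in params.forwarders:
                install_command += ' --forwarder="%s"' % forwarder
        else:
            install_command += ' --no-forwarders'

    # Exit status 4 and 127 are treated as "IPA not installed yet". Popen
    # without a shell raises OSError for a missing ipactl binary instead of
    # returning 127, so map that case onto the same code.
    try:
        p0 = subprocess.Popen(["ipactl", "status"], stdout=subprocess.PIPE)
        p0.communicate()
        ipacheck = p0.returncode
    except OSError:
        ipacheck = 127
    if ipacheck in (4, 127):
        # This is a time-consuming command, better to log the output
        Execute(install_command, logoutput=True)
        # write password file
        File("/root/admin-password",
             content=Template("admin-password.j2", admin_password=admin_password),
             mode=0o600)

    # Ensure service is started before trying to interact with it!
    # NOTE(review): indentation was lost in this listing; the service start and
    # the account bootstrap below are placed at method level (they run on every
    # call, not only after a fresh install) — confirm against the original.
    Execute('systemctl start ipa')
    with freeipa.FreeIPA(self.admin_login, self.admin_password_file, False) as fi:
        # set the default shell
        fi.set_default_shell(params.default_shell)
        # Set the admin user shell
        fi.set_user_shell(self.admin_login, params.admin_user_shell)
        # make base accounts
        self.create_base_accounts(env, fi)
        # create initial users and groups; a plain string entry is shorthand
        # for {"username": <string>}
        if "Users" in params.initial_users_and_groups:
            for user in params.initial_users_and_groups["Users"]:
                if not isinstance(user, dict):
                    user = {"username": user}
                username = user["username"]
                # initial passwords come from configuration in clear text;
                # users without an entry are created with password=None
                password = params.initial_user_passwords.get(username)
                fi.create_user_principal(identity=username,
                                         firstname=user.get('firstname', username),
                                         lastname=user.get('lastname', 'auto_generated'),
                                         password=password)
                if "email" in user:
                    fi.set_user_email(username, user["email"])
        if "Groups" in params.initial_users_and_groups:
            groups = params.initial_users_and_groups["Groups"]
            # a {name: [members]} mapping is normalised to the list form
            if isinstance(groups, dict):
                groups = [{"name": gname, "members": members}
                          for gname, members in groups.items()]
            for group in groups:
                # NOTE(review): the module-level freeipa.create_group() is used
                # here while create_base_accounts() uses fi.create_group();
                # confirm this is intended.
                freeipa.create_group(group["name"])
                for user in group["members"]:
                    fi.group_add_member(group["name"], user)
        fi.create_sudorule('allsudo', **(params.initial_sudoers))

    # create robot admin
    self.reset_robot_admin_expire_date(env)

    # Enable security options for Apache. Append the directives once only: a
    # re-run of install must not duplicate them, and the surrounding newlines
    # keep them off whatever line the file currently ends with.
    httpd_conf_path = "/etc/httpd/conf/httpd.conf"
    hardening = "TraceEnable Off\nServerSignature Off\nServerTokens Prod"
    with open(httpd_conf_path) as httpd_conf:
        already_hardened = hardening in httpd_conf.read()
    if not already_hardened:
        with open(httpd_conf_path, "a") as httpd_conf:
            httpd_conf.write("\n" + hardening + "\n")
    Execute('systemctl restart httpd')

    # if FreeIPA server is not started properly, then the clients will not install
    self.start(env)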
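def install(self, env):
    """Install and bootstrap a FreeIPA server on this host.

    Steps, in order: resolve the host FQDN, install packages, build the
    ``ipa-server-install`` command, run it when ``ipactl status`` reports IPA
    as not installed, start the ``ipa`` service, create the base accounts, the
    initial users/groups and the ``allsudo`` rule, reset the robot-admin
    expiry and finally start the component.

    Args:
        env: Ambari environment handle; ``env.set_params(params)`` is called on it.

    Raises:
        OSError: if ``hostname -f`` exits non-zero.
    """
    import params
    env.set_params(params)

    p0 = subprocess.Popen(["hostname", "-f"], stdout=subprocess.PIPE)
    _hostname = p0.communicate()[0].strip()
    if p0.returncode:
        raise OSError("Failed to determine hostname!")

    # NOTE(review): this revision runs no port pre-flight (self.checkport) even
    # though the FreeIPA ports 88, 123, 389, 464, 636, 8080 and 8443 must be
    # free; confirm this was intended.
    self.install_packages(env)
    Package(self.packages)

    admin_password = freeipa.generate_random_password()
    # Both passwords are part of the ipa-server-install command line (see the
    # argument tuple below); mask both in anything Ambari logs, not just the
    # generated admin password.
    Logger.sensitive_strings[admin_password] = "[PROTECTED]"
    Logger.sensitive_strings[params.directory_password] = "[PROTECTED]"

    # NOTE(review): on this listing both password fields read "******" and the
    # format has two placeholders for four arguments, so the '%' raises
    # TypeError at runtime; the values look masked — restore them from the
    # original source before use.
    install_command = (
        'ipa-server-install -U --realm="%s" '
        '--ds-password="******" --admin-password="******" --hostname="%s"'
        % (params.realm, params.directory_password, admin_password, _hostname)
    )
    # On centos6 --selfsign was mandatory because of some annoying centos6.5
    # problems (the underlying installer uses an outdated method for the
    # dogtag system which fails); on centos7 this option does not exist, and
    # this revision no longer adds it.
    if params.install_with_dns:
        Package("ipa-server-dns")
        install_command += ' --setup-dns --domain="%s"' % params.domain
        if params.forwarders:
            for forwarder in params.forwarders:
                install_command += ' --forwarder="%s"' % forwarder
        else:
            install_command += ' --no-forwarders'

    # Exit status 4 and 127 are treated as "IPA not installed yet". Popen
    # without a shell raises OSError for a missing ipactl binary instead of
    # returning 127, so map that case onto the same code.
    try:
        p0 = subprocess.Popen(["ipactl", "status"], stdout=subprocess.PIPE)
        p0.communicate()
        ipacheck = p0.returncode
    except OSError:
        ipacheck = 127
    if ipacheck in (4, 127):
        # This is a time-consuming command, better to log the output
        Execute(install_command, logoutput=True)
        # write password file
        File("/root/admin-password",
             content=Template("admin-password.j2", admin_password=admin_password),
             mode=0o600)

    # Ensure service is started before trying to interact with it!
    # NOTE(review): indentation was lost in this listing; the service start and
    # the account bootstrap below are placed at method level (they run on every
    # call, not only after a fresh install) — confirm against the original.
    Execute('service ipa start')
    with freeipa.FreeIPA(self.admin_login, self.admin_password_file, False) as fi:
        # set the default shell
        fi.set_default_shell(params.default_shell)
        # Set the admin user shell
        fi.set_user_shell(self.admin_login, params.admin_user_shell)
        # make base accounts
        self.create_base_accounts(env, fi)
        # create initial users and groups; a plain string entry is shorthand
        # for {"username": <string>}
        if "Users" in params.initial_users_and_groups:
            for user in params.initial_users_and_groups["Users"]:
                if not isinstance(user, dict):
                    user = {"username": user}
                username = user["username"]
                # initial passwords come from configuration in clear text;
                # users without an entry are created with password=None
                password = params.initial_user_passwords.get(username)
                fi.create_user_principal(identity=username,
                                         firstname=user.get('firstname', username),
                                         lastname=user.get('lastname', 'auto_generated'),
                                         password=password)
                if "email" in user:
                    fi.set_user_email(username, user["email"])
        if "Groups" in params.initial_users_and_groups:
            groups = params.initial_users_and_groups["Groups"]
            # a {name: [members]} mapping is normalised to the list form
            if isinstance(groups, dict):
                groups = [{"name": gname, "members": members}
                          for gname, members in groups.items()]
            for group in groups:
                # NOTE(review): the module-level freeipa.create_group() is used
                # here while create_base_accounts() uses fi.create_group();
                # confirm this is intended.
                freeipa.create_group(group["name"])
                for user in group["members"]:
                    fi.group_add_member(group["name"], user)
        fi.create_sudorule('allsudo', **(params.initial_sudoers))

    # create robot admin
    self.reset_robot_admin_expire_date(env)
    # if FreeIPA server is not started properly, then the clients will not install
    self.start(env)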