def install(self, env): import params import status_params self.install_packages(env) #Be sure ca script is in cache nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')
def start(self, env, upgrade_type=None): import params import status_params nifi_toolkit_util.copy_toolkit_scripts(params.toolkit_files_dir, params.toolkit_tmp_dir, params.nifi_user, params.nifi_group, upgrade_type=None) self.configure(env) ca_server_script = nifi_toolkit_util.get_toolkit_script( 'tls-toolkit.sh', params.toolkit_tmp_dir) run_ca_script = os.path.join(params.toolkit_tmp_dir, 'run_ca.sh') Directory([params.nifi_config_dir], owner=params.nifi_user, group=params.nifi_group, create_parents=True, recursive_ownership=True) File(ca_server_script, mode=0755) File(run_ca_script, mode=0755) Execute( (run_ca_script, params.jdk64_home, ca_server_script, params.nifi_config_dir + '/nifi-certificate-authority.json', params.nifi_ca_log_file_stdout, params.nifi_ca_log_file_stderr, status_params.nifi_ca_pid_file), user=params.nifi_user) if not os.path.isfile(status_params.nifi_ca_pid_file): raise Exception('Expected pid file to exist')
def check_nifi_registry_portal_with_toolkit(url, jdk64_home, nifi_registry_dir, nifi_registry_bootstrap): Logger.info("Checking Nifi Registry portal with toolkit") tls_toolkit_script = nifi_toolkit_util.get_toolkit_script( 'tls-toolkit.sh') File(tls_toolkit_script, mode=0755) nifi_registry_props_file = nifi_registry_dir + '/conf/nifi-registry.properties' nifi_registry_props = NifiRegistryServiceCheck.convert_properties_to_dict( jdk64_home, nifi_registry_props_file, nifi_registry_bootstrap) if len(nifi_registry_props) == 0: raise Fail('Unable to read properties from {0}'.format( nifi_registry_props_file)) else: keystore = nifi_registry_props['nifi.registry.security.keystore'] keystoreType = nifi_registry_props[ 'nifi.registry.security.keystoreType'] keystorePasswd = nifi_registry_props[ 'nifi.registry.security.keystorePasswd'] keyPasswd = nifi_registry_props['nifi.registry.security.keyPasswd'] truststore = nifi_registry_props[ 'nifi.registry.security.truststore'] truststoreType = nifi_registry_props[ 'nifi.registry.security.truststoreType'] truststorePasswd = nifi_registry_props[ 'nifi.registry.security.truststorePasswd'] command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + tls_toolkit_script + ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' + keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd # Only uncomment for debugging, otherwise the passwords will get logged #Logger.info("Executing: " + command) code, out = shell.call(command, quiet=True, logoutput=False) if code > 0: raise Fail( "Call to tls-toolkit encountered error: {0}".format(out)) else: if out.find('Error communicating with') > -1: raise Fail( "Error connecting to NiFi Registry: {0}".format(out))
def check_nifi_portal_with_toolkit(urls, jdk64_home, nifi_dir, nifi_bootstrap): node_manager_script = nifi_toolkit_util.get_toolkit_script( 'node-manager.sh') File(node_manager_script, mode=0755) command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + node_manager_script + ' -d ' + nifi_dir + ' -b ' + nifi_bootstrap + ' -o status -u "' + ','.join( urls) + '"' code, out = shell.call(command, quiet=True, logoutput=False) if code > 0: raise Fail( "Call to admin-toolkit encountered error: {0}".format(out)) else: if out.find('did not complete due to exception') > -1: raise Fail( "Error connecting to one or more nifi nodes: {0}".format( out))
def convert_properties_to_dict(jdk64_home, nifi_registry_props_file, nifi_registry_bootstrap): dict = {} if sudo.path_isfile(nifi_registry_props_file): encrypt_tool_script = nifi_toolkit_util.get_toolkit_script( 'encrypt-config.sh') File(encrypt_tool_script, mode=0755) command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + encrypt_tool_script + ' --nifiRegistry --decrypt -r ' + nifi_registry_props_file + ' -b ' + nifi_registry_bootstrap code, out = shell.call(command, quiet=True, logoutput=False) lines = out.split('\n') for line in lines: props = line.rstrip().split('=') if len(props) == 2: dict[props[0]] = props[1] elif len(props) == 1: dict[props[0]] = '' return dict
def encrypt_sensitive_properties(self, config_version_file, current_version, nifi_config_dir, jdk64_home, nifi_user, nifi_group, master_key_password, nifi_flow_config_dir, nifi_sensitive_props_key, is_starting): Logger.info("Encrypting NiFi sensitive configuration properties") encrypt_config_script = nifi_toolkit_util.get_toolkit_script('encrypt-config.sh') encrypt_config_script_prefix = ('JAVA_HOME=' + jdk64_home, encrypt_config_script) File(encrypt_config_script, mode=0755) if is_starting: last_master_key_password = None last_config_version = nifi_toolkit_util.get_config_version(config_version_file, 'encrypt') encrypt_config_script_params = ('-v', '-b', nifi_config_dir + '/bootstrap.conf') encrypt_config_script_params = encrypt_config_script_params + ('-n', nifi_config_dir + '/nifi.properties') if sudo.path_isfile(nifi_flow_config_dir + '/flow.xml.gz') and len( sudo.read_file(nifi_flow_config_dir + '/flow.xml.gz')) > 0: encrypt_config_script_params = encrypt_config_script_params + ( '-f', nifi_flow_config_dir + '/flow.xml.gz', '-s', PasswordString(nifi_sensitive_props_key)) if nifi_toolkit_util.contains_providers(nifi_config_dir + '/login-identity-providers.xml'): encrypt_config_script_params = encrypt_config_script_params + ( '-l', nifi_config_dir + '/login-identity-providers.xml') if last_config_version: last_config = nifi_toolkit_util.get_config_by_version('/var/lib/ambari-agent/data', 'nifi-ambari-config', last_config_version) last_master_key_password = last_config['configurations']['nifi-ambari-config'][ 'nifi.security.encrypt.configuration.password'] if last_master_key_password and last_master_key_password != master_key_password: encrypt_config_script_params = encrypt_config_script_params + ( '-m', '-w', PasswordString(last_master_key_password)) encrypt_config_script_params = encrypt_config_script_params + ('-p', PasswordString(master_key_password)) encrypt_config_script_prefix = encrypt_config_script_prefix + encrypt_config_script_params Execute(encrypt_config_script_prefix, user=nifi_user, logoutput=False) nifi_toolkit_util.save_config_version(config_version_file, 'encrypt', current_version, nifi_user, nifi_group)
def run_toolkit_client(self, ca_client_dict, nifi_config_dir, jdk64_home, nifi_user, nifi_group, no_client_file=False): Logger.info("Generating NiFi Keystore and Truststore") ca_client_script = nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh') File(ca_client_script, mode=0755) if no_client_file: cert_command = 'echo \'' + json.dumps( ca_client_dict) + '\' | ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -f /dev/stdout --configJsonIn /dev/stdin' code, out = shell.call(cert_command, quiet=True, logoutput=False) if code > 0: raise Fail("Call to tls-toolkit encountered error: {0}".format(out)) else: json_out = out[out.index('{'):len(out)] updated_properties = json.loads(json_out) shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['keyStore']], sudo=True) shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['trustStore']], sudo=True) else: ca_client_json = os.path.realpath(os.path.join(nifi_config_dir, 'nifi-certificate-authority-client.json')) nifi_toolkit_util.dump(ca_client_json, ca_client_dict, nifi_user, nifi_group) Execute('JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -F -f ' + ca_client_json, user=nifi_user) updated_properties = nifi_toolkit_util.load(ca_client_json) return updated_properties
def install(self, env): install_nifi() # Be sure ca script is in cache nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')