def invalidate_ca_server(self, env):
import params
ca_json = os.path.join(params.nifi_config_dir,
'nifi-certificate-authority.json')
nifi_toolkit_util.move_store(nifi_toolkit_util.load(ca_json),
'keyStore')
unlink(ca_json)
def configure(self, env):
import params
import status_params
env.set_params(params)
env.set_params(status_params)
#create the log, pid, conf dirs if not already present
Directory([
status_params.nifi_pid_dir, params.nifi_node_log_dir,
params.nifi_config_dir
],
owner=params.nifi_user,
group=params.nifi_group,
create_parents=True)
ca_json = os.path.join(params.nifi_config_dir,
'nifi-certificate-authority.json')
ca_dict = nifi_toolkit_util.load(ca_json)
nifi_toolkit_util.overlay(ca_dict, params.nifi_ca_config)
nifi_toolkit_util.dump(ca_json, ca_dict, params.nifi_user,
params.nifi_group)
Directory([params.nifi_config_dir],
owner=params.nifi_user,
group=params.nifi_group,
create_parents=True,
recursive_ownership=True)
def setup_keystore_truststore(self, is_starting, params, config_version_file):
if is_starting:
# check against last version to determine if key/trust has changed
last_config_version = nifi_toolkit_util.get_config_version(config_version_file, 'ssl')
last_config = nifi_toolkit_util.get_config_by_version('/var/lib/ambari-agent/data',
'nifi-ambari-ssl-config', last_config_version)
ca_client_dict = nifi_toolkit_util.get_nifi_ca_client_dict(last_config, params)
using_client_json = len(ca_client_dict) == 0 and sudo.path_isfile(
params.nifi_config_dir + '/nifi-certificate-authority-client.json')
if using_client_json:
ca_client_dict = nifi_toolkit_util.load(
params.nifi_config_dir + '/nifi-certificate-authority-client.json')
changed_keystore_truststore = nifi_toolkit_util.changed_keystore_truststore(ca_client_dict,
params.nifi_ca_client_config,
using_client_json) if not len(
ca_client_dict) == 0 else True
if params.nifi_toolkit_tls_regenerate:
nifi_toolkit_util.move_keystore_truststore(ca_client_dict)
ca_client_dict = {}
elif changed_keystore_truststore:
nifi_toolkit_util.move_keystore_truststore(ca_client_dict)
if changed_keystore_truststore or params.nifi_toolkit_tls_regenerate:
nifi_toolkit_util.overlay(ca_client_dict, params.nifi_ca_client_config)
updated_properties = self.run_toolkit_client(ca_client_dict, params.nifi_config_dir, params.jdk64_home,
params.nifi_user, params.nifi_group,
params.stack_support_toolkit_update)
nifi_toolkit_util.update_nifi_properties(updated_properties, params.nifi_properties)
nifi_toolkit_util.save_config_version(config_version_file, 'ssl', params.nifi_ambari_ssl_config_version,
params.nifi_user, params.nifi_group)
elif using_client_json:
nifi_toolkit_util.save_config_version(config_version_file, 'ssl', params.nifi_ambari_ssl_config_version,
params.nifi_user, params.nifi_group)
old_nifi_properties = nifi_toolkit_util.convert_properties_to_dict(
params.nifi_config_dir + '/nifi.properties')
return nifi_toolkit_util.populate_ssl_properties(old_nifi_properties, params.nifi_properties, params)
else:
return params.nifi_properties
def run_toolkit_client(self, ca_client_dict, nifi_config_dir, jdk64_home, nifi_user, nifi_group,
no_client_file=False):
Logger.info("Generating NiFi Keystore and Truststore")
ca_client_script = nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')
File(ca_client_script, mode=0755)
if no_client_file:
cert_command = 'echo \'' + json.dumps(
ca_client_dict) + '\' | ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -f /dev/stdout --configJsonIn /dev/stdin'
code, out = shell.call(cert_command, quiet=True, logoutput=False)
if code > 0:
raise Fail("Call to tls-toolkit encountered error: {0}".format(out))
else:
json_out = out[out.index('{'):len(out)]
updated_properties = json.loads(json_out)
shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['keyStore']], sudo=True)
shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['trustStore']], sudo=True)
else:
ca_client_json = os.path.realpath(os.path.join(nifi_config_dir, 'nifi-certificate-authority-client.json'))
nifi_toolkit_util.dump(ca_client_json, ca_client_dict, nifi_user, nifi_group)
Execute('JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -F -f ' + ca_client_json,
user=nifi_user)
updated_properties = nifi_toolkit_util.load(ca_client_json)
return updated_properties