def _store_password_property(self, properties, property_name): properties.process_pair(property_name, store_password_file(self.database_password, JDBC_PASSWORD_FILENAME)) if self.isSecure: encrypted_password = encrypt_password(JDBC_RCA_PASSWORD_ALIAS, self.database_password) if encrypted_password != self.database_password: properties.process_pair(property_name, encrypted_password)
def _store_password_property(self, properties, property_name): properties.process_pair(property_name, store_password_file(self.database_password, JDBC_PASSWORD_FILENAME)) if self.isSecure: encrypted_password = encrypt_password(JDBC_RCA_PASSWORD_ALIAS, self.database_password) if encrypted_password != self.database_password: properties.process_pair(property_name, encrypted_password)
def populate_sso_public_cert(options, properties): if not options.sso_public_cert_file: cert_path = properties.get_property(JWT_PUBLIC_KEY) cert_string = get_multi_line_input( "Public Certificate pem ({0})".format( 'stored' if cert_path else 'empty')) store_new_cert = False if cert_string is not None: store_new_cert = True if store_new_cert: full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER cert_path = store_password_file(full_cert, JWT_PUBLIC_KEY_FILENAME) else: cert_path = options.sso_public_cert_file properties.process_pair(JWT_PUBLIC_KEY, cert_path)
def _store_db_auth_config(self, properties, keys, options): if (self.use_windows_authentication): properties.process_pair(keys.integrated_auth_key, "True") properties.removeProp(keys.password_key) else: properties.process_pair(keys.integrated_auth_key, "False") properties.process_pair(keys.user_name_key, self.database_username) if self.isSecure: encrypted_password = encrypt_password(keys.password_alias, self.database_password, options) if self.database_password != encrypted_password: properties.process_pair(keys.password_key, encrypted_password) else: passwordFile = store_password_file(self.database_password, keys.password_filename) properties.process_pair(keys.password_key, passwordFile)
def _store_db_auth_config(self, properties, keys): if (self.use_windows_authentication): properties.process_pair(keys.integrated_auth_key, "True") properties.removeProp(keys.password_key) else: properties.process_pair(keys.integrated_auth_key, "False") properties.process_pair(keys.user_name_key, self.database_username) if self.isSecure: encrypted_password = encrypt_password(keys.password_alias, self.database_password) if self.database_password != encrypted_password: properties.process_pair(keys.password_key, encrypted_password) else: passwordFile = store_password_file(self.database_password, keys.password_filename) properties.process_pair(keys.password_key, passwordFile)
def setup_sso(args): logger.info("Setup SSO.") if not is_root(): err = 'ambari-server setup-sso should be run with ' \ 'root-level privileges' raise FatalException(4, err) if not get_silent(): properties = get_ambari_properties() must_setup_params = False store_new_cert = False sso_enabled = properties.get_property(JWT_AUTH_ENBABLED).lower() in [ 'true' ] if sso_enabled: if get_YN_input( "Do you want to disable SSO authentication [y/n] (n)?", False): properties.process_pair(JWT_AUTH_ENBABLED, "false") else: if get_YN_input( "Do you want to configure SSO authentication [y/n] (y)?", True): properties.process_pair(JWT_AUTH_ENBABLED, "true") must_setup_params = True else: return False if must_setup_params: provider_url = get_value_from_properties( properties, JWT_AUTH_PROVIDER_URL, JWT_AUTH_PROVIDER_URL_DEFAULT) provider_url = get_validated_string_input( "Provider URL [URL] ({0}):".format(provider_url), provider_url, REGEX_ANYTHING, "Invalid provider URL", False) properties.process_pair(JWT_AUTH_PROVIDER_URL, provider_url) cert_path = properties.get_property(JWT_PUBLIC_KEY) cert_string = get_multi_line_input( "Public Certificate pem ({0})".format( 'stored' if cert_path else 'empty')) if cert_string is not None: store_new_cert = True if get_YN_input( "Do you want to configure advanced properties [y/n] (n) ?", False): cookie_name = get_value_from_properties( properties, JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT) cookie_name = get_validated_string_input( "JWT Cookie name ({0}):".format(cookie_name), cookie_name, REGEX_ANYTHING, "Invalid cookie name", False) properties.process_pair(JWT_COOKIE_NAME, cookie_name) audiences = properties.get_property(JWT_AUDIENCES) audiences = get_validated_string_input( "JWT audiences list (comma-separated), empty for any ({0}):" .format(audiences), audiences, REGEX_ANYTHING, "Invalid value", False) properties.process_pair(JWT_AUDIENCES, audiences) # TODO not required for now as we support Knox only # orig_query_param = get_value_from_properties(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT) # orig_query_param = get_validated_string_input("Original URL query parameter name ({}):".format(orig_query_param), # orig_query_param, # REGEX_ANYTHING, # "Invalid value", # False) # properties.process_pair(JWT_ORIGINAL_URL_QUERY_PARAM, orig_query_param) if store_new_cert: full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER cert_path = store_password_file(full_cert, JWT_PUBLIC_KEY_FILENAME) properties.process_pair(JWT_PUBLIC_KEY, cert_path) update_properties(properties) pass else: warning = "setup-sso is not enabled in silent mode." raise NonFatalException(warning) pass
def setup_ldap(): if not is_root(): err = 'Ambari-server setup-ldap should be run with ' \ 'root-level privileges' raise FatalException(4, err) properties = get_ambari_properties() isSecure = get_is_secure(properties) ldap_property_list_reqd = init_ldap_properties_list_reqd(properties) ldap_property_list_opt = ["authentication.ldap.managerDn", LDAP_MGR_PASSWORD_PROPERTY, SSL_TRUSTSTORE_TYPE_PROPERTY, SSL_TRUSTSTORE_PATH_PROPERTY, SSL_TRUSTSTORE_PASSWORD_PROPERTY] ldap_property_list_truststore=[SSL_TRUSTSTORE_TYPE_PROPERTY, SSL_TRUSTSTORE_PATH_PROPERTY, SSL_TRUSTSTORE_PASSWORD_PROPERTY] ldap_property_list_passwords=[LDAP_MGR_PASSWORD_PROPERTY, SSL_TRUSTSTORE_PASSWORD_PROPERTY] LDAP_MGR_DN_DEFAULT = get_value_from_properties(properties, ldap_property_list_opt[0]) SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks") SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY) ldap_property_value_map = {} for ldap_prop in ldap_property_list_reqd: input = get_validated_string_input(ldap_prop.ldap_prop_val_prompt, ldap_prop.ldap_prop_name, ldap_prop.prompt_regex, "Invalid characters in the input!", False, ldap_prop.allow_empty_prompt) if input is not None and input != "": ldap_property_value_map[ldap_prop.prop_name] = input bindAnonymously = ldap_property_value_map["authentication.ldap.bindAnonymously"] anonymous = (bindAnonymously and bindAnonymously.lower() == 'true') mgr_password = None # Ask for manager credentials only if bindAnonymously is false if not anonymous: username = get_validated_string_input("Manager DN* {0}: ".format( get_prompt_default(LDAP_MGR_DN_DEFAULT)), LDAP_MGR_DN_DEFAULT, ".*", "Invalid characters in the input!", False, False) ldap_property_value_map[LDAP_MGR_USERNAME_PROPERTY] = username mgr_password = configure_ldap_password() ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = mgr_password useSSL = ldap_property_value_map["authentication.ldap.useSSL"] ldaps = (useSSL and useSSL.lower() == 'true') ts_password = None if ldaps: truststore_default = "n" truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT) if truststore_set: truststore_default = "y" custom_trust_store = get_YN_input("Do you want to provide custom TrustStore for Ambari [y/n] ({0})?". format(truststore_default), truststore_set) if custom_trust_store: ts_type = get_validated_string_input( "TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)), SSL_TRUSTSTORE_TYPE_DEFAULT, "^(jks|jceks|pkcs12)?$", "Wrong type", False) ts_path = None while True: ts_path = get_validated_string_input( "Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)), SSL_TRUSTSTORE_PATH_DEFAULT, ".*", False, False) if os.path.exists(ts_path): break else: print 'File not found.' ts_password = read_password("", ".*", "Password for TrustStore:", "Invalid characters in password") ldap_property_value_map[SSL_TRUSTSTORE_TYPE_PROPERTY] = ts_type ldap_property_value_map[SSL_TRUSTSTORE_PATH_PROPERTY] = ts_path ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = ts_password pass else: properties.removeOldProp(SSL_TRUSTSTORE_TYPE_PROPERTY) properties.removeOldProp(SSL_TRUSTSTORE_PATH_PROPERTY) properties.removeOldProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY) pass pass print '=' * 20 print 'Review Settings' print '=' * 20 for property in ldap_property_list_reqd: if property in ldap_property_value_map: print("%s: %s" % (property, ldap_property_value_map[property])) for property in ldap_property_list_opt: if ldap_property_value_map.has_key(property): if property not in ldap_property_list_passwords: print("%s: %s" % (property, ldap_property_value_map[property])) else: print("%s: %s" % (property, BLIND_PASSWORD)) save_settings = get_YN_input("Save settings [y/n] (y)? ", True) if save_settings: ldap_property_value_map[CLIENT_SECURITY_KEY] = 'ldap' if isSecure: if mgr_password: encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password) if mgr_password != encrypted_passwd: ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd pass if ts_password: encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password) if ts_password != encrypted_passwd: ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd pass pass # Persisting values ldap_property_value_map[IS_LDAP_CONFIGURED] = "true" if mgr_password: ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME) update_properties_2(properties, ldap_property_value_map) print 'Saving...done' return 0
def setup_ldap(options): logger.info("Setup LDAP.") properties = get_ambari_properties() server_status, pid = is_server_runing() if not server_status: err = 'Ambari Server is not running.' raise FatalException(1, err) current_client_security = get_value_from_properties(properties,CLIENT_SECURITY,"no auth method") if current_client_security != 'ldap': query = "Currently '" + current_client_security + "' is configured, do you wish to use LDAP instead [y/n] (n)? " if get_YN_input(query, False): pass else: err = "Currently '" + current_client_security + "' configured. Can not setup LDAP." raise FatalException(1, err) isSecure = get_is_secure(properties) ldap_property_list_reqd = init_ldap_properties_list_reqd(properties, options) ldap_property_list_opt = [LDAP_MGR_USERNAME_PROPERTY, LDAP_MGR_PASSWORD_PROPERTY, SSL_TRUSTSTORE_TYPE_PROPERTY, SSL_TRUSTSTORE_PATH_PROPERTY, SSL_TRUSTSTORE_PASSWORD_PROPERTY] ldap_property_list_passwords=[LDAP_MGR_PASSWORD_PROPERTY, SSL_TRUSTSTORE_PASSWORD_PROPERTY] LDAP_MGR_DN_DEFAULT = None SSL_TRUSTSTORE_TYPE_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_TYPE_PROPERTY, "jks") SSL_TRUSTSTORE_PATH_DEFAULT = get_value_from_properties(properties, SSL_TRUSTSTORE_PATH_PROPERTY) ldap_property_value_map = {} for ldap_prop in ldap_property_list_reqd: input = get_validated_string_input(ldap_prop.ldap_prop_val_prompt, ldap_prop.ldap_prop_name, ldap_prop.prompt_regex, "Invalid characters in the input!", False, ldap_prop.allow_empty_prompt, answer = ldap_prop.option) if input is not None and input != "": ldap_property_value_map[ldap_prop.prop_name] = input bindAnonymously = ldap_property_value_map[LDAP_ANONYMOUS_BIND] anonymous = (bindAnonymously and bindAnonymously.lower() == 'true') mgr_password = None # Ask for manager credentials only if bindAnonymously is false if not anonymous: username = get_validated_string_input("Manager DN* {0}: ".format( get_prompt_default(LDAP_MGR_DN_DEFAULT)), LDAP_MGR_DN_DEFAULT, ".*", "Invalid characters in the input!", False, False, answer = options.ldap_manager_dn) ldap_property_value_map[LDAP_MGR_USERNAME_PROPERTY] = username mgr_password = configure_ldap_password(options) ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = mgr_password useSSL = ldap_property_value_map[LDAP_USE_SSL] ldaps = (useSSL and useSSL.lower() == 'true') ts_password = None if ldaps: truststore_default = "n" truststore_set = bool(SSL_TRUSTSTORE_PATH_DEFAULT) if truststore_set: truststore_default = "y" custom_trust_store = True if options.trust_store_path is not None and options.trust_store_path else False if not custom_trust_store: custom_trust_store = get_YN_input("Do you want to provide custom TrustStore for Ambari [y/n] ({0})?". format(truststore_default), truststore_set) if custom_trust_store: ts_type = get_validated_string_input("TrustStore type [jks/jceks/pkcs12] {0}:".format(get_prompt_default(SSL_TRUSTSTORE_TYPE_DEFAULT)), SSL_TRUSTSTORE_TYPE_DEFAULT, "^(jks|jceks|pkcs12)?$", "Wrong type", False, answer=options.trust_store_type) ts_path = None while True: ts_path = get_validated_string_input("Path to TrustStore file {0}:".format(get_prompt_default(SSL_TRUSTSTORE_PATH_DEFAULT)), SSL_TRUSTSTORE_PATH_DEFAULT, ".*", False, False, answer = options.trust_store_path) if os.path.exists(ts_path): break else: print 'File not found.' hasAnswer = options.trust_store_path is not None and options.trust_store_path quit_if_has_answer(hasAnswer) ts_password = read_password("", ".*", "Password for TrustStore:", "Invalid characters in password", options.trust_store_password) ldap_property_value_map[SSL_TRUSTSTORE_TYPE_PROPERTY] = ts_type ldap_property_value_map[SSL_TRUSTSTORE_PATH_PROPERTY] = ts_path ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = ts_password pass elif properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY): print 'The TrustStore is already configured: ' print ' ' + SSL_TRUSTSTORE_TYPE_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_TYPE_PROPERTY) print ' ' + SSL_TRUSTSTORE_PATH_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_PATH_PROPERTY) print ' ' + SSL_TRUSTSTORE_PASSWORD_PROPERTY + ' = ' + properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY) if get_YN_input("Do you want to remove these properties [y/n] (y)? ", True, options.trust_store_reconfigure): properties.removeOldProp(SSL_TRUSTSTORE_TYPE_PROPERTY) properties.removeOldProp(SSL_TRUSTSTORE_PATH_PROPERTY) properties.removeOldProp(SSL_TRUSTSTORE_PASSWORD_PROPERTY) pass pass print '=' * 20 print 'Review Settings' print '=' * 20 for property in ldap_property_list_reqd: if ldap_property_value_map.has_key(property): print("%s: %s" % (property, ldap_property_value_map[property])) for property in ldap_property_list_opt: if ldap_property_value_map.has_key(property): if property not in ldap_property_list_passwords: print("%s: %s" % (property, ldap_property_value_map[property])) else: print("%s: %s" % (property, BLIND_PASSWORD)) save_settings = True if options.ldap_save_settings is not None else get_YN_input("Save settings [y/n] (y)? ", True) if save_settings: if isSecure: if mgr_password: encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options) if mgr_password != encrypted_passwd: ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = encrypted_passwd pass if ts_password: encrypted_passwd = encrypt_password(SSL_TRUSTSTORE_PASSWORD_ALIAS, ts_password, options) if ts_password != encrypted_passwd: ldap_property_value_map[SSL_TRUSTSTORE_PASSWORD_PROPERTY] = encrypted_passwd pass pass # Persisting values if mgr_password: ldap_property_value_map[LDAP_MGR_PASSWORD_PROPERTY] = store_password_file(mgr_password, LDAP_MGR_PASSWORD_FILENAME) print 'Saving LDAP properties...' ldap_property_value_map[IS_LDAP_CONFIGURED] = "true" #Saving LDAP configuration in Ambari DB using the REST API update_ldap_configuration(properties, ldap_property_value_map) #The only property we want to write out in Ambari.properties is the client.security type being LDAP ldap_property_value_map.clear() ldap_property_value_map[CLIENT_SECURITY] = 'ldap' update_properties_2(properties, ldap_property_value_map) print 'Saving LDAP properties finished' return 0