def install(self, env):
import params
import status_params
self.install_packages(env)
#Be sure ca script is in cache
nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')
def start(self, env, upgrade_type=None):
import params
import status_params
nifi_toolkit_util.copy_toolkit_scripts(params.toolkit_files_dir,
params.toolkit_tmp_dir,
params.nifi_user,
params.nifi_group,
upgrade_type=None)
self.configure(env)
ca_server_script = nifi_toolkit_util.get_toolkit_script(
'tls-toolkit.sh', params.toolkit_tmp_dir)
run_ca_script = os.path.join(params.toolkit_tmp_dir, 'run_ca.sh')
Directory([params.nifi_config_dir],
owner=params.nifi_user,
group=params.nifi_group,
create_parents=True,
recursive_ownership=True)
File(ca_server_script, mode=0755)
File(run_ca_script, mode=0755)
Execute(
(run_ca_script, params.jdk64_home, ca_server_script,
params.nifi_config_dir + '/nifi-certificate-authority.json',
params.nifi_ca_log_file_stdout, params.nifi_ca_log_file_stderr,
status_params.nifi_ca_pid_file),
user=params.nifi_user)
if not os.path.isfile(status_params.nifi_ca_pid_file):
raise Exception('Expected pid file to exist')
def check_nifi_registry_portal_with_toolkit(url, jdk64_home,
nifi_registry_dir,
nifi_registry_bootstrap):
Logger.info("Checking Nifi Registry portal with toolkit")
tls_toolkit_script = nifi_toolkit_util.get_toolkit_script(
'tls-toolkit.sh')
File(tls_toolkit_script, mode=0755)
nifi_registry_props_file = nifi_registry_dir + '/conf/nifi-registry.properties'
nifi_registry_props = NifiRegistryServiceCheck.convert_properties_to_dict(
jdk64_home, nifi_registry_props_file, nifi_registry_bootstrap)
if len(nifi_registry_props) == 0:
raise Fail('Unable to read properties from {0}'.format(
nifi_registry_props_file))
else:
keystore = nifi_registry_props['nifi.registry.security.keystore']
keystoreType = nifi_registry_props[
'nifi.registry.security.keystoreType']
keystorePasswd = nifi_registry_props[
'nifi.registry.security.keystorePasswd']
keyPasswd = nifi_registry_props['nifi.registry.security.keyPasswd']
truststore = nifi_registry_props[
'nifi.registry.security.truststore']
truststoreType = nifi_registry_props[
'nifi.registry.security.truststoreType']
truststorePasswd = nifi_registry_props[
'nifi.registry.security.truststorePasswd']
command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + tls_toolkit_script + ' status -u ' + url + ' -ks ' + keystore + ' -kst ' + keystoreType + ' -ksp ' + keystorePasswd + ' -kp ' + keyPasswd + ' -ts ' + truststore + ' -tst ' + truststoreType + ' -tsp ' + truststorePasswd
# Only uncomment for debugging, otherwise the passwords will get logged
#Logger.info("Executing: " + command)
code, out = shell.call(command, quiet=True, logoutput=False)
if code > 0:
raise Fail(
"Call to tls-toolkit encountered error: {0}".format(out))
else:
if out.find('Error communicating with') > -1:
raise Fail(
"Error connecting to NiFi Registry: {0}".format(out))
def check_nifi_portal_with_toolkit(urls, jdk64_home, nifi_dir,
nifi_bootstrap):
node_manager_script = nifi_toolkit_util.get_toolkit_script(
'node-manager.sh')
File(node_manager_script, mode=0755)
command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + node_manager_script + ' -d ' + nifi_dir + ' -b ' + nifi_bootstrap + ' -o status -u "' + ','.join(
urls) + '"'
code, out = shell.call(command, quiet=True, logoutput=False)
if code > 0:
raise Fail(
"Call to admin-toolkit encountered error: {0}".format(out))
else:
if out.find('did not complete due to exception') > -1:
raise Fail(
"Error connecting to one or more nifi nodes: {0}".format(
out))
def convert_properties_to_dict(jdk64_home, nifi_registry_props_file,
nifi_registry_bootstrap):
dict = {}
if sudo.path_isfile(nifi_registry_props_file):
encrypt_tool_script = nifi_toolkit_util.get_toolkit_script(
'encrypt-config.sh')
File(encrypt_tool_script, mode=0755)
command = 'ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + encrypt_tool_script + ' --nifiRegistry --decrypt -r ' + nifi_registry_props_file + ' -b ' + nifi_registry_bootstrap
code, out = shell.call(command, quiet=True, logoutput=False)
lines = out.split('\n')
for line in lines:
props = line.rstrip().split('=')
if len(props) == 2:
dict[props[0]] = props[1]
elif len(props) == 1:
dict[props[0]] = ''
return dict
def encrypt_sensitive_properties(self, config_version_file, current_version, nifi_config_dir, jdk64_home, nifi_user,
nifi_group, master_key_password, nifi_flow_config_dir, nifi_sensitive_props_key,
is_starting):
Logger.info("Encrypting NiFi sensitive configuration properties")
encrypt_config_script = nifi_toolkit_util.get_toolkit_script('encrypt-config.sh')
encrypt_config_script_prefix = ('JAVA_HOME=' + jdk64_home, encrypt_config_script)
File(encrypt_config_script, mode=0755)
if is_starting:
last_master_key_password = None
last_config_version = nifi_toolkit_util.get_config_version(config_version_file, 'encrypt')
encrypt_config_script_params = ('-v', '-b', nifi_config_dir + '/bootstrap.conf')
encrypt_config_script_params = encrypt_config_script_params + ('-n', nifi_config_dir + '/nifi.properties')
if sudo.path_isfile(nifi_flow_config_dir + '/flow.xml.gz') and len(
sudo.read_file(nifi_flow_config_dir + '/flow.xml.gz')) > 0:
encrypt_config_script_params = encrypt_config_script_params + (
'-f', nifi_flow_config_dir + '/flow.xml.gz', '-s', PasswordString(nifi_sensitive_props_key))
if nifi_toolkit_util.contains_providers(nifi_config_dir + '/login-identity-providers.xml'):
encrypt_config_script_params = encrypt_config_script_params + (
'-l', nifi_config_dir + '/login-identity-providers.xml')
if last_config_version:
last_config = nifi_toolkit_util.get_config_by_version('/var/lib/ambari-agent/data',
'nifi-ambari-config', last_config_version)
last_master_key_password = last_config['configurations']['nifi-ambari-config'][
'nifi.security.encrypt.configuration.password']
if last_master_key_password and last_master_key_password != master_key_password:
encrypt_config_script_params = encrypt_config_script_params + (
'-m', '-w', PasswordString(last_master_key_password))
encrypt_config_script_params = encrypt_config_script_params + ('-p', PasswordString(master_key_password))
encrypt_config_script_prefix = encrypt_config_script_prefix + encrypt_config_script_params
Execute(encrypt_config_script_prefix, user=nifi_user, logoutput=False)
nifi_toolkit_util.save_config_version(config_version_file, 'encrypt', current_version, nifi_user,
nifi_group)
def run_toolkit_client(self, ca_client_dict, nifi_config_dir, jdk64_home, nifi_user, nifi_group,
no_client_file=False):
Logger.info("Generating NiFi Keystore and Truststore")
ca_client_script = nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')
File(ca_client_script, mode=0755)
if no_client_file:
cert_command = 'echo \'' + json.dumps(
ca_client_dict) + '\' | ambari-sudo.sh JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -f /dev/stdout --configJsonIn /dev/stdin'
code, out = shell.call(cert_command, quiet=True, logoutput=False)
if code > 0:
raise Fail("Call to tls-toolkit encountered error: {0}".format(out))
else:
json_out = out[out.index('{'):len(out)]
updated_properties = json.loads(json_out)
shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['keyStore']], sudo=True)
shell.call(['chown', nifi_user + ':' + nifi_group, updated_properties['trustStore']], sudo=True)
else:
ca_client_json = os.path.realpath(os.path.join(nifi_config_dir, 'nifi-certificate-authority-client.json'))
nifi_toolkit_util.dump(ca_client_json, ca_client_dict, nifi_user, nifi_group)
Execute('JAVA_HOME=' + jdk64_home + ' ' + ca_client_script + ' client -F -f ' + ca_client_json,
user=nifi_user)
updated_properties = nifi_toolkit_util.load(ca_client_json)
return updated_properties
def install(self, env):
install_nifi()
# Be sure ca script is in cache
nifi_toolkit_util.get_toolkit_script('tls-toolkit.sh')