def setup_master_key(): if not is_root(): err = 'Ambari-server setup should be run with ' \ 'root-level privileges' raise FatalException(4, err) properties = get_ambari_properties() if properties == -1: raise FatalException(1, "Failed to read properties file.") db_windows_auth_prop = properties.get_property(JDBC_USE_INTEGRATED_AUTH_PROPERTY) db_sql_auth = False if db_windows_auth_prop and db_windows_auth_prop.lower() == 'true' else True db_password = properties.get_property(JDBC_PASSWORD_PROPERTY) # Encrypt passwords cannot be called before setup if db_sql_auth and not db_password: print 'Please call "setup" before "encrypt-passwords". Exiting...' return 1 # Check configuration for location of master key isSecure = get_is_secure(properties) (isPersisted, masterKeyFile) = get_is_persisted(properties) # Read clear text DB password from file if db_sql_auth and not is_alias_string(db_password) and os.path.isfile(db_password): with open(db_password, 'r') as passwdfile: db_password = passwdfile.read() ldap_password = properties.get_property(LDAP_MGR_PASSWORD_PROPERTY) if ldap_password: # Read clear text LDAP password from file if not is_alias_string(ldap_password) and os.path.isfile(ldap_password): with open(ldap_password, 'r') as passwdfile: ldap_password = passwdfile.read() ts_password = properties.get_property(SSL_TRUSTSTORE_PASSWORD_PROPERTY) resetKey = False masterKey = None if isSecure: print "Password encryption is enabled." resetKey = get_YN_input("Do you want to reset Master Key? [y/n] (n): ", False) # For encrypting of only unencrypted passwords without resetting the key ask # for master key if not persisted. if isSecure and not isPersisted and not resetKey: print "Master Key not persisted." masterKey = get_original_master_key(properties) pass # Make sure both passwords are clear-text if master key is lost if resetKey: if not isPersisted: print "Master Key not persisted." masterKey = get_original_master_key(properties) # Unable get the right master key or skipped question <enter> if not masterKey: print "To disable encryption, do the following:" print "- Edit " + find_properties_file() + \ " and set " + SECURITY_IS_ENCRYPTION_ENABLED + " = " + "false." err = "{0} is already encrypted. Please call {1} to store unencrypted" \ " password and call 'encrypt-passwords' again." if db_sql_auth and db_password and is_alias_string(db_password): print err.format('- Database password', "'" + SETUP_ACTION + "'") if ldap_password and is_alias_string(ldap_password): print err.format('- LDAP manager password', "'" + LDAP_SETUP_ACTION + "'") if ts_password and is_alias_string(ts_password): print err.format('TrustStore password', "'" + LDAP_SETUP_ACTION + "'") return 1 pass pass pass # Read back any encrypted passwords if db_sql_auth and db_password and is_alias_string(db_password): db_password = read_passwd_for_alias(JDBC_RCA_PASSWORD_ALIAS, masterKey) if ldap_password and is_alias_string(ldap_password): ldap_password = read_passwd_for_alias(LDAP_MGR_PASSWORD_ALIAS, masterKey) if ts_password and is_alias_string(ts_password): ts_password = read_passwd_for_alias(SSL_TRUSTSTORE_PASSWORD_ALIAS, masterKey) # Read master key, if non-secure or reset is true if resetKey or not isSecure: masterKey = read_master_key(resetKey) persist = get_YN_input("Do you want to persist master key. If you choose " \ "not to persist, you need to provide the Master " \ "Key while starting the ambari server as an env " \ "variable named " + SECURITY_KEY_ENV_VAR_NAME + \ " or the start will prompt for the master key." " Persist [y/n] (y)? ", True) if persist: save_master_key(masterKey, get_master_key_location(properties) + os.sep + SECURITY_MASTER_KEY_FILENAME, persist) elif not persist and masterKeyFile: try: os.remove(masterKeyFile) print_info_msg("Deleting master key file at location: " + str( masterKeyFile)) except Exception, e: print 'ERROR: Could not remove master key file. %s' % e # Blow up the credential store made with previous key, if any store_file = get_credential_store_location(properties) if os.path.exists(store_file): try: os.remove(store_file) except: print_warning_msg("Failed to remove credential store file.") pass pass
if not os.path.exists(bootstrap_dir): try: os.makedirs(bootstrap_dir) except Exception, ex: print_warning_msg("Failed recreating the bootstrap directory: {0}".format(str(ex))) pass else: print_warning_msg("Bootstrap directory lingering around after 5s. Unable to complete the cleanup.") pass # Add master key and credential store if exists keyLocation = get_master_key_location(properties) masterKeyFile = search_file(SECURITY_MASTER_KEY_FILENAME, keyLocation) if masterKeyFile: configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((masterKeyFile, configDefaults.MASTER_KEY_FILE_PERMISSIONS, "{0}", False)) credStoreFile = get_credential_store_location(properties) if os.path.exists(credStoreFile): configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((credStoreFile, configDefaults.CREDENTIALS_STORE_FILE_PERMISSIONS, "{0}", False)) trust_store_location = properties[SSL_TRUSTSTORE_PATH_PROPERTY] if trust_store_location: configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((trust_store_location, configDefaults.TRUST_STORE_LOCATION_PERMISSIONS, "{0}", False)) # Update JDK and JCE permissions resources_dir = get_resources_location(properties) jdk_file_name = properties.get_property(JDK_NAME_PROPERTY) jce_file_name = properties.get_property(JCE_NAME_PROPERTY) java_home = properties.get_property(JAVA_HOME_PROPERTY) if jdk_file_name: jdk_file_path = os.path.abspath(os.path.join(resources_dir, jdk_file_name)) if(os.path.exists(jdk_file_path)): configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((jdk_file_path, "644", "{0}", False))