Updated Branches: refs/heads/trunk 22b35866e -> 048ce9271
AMBARI-3252. Setup the krb5 Jaas configuration using ambari-server setup-security. (swagle) Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/048ce927 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/048ce927 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/048ce927 Branch: refs/heads/trunk Commit: 048ce92712402f780a4ff4f92fe14094cbbdbd48 Parents: 22b3586 Author: Siddharth Wagle <[email protected]> Authored: Tue Sep 17 10:16:10 2013 -0700 Committer: Siddharth Wagle <[email protected]> Committed: Tue Sep 17 10:16:10 2013 -0700 ---------------------------------------------------------------------- ambari-server/sbin/ambari-server | 19 +---- ambari-server/src/main/python/ambari-server.py | 75 +++++++++++++++--- .../src/test/python/TestAmbariServer.py | 82 +++++++++++++++----- 3 files changed, 134 insertions(+), 42 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/048ce927/ambari-server/sbin/ambari-server ---------------------------------------------------------------------- diff --git a/ambari-server/sbin/ambari-server b/ambari-server/sbin/ambari-server index 6de9c67..6489f9f 100644 --- a/ambari-server/sbin/ambari-server +++ b/ambari-server/sbin/ambari-server 
@@ -116,24 +116,13 @@ case "$1" in echo -e "Setting up LDAP properties..." $PYTHON /usr/sbin/ambari-server.py $@ ;; - encrypt-passwords) - echo -e "Setting up password encryption..." - $PYTHON /usr/sbin/ambari-server.py $@ - ;; - setup-https) - echo -e "Setting up HTTPS properties..." - $PYTHON /usr/sbin/ambari-server.py $@ - ;; - setup-ganglia-https) - echo -e "Setting up HTTPS properties for Ganglia..." - $PYTHON /usr/sbin/ambari-server.py $@ - ;; - setup-nagios-https) - echo -e "Setting up HTTPS properties for Nagios..." + setup-security) + echo -e "Security setup options..." $PYTHON /usr/sbin/ambari-server.py $@ ;; *) - echo "Usage: /usr/sbin/ambari-server {start|stop|restart|setup|upgrade|status|upgradestack|setup-ldap|setup-https|setup-ganglia-https|setup-nagios-https|encrypt-passwords} [options]" + echo "Usage: /usr/sbin/ambari-server + {start|stop|restart|setup|upgrade|status|upgradestack|setup-ldap|setup-security} [options]" exit 1 esac http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/048ce927/ambari-server/src/main/python/ambari-server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py index 7301826..72cf3fe 100755 --- a/ambari-server/src/main/python/ambari-server.py +++ b/ambari-server/src/main/python/ambari-server.py @@ -61,8 +61,10 @@ LDAP_SETUP_ACTION = "setup-ldap" SETUP_GANGLIA_HTTPS_ACTION = "setup-ganglia-https" SETUP_NAGIOS_HTTPS_ACTION = "setup-nagios-https" ENCRYPT_PASSWORDS_ACTION = "encrypt-passwords" +SETUP_SECURITY_ACTION = "setup-security" -ACTION_REQUIRE_RESTART = [RESET_ACTION, UPGRADE_ACTION, UPGRADE_STACK_ACTION, SETUP_HTTPS_ACTION, LDAP_SETUP_ACTION] +ACTION_REQUIRE_RESTART = [RESET_ACTION, UPGRADE_ACTION, UPGRADE_STACK_ACTION, + SETUP_HTTPS_ACTION, LDAP_SETUP_ACTION] # selinux commands GET_SE_LINUX_ST_CMD = "/usr/sbin/sestatus" 
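Review bot: The `encrypt-passwords`, `setup-https`, `setup-ganglia-https` and `setup-nagios-https` cases are dropped with no alias or deprecation message, so any provisioning script that still calls them now falls through to the usage branch and exits 1; the `main()` hunk in ambari-server.py removes the matching Python branches the same way. Since the replacement is an interactive menu, consider keeping the old cases for one release and printing a pointer, for example `echo "encrypt-passwords has moved to: ambari-server setup-security"`, so that automated password encryption and HTTPS setup fail with a clear message instead of a generic usage error. The new usage string is also split across two lines inside the quotes, so the help text prints with an embedded newline and the continuation line's indentation; keeping it on one line avoids that. The `case` statement begins and ends outside the hunk.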
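Review bot: `SETUP_SECURITY_ACTION` is not added to `ACTION_REQUIRE_RESTART`, although option 1 of the new menu calls `setup_https` and returns its `need_restart` value. The code in `main()` that consumes `need_restart` is outside this diff, but the list's name and the removed `test_main_test_setup_https` (which expected the running-server check only when `setup_https` returned True) suggest the restart notice is gated on this list. If so, enabling HTTPS through `setup-security` no longer tells the operator that a restart is needed, and the server keeps running with the old settings. Consider `ACTION_REQUIRE_RESTART = [RESET_ACTION, UPGRADE_ACTION, UPGRADE_STACK_ACTION, SETUP_HTTPS_ACTION, LDAP_SETUP_ACTION, SETUP_SECURITY_ACTION]`.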
@@ -178,6 +180,7 @@ SECURITY_KEY_IS_PERSISTED = "security.master.key.ispersisted" SECURITY_KEY_ENV_VAR_NAME = "AMBARI_SECURITY_MASTER_KEY" SECURITY_MASTER_KEY_FILENAME = "master" SECURITY_IS_ENCRYPTION_ENABLED = "security.passwords.encryption.enabled" +SECURITY_KERBEROS_JASS_FILENAME = "krb5JAASLogin.conf" SSL_KEY_DIR = 'security.server.keys_dir' SSL_API_PORT = 'client.api.ssl.port' 
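Review bot: The new constant is spelled `SECURITY_KERBEROS_JASS_FILENAME`, while the file it names and the function that uses it (`setup_ambari_krb5_jaas`) both say JAAS. Renaming it to `SECURITY_KERBEROS_JAAS_FILENAME` here and at its use in `setup_ambari_krb5_jaas` keeps the name greppable before other code starts depending on the misspelling.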
@@ -3596,6 +3599,66 @@ def get_fqdn(): except Exception, e: return socket.getfqdn() + +def is_valid_filepath(filepath): + if not filepath or not os.path.exists(filepath): + print 'Invalid path, please provide the absolute file path.' + return False + else: + return True + +def setup_ambari_krb5_jaas(): + jaas_conf_file = search_file(SECURITY_KERBEROS_JASS_FILENAME, get_conf_dir()) + if os.path.exists(jaas_conf_file): + print 'Setting up Ambari kerberos JAAS configuration to access ' +\ + 'secured Hadoop daemons...' + principal = get_validated_string_input('Enter ambari server\'s kerberos ' + 'principal name: ', '[email protected]', '.*', '', False, + False) + keytab = get_validated_string_input('Enter keytab path for ambari ' + 'server\'s kerberos principal: ', + '/etc/security/keytabs/ambari.keytab', '.*', False, False, + validatorFunction = is_valid_filepath) + + for line in fileinput.FileInput(jaas_conf_file, inplace=1): + line = re.sub('keyTab=.*$', 'keyTab="' + keytab + '"', line) + line = re.sub('principal=.*$', 'principal="' + principal + '"', line) + print line, + + else: + raise NonFatalException('No jaas config file found at location: ' + + jaas_conf_file) + +def setup_security(args): + need_restart = True + #Print menu options + print '=' * 75 + print 'Choose one of the following options: ' + print ' [1] Enable HTTPS for Ambari server.' + print ' [2] Enable HTTPS for Ganglia service.' + print ' [3] Enable HTTPS for Nagios service.' + print ' [4] Encrypt passwords stored in ambari.properties file.' + print ' [5] Setup Ambari kerberos JAAS configuration.' 
+ print '=' * 75 + choice = get_validated_string_input('Enter choice, (1-5): ', '0', '[1-5]', + 'Invalid choice', False, False) + + if choice == '1': + need_restart = setup_https(args) + elif choice == '2': + setup_component_https("Ganglia", "setup-ganglia-https", GANGLIA_HTTPS, + "ganglia_cert") + elif choice == '3': + setup_component_https("Nagios", "setup-nagios-https", NAGIOS_HTTPS, + "nagios_cert") + elif choice == '4': + setup_master_key() + elif choice == '5': + setup_ambari_krb5_jaas() + else: + raise FatalException('Unknown option for setup-security command.') + + return need_restart # # Main. # @@ -3749,16 +3812,10 @@ def main(): upgrade_stack(options, stack_id) elif action == LDAP_SETUP_ACTION: setup_ldap() - elif action == ENCRYPT_PASSWORDS_ACTION: - setup_master_key() elif action == UPDATE_METAINFO_ACTION: update_metainfo(options) - elif action == SETUP_HTTPS_ACTION: - need_restart = setup_https(options) - elif action == SETUP_GANGLIA_HTTPS_ACTION: - setup_component_https("Ganglia", "setup-ganglia-https", GANGLIA_HTTPS, "ganglia_cert") - elif action == SETUP_NAGIOS_HTTPS_ACTION: - setup_component_https("Nagios", "setup-nagios-https", NAGIOS_HTTPS, "nagios_cert") + elif action == SETUP_SECURITY_ACTION: + need_restart = setup_security(options) else: parser.error("Invalid action") http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/048ce927/ambari-server/src/test/python/TestAmbariServer.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/TestAmbariServer.py b/ambari-server/src/test/python/TestAmbariServer.py index b62252c..fdf4e07 100644 --- a/ambari-server/src/test/python/TestAmbariServer.py +++ b/ambari-server/src/test/python/TestAmbariServer.py 
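Review bot: In `setup_ambari_krb5_jaas` the principal and keytab answers are accepted with the pattern `'.*'` and then concatenated into both the `re.sub` replacement string and a double-quoted JAAS value. A backslash in either answer is interpreted by `re.sub` as a replacement escape (an error or an altered value), and a `"` ends the quoted value early so the rest of the answer is read as further login-module options. Pass the replacement as a callable, `line = re.sub('keyTab=.*$', lambda m: 'keyTab="' + keytab + '"', line)` (same for `principal=`), and reject quotes, backslashes and line breaks before the file is rewritten. `is_valid_filepath` also only tests `os.path.exists`, so a directory or a relative path passes despite the message; since the keytab is a credential, checking `os.path.isabs(filepath) and os.path.isfile(filepath)` is the minimum here, and warning when the file is readable by group or others would be a useful addition. The keytab prompt also passes one positional argument fewer than the principal prompt (`'.*', False, False` versus `'.*', '', False, False`), which looks like a dropped description string; the helper's signature is outside this diff, so please confirm.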
@@ -202,36 +202,82 @@ class TestAmbariServer(TestCase): pass - @patch.object(ambari_server, 'is_server_runing') - @patch.object(ambari_server, 'setup_https') - @patch.object(ambari_server, 'setup') - @patch.object(ambari_server, 'start') - @patch.object(ambari_server, 'stop') - @patch.object(ambari_server, 'reset') + @patch.object(ambari_server, 'setup_security') @patch('optparse.OptionParser') - def test_main_test_setup_https(self, OptionParserMock, reset_method, stop_method, - start_method, setup_method, setup_https_method, is_server_runing_method): + def test_main_test_setup_security(self, OptionParserMock, + setup_security_method): opm = OptionParserMock.return_value options = MagicMock() - args = ["setup-https"] + args = ["setup-security"] opm.parse_args.return_value = (options, args) - setup_https_method.return_value = False - is_server_runing_method.return_value = (False, None) - options.database = None options.sid_or_sname = "sid" + setup_security_method.return_value = None + ambari_server.main() - self.assertTrue(setup_https_method.called) - self.assertEqual(is_server_runing_method.call_count, 0) - is_server_runing_method.reset() - setup_https_method.return_value = True ambari_server.main() - self.assertTrue(setup_https_method.called) - self.assertEqual(is_server_runing_method.call_count, 1) + self.assertTrue(setup_security_method.called) self.assertFalse(False, ambari_server.VERBOSE) self.assertFalse(False, ambari_server.SILENT) + @patch.object(ambari_server, 'setup_ambari_krb5_jaas') + @patch.object(ambari_server, 'setup_master_key') + @patch.object(ambari_server, 'setup_component_https') + @patch.object(ambari_server, 'setup_https') + @patch.object(ambari_server, 'get_validated_string_input') + def test_setup_security(self, get_validated_string_input_mock, setup_https, + setup_component_https, setup_master_key, + setup_ambari_krb5_jaas): + + args = {} + get_validated_string_input_mock.return_value = '1' + ambari_server.setup_security(args) + 
self.assertTrue(setup_https.called) + + get_validated_string_input_mock.return_value = '2' + ambari_server.setup_security(args) + self.assertTrue(setup_component_https.called) + setup_component_https.assert_called_with("Ganglia", "setup-ganglia-https", + ambari_server.GANGLIA_HTTPS, "ganglia_cert") + + get_validated_string_input_mock.return_value = '3' + ambari_server.setup_security(args) + self.assertTrue(setup_component_https.called) + setup_component_https.assert_called_with("Nagios", "setup-nagios-https", + ambari_server.NAGIOS_HTTPS, "nagios_cert") + + get_validated_string_input_mock.return_value = '4' + ambari_server.setup_security(args) + self.assertTrue(setup_master_key.called) + + get_validated_string_input_mock.return_value = '5' + ambari_server.setup_security(args) + self.assertTrue(setup_ambari_krb5_jaas.called) + + + @patch('re.sub') + @patch('fileinput.FileInput') + @patch.object(ambari_server, 'get_validated_string_input') + @patch.object(ambari_server, 'search_file') + @patch('os.path.exists') + def test_setup_ambari_krb5_jaas(self, exists_mock, search_mock, + get_validated_string_input_mock, + fileinput_mock, re_sub_mock): + exists_mock.return_value = True + search_mock.return_value = 'filepath' + get_validated_string_input_mock.side_effect = ['[email protected]', + 'pathtokeytab'] + + fileinput_mock.return_value = [ 'keyTab=xyz', 'principal=xyz' ] + + ambari_server.setup_ambari_krb5_jaas() + + self.assertTrue(fileinput_mock.called) + self.assertTrue(re_sub_mock.called) + self.assertTrue(re_sub_mock.call_args_list, [('[email protected]'), + ('pathtokeytab')]) + @patch.object(ambari_server, 'setup') @patch.object(ambari_server, 'start') @patch.object(ambari_server, 'stop')
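Review bot: In `test_setup_ambari_krb5_jaas` the last check is `self.assertTrue(re_sub_mock.call_args_list, [...])`, which treats the list as the failure message and passes whenever `re.sub` was called at all, so the test never verifies what is written to the JAAS file. Compare the recorded arguments instead, e.g. `self.assertEqual(re_sub_mock.call_args_list[0][0][:2], ('keyTab=.*$', 'keyTab="pathtokeytab"'))`, or leave `re.sub` unpatched and assert on the printed lines. `test_main_test_setup_security` also calls `ambari_server.main()` twice in a row and no longer asserts anything about the restart path that the removed `test_main_test_setup_https` covered; a case where `setup_security` returns True would restore that coverage. The class `TestAmbariServer` starts and ends outside the hunk.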
