Repository: ambari
Updated Branches:
  refs/heads/trunk 52346faba -> 9fae285c6


AMBARI-13342. Allow access to callers with valid Knox authorization cookie. 
Additional fixes. (mpapirkovskyy)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9fae285c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9fae285c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9fae285c

Branch: refs/heads/trunk
Commit: 9fae285c60f48489ed6a521d3c2c5742092fda25
Parents: 52346fa
Author: Myroslav Papirkovskyy <[email protected]>
Authored: Fri Nov 13 14:21:06 2015 +0200
Committer: Myroslav Papirkovskyi <[email protected]>
Committed: Fri Nov 13 17:42:51 2015 +0200

----------------------------------------------------------------------
 ambari-server/sbin/ambari-server                |  6 +++-
 .../ambari/server/api/AmbariErrorHandler.java   |  3 +-
 .../src/main/python/ambari_server/setupSso.py   | 34 +++++++++++---------
 .../src/main/python/ambari_server/userInput.py  | 18 +++++++++++
 .../src/main/windows/ambari-server.ps1          |  8 ++++-
 5 files changed, 51 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/9fae285c/ambari-server/sbin/ambari-server
----------------------------------------------------------------------
diff --git a/ambari-server/sbin/ambari-server b/ambari-server/sbin/ambari-server
index c773718..0f17c0d 100755
--- a/ambari-server/sbin/ambari-server
+++ b/ambari-server/sbin/ambari-server
@@ -152,9 +152,13 @@ case "$1" in
         echo -e "Enabling stack(s)..."
         $PYTHON /usr/sbin/ambari-server.py $@
         ;;
+  setup-sso)
+        echo -e "Setting up SSO authentication properties..."
+                $PYTHON /usr/sbin/ambari-server.py $@
+                ;;
   *)
         echo "Usage: /usr/sbin/ambari-server
-        
{start|stop|restart|setup|setup-jce|upgrade|status|upgradestack|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|enable-stack}
 [options]
+        
{start|stop|restart|setup|setup-jce|upgrade|status|upgradestack|setup-ldap|sync-ldap|set-current|setup-security|setup-sso|refresh-stack-hash|backup|restore|update-host-names|enable-stack}
 [options]
         Use usr/sbin/ambari-server <action> --help to get details on options 
available.
         Or, simply invoke ambari-server.py --help to print the options."
         exit 1
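Review bot: The new `setup-sso` branch passes `$@` unquoted, so an argument containing whitespace or glob characters is re-split by the shell before it reaches ambari-server.py. `$PYTHON /usr/sbin/ambari-server.py "$@"` keeps each argument intact. The branch shown just above it in the context lines uses the same unquoted form, so the two could be fixed together. The added command and `;;` lines are also indented deeper than their siblings. The `case` statement starts and ends outside the hunk.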

http://git-wip-us.apache.org/repos/asf/ambari/blob/9fae285c/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
index 6ec3ceb..c4a80f2 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/api/AmbariErrorHandler.java
@@ -68,7 +68,8 @@ public class AmbariErrorHandler extends ErrorHandler {
       //if SSO is configured we should provide info about it in case of access 
error
       JwtAuthenticationProperties jwtProperties = 
configuration.getJwtProperties();
       if (jwtProperties != null) {
-        errorMap.put("jwtProviderUrl", 
jwtProperties.getAuthenticationProviderUrl());
+        errorMap.put("jwtProviderUrl", 
jwtProperties.getAuthenticationProviderUrl() + "?" +
+          jwtProperties.getOriginalUrlQueryParam() + "=");
       }
     }
 
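Review bot: The concatenation added to `errorMap.put("jwtProviderUrl", ...)` always joins with `"?"`, so a provider URL that already carries a query string ends up with a second `?`. If `getOriginalUrlQueryParam()` returns null, the result contains the literal text `null=`. Consider picking the separator from the URL, e.g. `String sep = url.contains("?") ? "&" : "?";`, and omitting the suffix when the parameter name is unset. The value after `=` is presumably appended by the client, so a comment such as `// caller must URL-encode the original URL before appending it` would document that contract. The enclosing method starts outside the hunk.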

http://git-wip-us.apache.org/repos/asf/ambari/blob/9fae285c/ambari-server/src/main/python/ambari_server/setupSso.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupSso.py 
b/ambari-server/src/main/python/ambari_server/setupSso.py
index a7c9108..2a5e44c 100644
--- a/ambari-server/src/main/python/ambari_server/setupSso.py
+++ b/ambari-server/src/main/python/ambari_server/setupSso.py
@@ -21,7 +21,7 @@ limitations under the License.
 from ambari_commons.os_utils import is_root, run_os_command, copy_file, 
set_file_permissions, remove_file
 from ambari_commons.exceptions import FatalException, NonFatalException
 from ambari_commons.logging_utils import get_silent, print_warning_msg, 
print_error_msg
-from ambari_server.userInput import get_validated_string_input, 
get_prompt_default, read_password, get_YN_input
+from ambari_server.userInput import get_validated_string_input, get_YN_input, 
get_multi_line_input
 
 from ambari_server.serverConfiguration import get_ambari_properties, 
get_value_from_properties, update_properties, \
   store_password_file
@@ -35,12 +35,13 @@ JWT_ORIGINAL_URL_QUERY_PARAM = 
"authentication.jwt.originalUrlParamName"
 
 JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt"
 JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl"
+JWT_AUTH_PROVIDER_URL_DEFAULT = "http://example.com";
 
 REGEX_ANYTHING = ".*"
 
-JWT_PUBLIC_KEY_FILENAME = "jwt-cert.crt"
+JWT_PUBLIC_KEY_FILENAME = "jwt-cert.pem"
 JWT_PUBLIC_KEY_HEADER = "-----BEGIN CERTIFICATE-----\n"
-JWT_PUBLIC_KEY_FOOTER = "\n-----END CERTIFICATE-----"
+JWT_PUBLIC_KEY_FOOTER = "\n-----END CERTIFICATE-----\n"
 
 
 
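Review bot: `JWT_AUTH_PROVIDER_URL_DEFAULT = "http://example.com";` gives the SSO provider URL a plain-http placeholder default. The `setup_sso` hunk further down passes it as the default to a prompt validated only by `REGEX_ANYTHING`, so accepting the default presumably stores a provider URL that is neither real nor https. I would require explicit input when no value is configured, or at least validate the scheme with a pattern such as `^https?://.+` for this prompt. The trailing `;` is a leftover and should be removed.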
@@ -53,6 +54,7 @@ def setup_sso(args):
     properties = get_ambari_properties()
 
     must_setup_params = False
+    store_new_cert = False
 
     sso_enabled = properties.get_property(JWT_AUTH_ENBABLED).lower() in 
['true']
 
@@ -61,29 +63,29 @@ def setup_sso(args):
         properties.process_pair(JWT_AUTH_ENBABLED, "false")
     else:
       if get_YN_input("Do you want to configure SSO authentication [y/n] 
(y)?", True):
+        properties.process_pair(JWT_AUTH_ENBABLED, "true")
         must_setup_params = True
       else:
         return False
 
     if must_setup_params:
-      provider_url = properties.get_property(JWT_AUTH_PROVIDER_URL)
-      provider_url = get_validated_string_input("Provider URL [URL] 
({}):".format(provider_url),
+
+      provider_url = get_value_from_properties(properties, 
JWT_AUTH_PROVIDER_URL, JWT_AUTH_PROVIDER_URL_DEFAULT)
+      provider_url = get_validated_string_input("Provider URL [URL] 
({0}):".format(provider_url),
                                                 provider_url,
                                                 REGEX_ANYTHING,
                                                 "Invalid provider URL",
                                                 False)
       properties.process_pair(JWT_AUTH_PROVIDER_URL, provider_url)
 
-      cert_string = properties.get_property(JWT_PUBLIC_KEY)
-      cert_string = get_validated_string_input("Public Certificate [BASE64] 
({}):".format('stored' if cert_string else 'empty'),
-                                               cert_string,
-                                               REGEX_ANYTHING,
-                                               "Invalid public certificae 
string",
-                                               False)
+      cert_path = properties.get_property(JWT_PUBLIC_KEY)
+      cert_string = get_multi_line_input("Public Certificate pem 
({0})".format('stored' if cert_path else 'empty'))
+      if cert_string is not None:
+          store_new_cert = True
 
       if get_YN_input("Do you want to configure advanced properties [y/n] (n) 
?", False):
         cookie_name = get_value_from_properties(properties, JWT_COOKIE_NAME, 
JWT_COOKIE_NAME_DEFAULT)
-        cookie_name = get_validated_string_input("JWT Cookie name 
({}):".format(cookie_name),
+        cookie_name = get_validated_string_input("JWT Cookie name 
({0}):".format(cookie_name),
                                                  cookie_name,
                                                  REGEX_ANYTHING,
                                                  "Invalid cookie name",
@@ -91,7 +93,7 @@ def setup_sso(args):
         properties.process_pair(JWT_COOKIE_NAME, cookie_name)
 
         audiences = properties.get_property(JWT_AUDIENCES)
-        audiences = get_validated_string_input("JWT audiences list 
(comma-separated), empty for any ({}):".format(audiences),
+        audiences = get_validated_string_input("JWT audiences list 
(comma-separated), empty for any ({0}):".format(audiences),
                                                audiences,
                                                REGEX_ANYTHING,
                                                "Invalid value",
@@ -107,8 +109,10 @@ def setup_sso(args):
         #                                               False)
         # properties.process_pair(JWT_ORIGINAL_URL_QUERY_PARAM, 
orig_query_param)
 
-      full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER
-      cert_path = store_password_file(full_cert, JWT_PUBLIC_KEY_FILENAME)
+      if store_new_cert:
+        full_cert = JWT_PUBLIC_KEY_HEADER + cert_string + JWT_PUBLIC_KEY_FOOTER
+        cert_path = store_password_file(full_cert, JWT_PUBLIC_KEY_FILENAME)
+
       properties.process_pair(JWT_PUBLIC_KEY, cert_path)
 
     update_properties(properties)
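Review bot: When nothing is pasted at the certificate prompt and no certificate was stored before, `cert_path` can still be empty at `properties.process_pair(JWT_PUBLIC_KEY, cert_path)`. An earlier hunk has already set the enabled flag to "true", so SSO can be saved as enabled with no verification key. A guard before that line, `if not cert_path:` followed by raising the already imported `FatalException` or returning False, would prevent this. Separately, the prompt now asks for a "pem", yet `JWT_PUBLIC_KEY_HEADER` and `JWT_PUBLIC_KEY_FOOTER` are still added unconditionally, so a pasted full PEM gets duplicate BEGIN/END lines; either strip existing markers from `cert_string` first or say in the prompt that only the base64 body is expected. `setup_sso` starts outside the hunk.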

http://git-wip-us.apache.org/repos/asf/ambari/blob/9fae285c/ambari-server/src/main/python/ambari_server/userInput.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/userInput.py 
b/ambari-server/src/main/python/ambari_server/userInput.py
index db08dac..247ebec 100644
--- a/ambari-server/src/main/python/ambari_server/userInput.py
+++ b/ambari-server/src/main/python/ambari_server/userInput.py
@@ -114,6 +114,24 @@ def get_validated_filepath_input(prompt, description, 
default=None):
         print description
         input = False
 
+
+def get_multi_line_input(prompt, end_line=""):
+  full_prompt = prompt
+  if end_line:
+    full_prompt += " ([{0}] to finish input):".format(end_line)
+  else:
+    full_prompt += " (empty line to finish input):".format(end_line)
+
+  print full_prompt
+  user_input = None
+  while True:
+    line = raw_input()
+    if line == end_line:  # no strip() here for purpose
+      return user_input
+    else:
+      user_input = line if user_input is None else user_input + "\n" + line
+
+
 def get_prompt_default(defaultStr=None):
   if not defaultStr or defaultStr == "":
     return ""
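Review bot: `get_multi_line_input` has no docstring, and its `raw_input()` loop has no exit on end-of-input: if stdin is closed or piped without the terminator line, `EOFError` propagates out of the setup command. Wrapping the read as `try: line = raw_input()` with `except EOFError: return user_input` would end the input cleanly. The docstring should state that the function returns None when the first line equals `end_line` and otherwise the lines joined with "\n", since `setup_sso` relies on the None case to keep the stored certificate. In the `else` branch the `.format(end_line)` call has no placeholder and can be dropped. `get_prompt_default`, shown as context below, continues outside the hunk.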

http://git-wip-us.apache.org/repos/asf/ambari/blob/9fae285c/ambari-server/src/main/windows/ambari-server.ps1
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/windows/ambari-server.ps1 
b/ambari-server/src/main/windows/ambari-server.ps1
index e50ff26..c77663f 100644
--- a/ambari-server/src/main/windows/ambari-server.ps1
+++ b/ambari-server/src/main/windows/ambari-server.ps1
@@ -311,9 +311,15 @@ switch ($($args[0])){
     _pstart $args
     echo "Refreshing stack hash finished"
   }
+  "setup-sso"
+    {
+      echo "Setting up SSO authentication for Ambari Server"
+      _pstart $args
+      echo "Ambari Server SSO authentication setup finished"
+    }
   default
   {
-    echo "Usage: ambari-server 
{start|stop|restart|setup|upgrade|status|upgradestack|setup-ldap|setup-security|refresh-stack-hash}
 [options]"
+    echo "Usage: ambari-server 
{start|stop|restart|setup|upgrade|status|upgradestack|setup-ldap|setup-security|setup-sso|refresh-stack-hash}
 [options]"
     echo "Use ambari-server <action> --help to get details on options 
available."
     echo "Or, simply invoke ambari-server.py --help to print the options."
     $retcode=1
