Christian Danner created AMBARI-24581:
-----------------------------------------

             Summary: Enable Oozie SSL config setup with hidden password
                 Key: AMBARI-24581
                 URL: https://issues.apache.org/jira/browse/AMBARI-24581
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
    Affects Versions: 2.6.2
         Environment: Ambari 2.6.2.2, HDP 2.6.5.0
            Reporter: Christian Danner


Currently it is not possible to enable Oozie SSL with all parameters being 
entered in Ambari without showing the password for the keystore in clear text 
in the oozie-env file.

Since non-admin users should be able to get on Ambari to use e.g. Ambari Views, 
users are able to see the configuration. With the keystore password in clear 
text in the oozie-env file this is not a desired approach.

Therefore I suggest three new variables in the oozie-site.xml.
{code:java}
<property>
<name>oozie.https.port</name>
<value>11443</value>
<display-name>Oozie HTTPS Port</display-name>
<description>Oozie HTTPS Port</description>
<on-ambari-upgrade add="false"/>
</property>
<property>
<name>oozie.https.keystore.file</name>
<value/>
<display-name>Oozie HTTPS Keystore</display-name>
<description>Keystore to be used for SSL</description>
<on-ambari-upgrade add="false"/>
</property>
<property>
<name>oozie.https.keystore.pass</name>
<value/>
<display-name>Oozie HTTPS Keystore Passphrase</display-name>
<property-type>PASSWORD</property-type>
<description>Passphrase to be used for the provided keystore</description>
<on-ambari-upgrade add="false"/>
</property>
{code}
The params_linux.py should be able to read those variables in.
{code:java}
oozie_https_port = config['configurations']['oozie-site']['oozie.https.port']
oozie_https_keystore_file = config['configurations']['oozie-site']['oozie.https.keystore.file']
oozie_https_keystore_pass = config['configurations']['oozie-site']['oozie.https.keystore.pass']
{code}
Finally, oozie-env.sh should be extended so that the environment variables 
are set when all three variables are set in oozie-site.xml.
{code:java}
{% if oozie_https_port and oozie_https_keystore_file and oozie_https_keystore_pass %}
# Export SSL Config
export OOZIE_HTTPS_PORT={{oozie_https_port}}
export OOZIE_HTTPS_KEYSTORE_FILE={{oozie_https_keystore_file}}
export OOZIE_HTTPS_KEYSTORE_PASS='{{oozie_https_keystore_pass}}'
{% endif %}
{code}
With this approach it is possible to hide the password within the UI of Ambari 
and also use Oozie with HTTPS enabled.
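
The template above wraps the passphrase in literal single quotes, so a passphrase that itself contains a quote would yield a broken oozie-env.sh. The following is an added example, not part of the original report and not Ambari code: plain Python stands in for the Jinja template, the function names are hypothetical, and the sample values are constructed.

```python
import shlex

SSL_KEYS = ("oozie.https.port",
            "oozie.https.keystore.file",
            "oozie.https.keystore.pass")


def render_ssl_exports(oozie_site):
    """Return the export block for oozie-env.sh, or "" unless all three are set."""
    port, keystore, passphrase = (oozie_site.get(k) for k in SSL_KEYS)
    if not (port and keystore and passphrase):
        return ""  # same condition as the {% if %} guard in the proposal
    if not str(port).isdigit() or not 0 < int(port) < 65536:
        raise ValueError("oozie.https.port must be a TCP port number")
    return "\n".join([
        "# Export SSL Config",
        "export OOZIE_HTTPS_PORT=%d" % int(port),
        # shlex.quote escapes embedded quotes and shell metacharacters
        "export OOZIE_HTTPS_KEYSTORE_FILE=%s" % shlex.quote(keystore),
        "export OOZIE_HTTPS_KEYSTORE_PASS=%s" % shlex.quote(passphrase),
    ]) + "\n"


def naive_export(passphrase):
    """What literal '...' wrapping, as in the proposed template, produces."""
    return "export OOZIE_HTTPS_KEYSTORE_PASS='%s'" % passphrase


def parse_exports(block):
    """Tokenize the block with POSIX shell quoting rules and collect the values."""
    env = {}
    for line in block.splitlines():
        if line.startswith("export "):
            name, _, value = shlex.split(line)[1].partition("=")
            env[name] = value
    return env


# Constructed sample values, not taken from any real cluster.
SAMPLE_SITE = {
    "oozie.https.port": "11443",
    "oozie.https.keystore.file": "/etc/oozie/conf/oozie.jks",
    "oozie.https.keystore.pass": "s3cr't; $HOME",
}

if __name__ == "__main__":
    print(render_ssl_exports(SAMPLE_SITE))
```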


