Repository: ambari Updated Branches: refs/heads/trunk ae1438007 -> 52d7b7ef6
AMBARI-19266. Command line support for setting configuration options to support Kerberos token authentication. (Laszlo Puskas via stoader) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/52d7b7ef Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/52d7b7ef Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/52d7b7ef Branch: refs/heads/trunk Commit: 52d7b7ef624b8866428f0b0b5f3f8f5157193350 Parents: ae14380 Author: Laszlo Puskas <lpus...@hortonworks.com> Authored: Wed Dec 21 20:28:28 2016 +0100 Committer: Toader, Sebastian <stoa...@hortonworks.com> Committed: Wed Dec 21 20:30:42 2016 +0100 ---------------------------------------------------------------------- ambari-server/sbin/ambari-server | 6 +- ambari-server/src/main/python/ambari-server.py | 14 ++- .../main/python/ambari_server/kerberos_setup.py | 99 ++++++++++++++++++++ .../main/python/ambari_server/setupActions.py | 1 + 4 files changed, 117 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/sbin/ambari-server ----------------------------------------------------------------------
diff --git a/ambari-server/sbin/ambari-server b/ambari-server/sbin/ambari-server
index 8afabb1..5f97299 100755
--- a/ambari-server/sbin/ambari-server
+++ b/ambari-server/sbin/ambari-server
@@ -196,9 +196,13 @@ case "${1:-}" in echo -e "Upgrading management pack" $PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@ ;; + setup-kerberos) + echo -e "Setting up Kerberos authentication" + $PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@ + ;; *) echo "Usage: $AMBARI_EXECUTABLE - {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack} [options] + {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack|setup-kerberos} [options] Use $AMBARI_PYTHON_EXECUTABLE <action> --help to get details on options available. Or, simply invoke ambari-server.py --help to print the options." exit 1 http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari-server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py index dff4fc3..5d4f5d7 100755 --- a/ambari-server/src/main/python/ambari-server.py +++ b/ambari-server/src/main/python/ambari-server.py 
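Review bot: The new `setup-kerberos)` branch forwards its arguments as an unquoted `$@`, so an argument containing whitespace (a keytab path given to `--kerberos-spnego-keytab-file`, say) is word-split before it reaches the Python entry point; `$PYTHON "$AMBARI_PYTHON_EXECUTABLE" "$@"` keeps each argument intact. The branch just above it in the context lines uses the same unquoted form, so this is probably best changed for all branches together. The `case` statement starts and ends outside the hunk.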
@@ -52,9 +52,10 @@ from ambari_server.setupActions import BACKUP_ACTION, LDAP_SETUP_ACTION, LDAP_SY SETUP_ACTION, SETUP_SECURITY_ACTION,START_ACTION, STATUS_ACTION, STOP_ACTION, RESTART_ACTION, UPGRADE_ACTION, \ UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, START_ACTION, STATUS_ACTION, STOP_ACTION, UPGRADE_ACTION, \ UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, ENABLE_STACK_ACTION, SETUP_SSO_ACTION, \ - DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION + DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION, KERBEROS_SETUP_ACTION from ambari_server.setupSecurity import setup_ldap, sync_ldap, setup_master_key, setup_ambari_krb5_jaas, setup_pam from ambari_server.userInput import get_validated_string_input +from ambari_server.kerberos_setup import setup_kerberos from ambari_server_main import server_process_main from ambari_server.ambariPath import AmbariPath 
@@ -587,6 +588,14 @@ def init_parser_options(parser): parser.add_option('--jaas-principal', default=None, help="Kerberos principal for ambari server", dest="jaas_principal") parser.add_option('--jaas-keytab', default=None, help="Keytab path for Kerberos principal", dest="jaas_keytab") + parser.add_option('--kerberos-setup', default=None, help="Setup Kerberos Authentication", dest="kerberos_setup") + parser.add_option('--kerberos-enabled', default=False, help="Kerberos enabled", dest="kerberos_enabled") + parser.add_option('--kerberos-spnego-principal', default="HTTP/_HOST", help="Kerberos SPNEGO principal", dest="kerberos_spnego_principal") + parser.add_option('--kerberos-spnego-keytab-file', default="/etc/security/keytabs/spnego.service.keytab", help="Kerberos SPNEGO keytab file", dest="kerberos_spnego_keytab_file") + parser.add_option('--kerberos-spnego-user-types', default="LDAP", help="User type search order (comma-delimited)", dest="kerberos_user_types") + parser.add_option('--kerberos-auth-to-local-rules', default="DEFAULT", help="Auth-to-local rules", dest="kerberos_auth_to_local_rules") + + @OsFamilyFuncImpl(OSConst.WINSRV_FAMILY) def are_cmd_line_db_args_blank(options): if (options.database_host is None \ @@ -749,7 +758,8 @@ def create_user_action_map(args, options): INSTALL_MPACK_ACTION: UserAction(install_mpack, options), UNINSTALL_MPACK_ACTION: UserAction(uninstall_mpack, options), UPGRADE_MPACK_ACTION: UserAction(upgrade_mpack, options), - PAM_SETUP_ACTION: UserAction(setup_pam) + PAM_SETUP_ACTION: UserAction(setup_pam), + KERBEROS_SETUP_ACTION: UserAction(setup_kerberos, options) } return action_map http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari_server/kerberos_setup.py ---------------------------------------------------------------------- 
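Review bot: The new `--kerberos-*` options are declared with concrete defaults (`False`, `"HTTP/_HOST"`, the keytab path, `"LDAP"`, `"DEFAULT"`), so a consumer cannot tell a value the operator supplied from one that was omitted. `--jaas-principal` and `--jaas-keytab` on the context lines use `default=None`, and the same would fit here, e.g. `parser.add_option('--kerberos-spnego-keytab-file', default=None, help="Kerberos SPNEGO keytab file", dest="kerberos_spnego_keytab_file")`. `--kerberos-enabled` defaults to the boolean `False` although optparse still stores a string for it, while kerberos_setup.py validates the setting against `"^(true|false)?$"`. In the kerberos_setup.py section of this commit the option values are only stored in `self.option` and never read, and `--kerberos-setup` has no visible reader, so as far as this page shows the flags have no effect yet. init_parser_options begins outside the hunk.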
diff --git a/ambari-server/src/main/python/ambari_server/kerberos_setup.py b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
new file mode 100644
index 0000000..74b2d3e
--- /dev/null
+++ b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
@@ -0,0 +1,99 @@ +#!/usr/bin/env python + +''' +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +''' + +import logging +import pprint + +from ambari_server.serverConfiguration import get_value_from_properties, get_ambari_properties, update_properties_2 +from ambari_server.userInput import get_prompt_default,get_validated_string_input, get_YN_input +from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl +from ambari_commons.exceptions import FatalException +from ambari_commons.os_utils import is_root + +REGEX_TRUE_FALSE = "^(true|false)?$" +REGEX_ANYTHING = ".*" + +logger = logging.getLogger(__name__) + +class KerberosPropertyTemplate: + def __init__(self, properties, i_option, i_prop_name, i_prop_val_pattern, i_prompt_regex, i_allow_empty_prompt, i_prop_name_default=None): + self.prop_name = i_prop_name + self.option = i_option + self.kerberos_prop_name = get_value_from_properties(properties, i_prop_name, i_prop_name_default) + self.kerberos_prop_val_prompt = i_prop_val_pattern.format(get_prompt_default(self.kerberos_prop_name)) + self.prompt_regex = i_prompt_regex + self.allow_empty_prompt = i_allow_empty_prompt + +@OsFamilyFuncImpl(OsFamilyImpl.DEFAULT) +def init_kerberos_properties_list(properties, options): + kerberos_properties = [ + 
KerberosPropertyTemplate(properties, options.kerberos_enabled, "authentication.kerberos.enabled", "Enable Kerberos authentication [true|false] {0}: ", + REGEX_TRUE_FALSE, False, "false"), + KerberosPropertyTemplate(properties, options.kerberos_spnego_principal, "authentication.kerberos.spnego.principal", "SPNEGO principal {0}: ", + REGEX_ANYTHING, False, "HTTP/_HOST"), + KerberosPropertyTemplate(properties, options.kerberos_spnego_keytab_file, "authentication.kerberos.spnego.keytab.file", "SPNEGO keytab file {0}: ", + REGEX_ANYTHING, False, "/etc/security/keytabs/spnego.service.keytab"), + KerberosPropertyTemplate(properties, options.kerberos_user_types, "authentication.kerberos.user.types", "User type search order [LDAP|LOCAL|JTW] {0}: ", + REGEX_ANYTHING, False, "LDAP"), + KerberosPropertyTemplate(properties, options.kerberos_auth_to_local_rules, "authentication.kerberos.auth_to_local.rules", "Auth-to-local rules {0}: ", + REGEX_ANYTHING, False, "DEFAULT") + ] + return kerberos_properties + +def setup_kerberos(options): + logger.info("Setting up Kerberos authentication...") + if not is_root(): + err = "ambari-server setup-kerberos should be run with root-level privileges" + raise FatalException(4, err) + + properties = get_ambari_properties() + kerberos_property_list_required = init_kerberos_properties_list(properties, options) + + kerberos_property_value_map = {} + for kerberos_property in kerberos_property_list_required: + input = get_validated_string_input( + kerberos_property.kerberos_prop_val_prompt, + kerberos_property.kerberos_prop_name, + kerberos_property.prompt_regex, + "Invalid characters in the input!", + False, + kerberos_property.allow_empty_prompt + ) + if input is not None and input != "": + kerberos_property_value_map[kerberos_property.prop_name] = input + + print "Properties to be updated / written into ambari properties:" + pp = pprint.PrettyPrinter() + pp.pprint(kerberos_property_value_map) + + + save = get_YN_input("Save settings [y/n] (y)? 
", True) + if save: + update_properties_2(properties, kerberos_property_value_map) + print "Kerberos authentication settings successfully saved. Please restart the server in order for the new settings to take effect." + else: + print "Kerberos authentication settings aborted." + + return 0; + + + + + http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari_server/setupActions.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/python/ambari_server/setupActions.py b/ambari-server/src/main/python/ambari_server/setupActions.py index 7ea0752..358bfc9 100644 --- a/ambari-server/src/main/python/ambari_server/setupActions.py +++ b/ambari-server/src/main/python/ambari_server/setupActions.py @@ -48,3 +48,4 @@ INSTALL_MPACK_ACTION = "install-mpack" UNINSTALL_MPACK_ACTION = "uninstall-mpack" UPGRADE_MPACK_ACTION = "upgrade-mpack" PAM_SETUP_ACTION = "setup-pam" +KERBEROS_SETUP_ACTION = "setup-kerberos"
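Review bot: setup_kerberos accepts the SPNEGO keytab path, the user-type order and the auth-to-local rules with `REGEX_ANYTHING` (`".*"`) as the only check before they are saved, so a mistyped keytab path, or one pointing at a file readable by every local user, is written without any signal to the operator. Before the "Save settings" prompt I would inspect the keytab path (absolute, existing regular file, no permission bits for others) and print the findings, and limit the user types to the values the prompt advertises; the sketch below needs `import os` and `import stat` next to the existing imports. The prompt text also lists `JTW`, which looks like a typo for `JWT`. Indentation in the sketch is assumed, because the page has lost the original whitespace.

```python
def keytab_findings(path):
  # Findings about the SPNEGO keytab path; an empty list means nothing to report.
  if not os.path.isabs(path):
    return ["keytab path is not absolute: " + path]
  if not os.path.isfile(path):
    return ["keytab file not found: " + path]
  if os.stat(path).st_mode & stat.S_IRWXO:
    return ["keytab file is accessible to users other than owner and group: " + path]
  return []

def setup_kerberos(options):
  # … unchanged: root check, prompt loop filling kerberos_property_value_map …
  keytab = kerberos_property_value_map.get("authentication.kerberos.spnego.keytab.file")
  if keytab:
    for finding in keytab_findings(keytab):
      print "WARNING: " + finding
  # … unchanged: pprint of the map, "Save settings" prompt, update_properties_2 …
```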