[ https://issues.apache.org/jira/browse/AMBARI-24646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dmitry Lysnichenko updated AMBARI-24646:
----------------------------------------
    Description: 
*STR*
Installed ambari-server and configured password encryption, but chose not to 
persist master key
{code}
[root@ctr ~]# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 2
Password encryption is enabled.
Do you want to reset Master Key? [y/n] (n): y
Master Key not persisted.
Enter current Master Key:
Enter new Master Key:
Re-enter master key:
Do you want to persist master key. If you choose not to persist, you need to provide the Master Key while starting the ambari server as an env variable named AMBARI_SECURITY_MASTER_KEY or the start will prompt for the master key. Persist [y/n] (y)? n
Adjusting ambari-server permissions and ownership...
Ambari Server 'setup-security' completed successfully.
{code}

Then export environment variable
export AMBARI_SECURITY_MASTER_KEY=hadoop

Thereafter ran the following:
*Issue #1* - Gave AttributeError after accepting the 'Save settings' prompt, 
instead of asking for master key
{code}
[root@ctr ~]# ambari-server setup-ldap -v
Using python  /usr/bin/python
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
INFO: about to run command: ps -p 5596
INFO:
process_pid=12677
Please select the type of LDAP you want to use (AD, IPA, Generic LDAP):Generic LDAP
Primary LDAP Host (ldap.ambari.apache.org): ctr
Primary LDAP Port (389):
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (false):
User object class (posixUser):
User ID attribute (uid):
Group object class (posixGroup):
Group name attribute (cn):
Group member attribute (memberUid):
Distinguished name attribute (dn):
Search Base (dc=ambari,dc=apache,dc=org): dc=apache,dc=org
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (false):
Bind DN (uid=ldapbind,cn=users,dc=ambari,dc=apache,dc=org): uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false]:
Results from LDAP are paginated when requested [true/false]:
====================
Review Settings
====================
Primary LDAP Host (ldap.ambari.apache.org):  ctr
Primary LDAP Port (389):  389
Use SSL [true/false] (false):  false
User object class (posixUser):  posixUser
User ID attribute (uid):  uid
Group object class (posixGroup):  posixGroup
Group name attribute (cn):  cn
Group member attribute (memberUid):  memberUid
Distinguished name attribute (dn):  dn
Search Base (dc=ambari,dc=apache,dc=org):  dc=apache,dc=org
Referral method [follow/ignore] (follow):  follow
Bind anonymously [true/false] (false):  false
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):  skip
ambari.ldap.connectivity.bind_dn: uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
ambari.ldap.connectivity.bind_password: *****
Save settings [y/n] (y)? y
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
Traceback (most recent call last):
File "/usr/sbin/ambari-server.py", line 1060, in <module>
mainBody()
File "/usr/sbin/ambari-server.py", line 1030, in mainBody
main(options, args, parser)
File "/usr/sbin/ambari-server.py", line 980, in main
action_obj.execute()
File "/usr/sbin/ambari-server.py", line 79, in execute
self.fn(*self.args, **self.kwargs)
File "/usr/lib/ambari-server/lib/ambari_server/setupSecurity.py", line 860, in setup_ldap
encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 858, in encrypt_password
return get_encrypted_password(alias, password, properties, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 867, in get_encrypted_password
masterKey = get_original_master_key(properties, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 1022, in get_original_master_key
if options is not None and options.master_key is not None and options.master_key:
AttributeError: Values instance has no attribute 'master_key'
[root@ctr ~]#
{code}

*Issue #2* - Kept asking for Master key on the prompt, despite giving correct 
values
{code}
[root@ctr ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
WARNING: Could not run /usr/sbin/sestatus: OK
Customize user account for ambari-server daemon [y/n] (n)?
Adjusting ambari-server permissions and ownership...
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)?
Check JDK version for Ambari Server...
JDK version found: 8
Minimum JDK version is 8 for Ambari. Skipping to setup different JDK for Ambari Server.
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)?
Configuring database...
Enter current Master Key:
Default properties detected. Using built-in database.
Enter current Master Key:
Configuring ambari database...
Checking PostgreSQL...
Configuring local database...
Configuring PostgreSQL...
Backup for pg_hba found, reconfiguration not required
Creating schema and user...
done.
Creating tables...
done.
Enter current Master Key:
Enter current Master Key:
Enter current Master Key:
{code}


*Issue #3* - Gave an incorrect master key this time and the shell kept on 
printing "ERROR: ERROR: Master key does not match." and kept scrolling the page
{code}
[root@ctr ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
WARNING: Could not run /usr/sbin/sestatus: OK
Customize user account for ambari-server daemon [y/n] (n)?
Adjusting ambari-server permissions and ownership...
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)?
Check JDK version for Ambari Server...
JDK version found: 8
Minimum JDK version is 8 for Ambari. Skipping to setup different JDK for Ambari Server.
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)?
Configuring database...
Enter current Master Key:
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
^C
Aborting ... Keyboard Interrupt.
{code}

*Note/Workaround:* The issues are seen when master key is not persisted as part 
of the initial password encryption step



  was:

*STR*
Installed ambari-server and configured password encryption, but chose not to 
persist master key
{code}
[root@ctr ~]# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 2
Password encryption is enabled.
Do you want to reset Master Key? [y/n] (n): y
Master Key not persisted.
Enter current Master Key:
Enter new Master Key:
Re-enter master key:
Do you want to persist master key. If you choose not to persist, you need to provide the Master Key while starting the ambari server as an env variable named AMBARI_SECURITY_MASTER_KEY or the start will prompt for the master key. Persist [y/n] (y)? n
Adjusting ambari-server permissions and ownership...
Ambari Server 'setup-security' completed successfully.
{code}

Then export environment variable
export AMBARI_SECURITY_MASTER_KEY=hadoop

Thereafter ran the following:
*Issue #1* - Gave AttributeError after accepting the 'Save settings' prompt, 
instead of asking for master key
{code}
[root@ctr ~]# ambari-server setup-ldap -v
Using python  /usr/bin/python
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
INFO: about to run command: ps -p 5596
INFO:
process_pid=12677
Please select the type of LDAP you want to use (AD, IPA, Generic LDAP):Generic LDAP
Primary LDAP Host (ldap.ambari.apache.org): ctr
Primary LDAP Port (389):
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (false):
User object class (posixUser):
User ID attribute (uid):
Group object class (posixGroup):
Group name attribute (cn):
Group member attribute (memberUid):
Distinguished name attribute (dn):
Search Base (dc=ambari,dc=apache,dc=org): dc=apache,dc=org
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (false):
Bind DN (uid=ldapbind,cn=users,dc=ambari,dc=apache,dc=org): uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false]:
Results from LDAP are paginated when requested [true/false]:
====================
Review Settings
====================
Primary LDAP Host (ldap.ambari.apache.org):  ctr
Primary LDAP Port (389):  389
Use SSL [true/false] (false):  false
User object class (posixUser):  posixUser
User ID attribute (uid):  uid
Group object class (posixGroup):  posixGroup
Group name attribute (cn):  cn
Group member attribute (memberUid):  memberUid
Distinguished name attribute (dn):  dn
Search Base (dc=ambari,dc=apache,dc=org):  dc=apache,dc=org
Referral method [follow/ignore] (follow):  follow
Bind anonymously [true/false] (false):  false
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):  skip
ambari.ldap.connectivity.bind_dn: uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
ambari.ldap.connectivity.bind_password: *****
Save settings [y/n] (y)? y
INFO: Loading properties from /etc/ambari-server/conf/ambari.properties
Traceback (most recent call last):
File "/usr/sbin/ambari-server.py", line 1060, in <module>
mainBody()
File "/usr/sbin/ambari-server.py", line 1030, in mainBody
main(options, args, parser)
File "/usr/sbin/ambari-server.py", line 980, in main
action_obj.execute()
File "/usr/sbin/ambari-server.py", line 79, in execute
self.fn(*self.args, **self.kwargs)
File "/usr/lib/ambari-server/lib/ambari_server/setupSecurity.py", line 860, in setup_ldap
encrypted_passwd = encrypt_password(LDAP_MGR_PASSWORD_ALIAS, mgr_password, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 858, in encrypt_password
return get_encrypted_password(alias, password, properties, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 867, in get_encrypted_password
masterKey = get_original_master_key(properties, options)
File "/usr/lib/ambari-server/lib/ambari_server/serverConfiguration.py", line 1022, in get_original_master_key
if options is not None and options.master_key is not None and options.master_key:
AttributeError: Values instance has no attribute 'master_key'
[root@ctr-e138-1518143905142-473336-01-000002 ~]#
{code}

*Issue #2* - Kept asking for Master key on the prompt, despite giving correct 
values
{code}
[root@ctr ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
WARNING: Could not run /usr/sbin/sestatus: OK
Customize user account for ambari-server daemon [y/n] (n)?
Adjusting ambari-server permissions and ownership...
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)?
Check JDK version for Ambari Server...
JDK version found: 8
Minimum JDK version is 8 for Ambari. Skipping to setup different JDK for Ambari Server.
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)?
Configuring database...
Enter current Master Key:
Default properties detected. Using built-in database.
Enter current Master Key:
Configuring ambari database...
Checking PostgreSQL...
Configuring local database...
Configuring PostgreSQL...
Backup for pg_hba found, reconfiguration not required
Creating schema and user...
done.
Creating tables...
done.
Enter current Master Key:
Enter current Master Key:
Enter current Master Key:
{code}


*Issue #3* - Gave an incorrect master key this time and the shell kept on 
printing "ERROR: ERROR: Master key does not match." and kept scrolling the page
{code}
[root@ctr ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
WARNING: Could not run /usr/sbin/sestatus: OK
Customize user account for ambari-server daemon [y/n] (n)?
Adjusting ambari-server permissions and ownership...
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)?
Check JDK version for Ambari Server...
JDK version found: 8
Minimum JDK version is 8 for Ambari. Skipping to setup different JDK for Ambari Server.
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)?
Configuring database...
Enter current Master Key:
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
ERROR: ERROR: Master key does not match.
^C
Aborting ... Keyboard Interrupt.
{code}

*Note/Workaround:* The issues are seen when master key is not persisted as part 
of the initial password encryption step




> 'ambari-server setup-ldap' fails with AttributeError when master_key is not 
> persisted
> -------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24646
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24646
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.0
>            Reporter: Dmitry Lysnichenko
>            Assignee: Dmitry Lysnichenko
>            Priority: Blocker
>             Fix For: 2.7.2



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
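
Added example, not part of the original report and not Ambari's code: the failing lookup from Issue #1 next to a defensive master-key lookup that gives up after a bounded number of attempts instead of looping as in Issues #2 and #3. build_ldap_parser, make_verifier, resolve_master_key and the retry limit of 3 are hypothetical; only AMBARI_SECURITY_MASTER_KEY, the options.master_key condition and the sample key come from the report.

```python
import getpass
import hmac
import optparse
import os

MASTER_KEY_ENV = "AMBARI_SECURITY_MASTER_KEY"  # variable named in the report
MAX_ATTEMPTS = 3  # assumption: retry limit chosen for this example


class MasterKeyError(Exception):
    """No matching master key could be obtained."""


def build_ldap_parser():
    # Constructed stand-in for a sub-command parser that never registers a
    # master-key option, so the parsed Values object lacks that attribute.
    parser = optparse.OptionParser()
    parser.add_option("-v", "--verbose", action="store_true", default=False)
    return parser


def master_key_unsafe(options):
    # Same condition as the last frame of the traceback: direct attribute
    # access raises AttributeError when the option was never defined.
    if options is not None and options.master_key is not None and options.master_key:
        return options.master_key
    return None


def make_verifier(expected):
    # Constructed check for the demo, compared in constant time.
    return lambda key: hmac.compare_digest(key.encode(), expected.encode())


def resolve_master_key(options, verify, prompt=getpass.getpass,
                       environ=None, max_attempts=MAX_ATTEMPTS):
    """Return a verified master key or raise MasterKeyError.

    Sources, in order: a master_key option if the parser defined one, the
    environment variable, then a bounded number of interactive prompts.
    """
    environ = os.environ if environ is None else environ
    supplied = getattr(options, "master_key", None) or environ.get(MASTER_KEY_ENV)
    if supplied:
        # Non-interactive source: a mismatch is final, re-asking cannot help.
        if verify(supplied):
            return supplied
        raise MasterKeyError("supplied master key does not match")
    for _ in range(max_attempts):
        entered = prompt("Enter current Master Key: ")
        if entered and verify(entered):
            return entered
    raise MasterKeyError("master key not accepted after %d attempts" % max_attempts)


if __name__ == "__main__":
    opts, _ = build_ldap_parser().parse_args(["-v"])
    try:
        master_key_unsafe(opts)
    except AttributeError as exc:
        print("unsafe lookup:", exc)
    key = resolve_master_key(opts, make_verifier("hadoop"),
                             environ={MASTER_KEY_ENV: "hadoop"})
    print("resolved from environment:", key == "hadoop")
```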
