Posted to issues@ambari.apache.org by "Christian Danner (JIRA)" <ji...@apache.org> on 2018/09/03 04:07:00 UTC

[jira] [Updated] (AMBARI-24581) Enable Oozie SSL config setup with hidden password

     [ https://issues.apache.org/jira/browse/AMBARI-24581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Danner updated AMBARI-24581:
--------------------------------------
    Description: 
Currently it is not possible to enable Oozie SSL with all parameters being entered in Ambari without showing the password for the keystore in clear text in the oozie-env file.

Since non-admin users should be able to get on Ambari to use e.g. Ambari Views, users are able to see the configuration. With the keystore password in clear text in the oozie-env file, this is not a desired approach.

Therefore I suggest three new variables in the oozie-site.xml, params_linux.py and oozie-env.xml (as template values).

In the oozie-site.xml it is possible to mask the password by using the property tag. Port and keystore path are regular text boxes.

The corresponding params_linux.py should read those variables from config and make them available for substitution.

Once available they can be used in the oozie-env content and should be already added to the oozie-env.xml for easier setup.

With this approach it is possible to hide the password within the UI of Ambari and also use Oozie with HTTPS enabled.

  was:
Currently it is not possible to enable Oozie SSL with all parameters being entered in Ambari without showing the password for the keystore in clear text in the oozie-env file.

Since non-admin users should be able to get on Ambari to use e.g. Ambari Views, users are able to see the configuration. With the keystore password in clear text in the oozie-env file, this is not a desired approach.

Therefore I suggest three new variables in the oozie-site.xml.
{code:xml}
<property>
  <name>oozie.https.port</name>
  <value>11443</value>
  <display-name>Oozie HTTPS Port</display-name>
  <description>Oozie HTTPS Port</description>
  <on-ambari-upgrade add="false"/>
</property>
<property>
  <name>oozie.https.keystore.file</name>
  <value/>
  <display-name>Oozie HTTPS Keystore</display-name>
  <description>Keystore to be used for SSL</description>
  <on-ambari-upgrade add="false"/>
</property>
<property>
  <name>oozie.https.keystore.pass</name>
  <value/>
  <display-name>Oozie HTTPS Keystore Passphrase</display-name>
  <property-type>PASSWORD</property-type>
  <description>Passphrase to be used for the provided keystore</description>
  <on-ambari-upgrade add="false"/>
</property>
{code}
The params_linux.py should be able to read those variables in.
{code:python}
oozie_https_port = config['configurations']['oozie-site']['oozie.https.port']
oozie_https_keystore_file = config['configurations']['oozie-site']['oozie.https.keystore.file']
oozie_https_keystore_pass = config['configurations']['oozie-site']['oozie.https.keystore.pass']
{code}
After all, the oozie-env.sh should have an extension so that, in case all three variables are set in oozie-site.xml, the environment variables are set.
{code}
{% if oozie_https_port and oozie_https_keystore_file and oozie_https_keystore_pass %}
# Export SSL Config
export OOZIE_HTTPS_PORT={{oozie_https_port}}
export OOZIE_HTTPS_KEYSTORE_FILE={{oozie_https_keystore_file}}
export OOZIE_HTTPS_KEYSTORE_PASS='{{oozie_https_keystore_pass}}'
{% endif %}
{code}
With this approach it is possible to hide the password within the UI of Ambari and also use Oozie with HTTPS enabled.


> Enable Oozie SSL config setup with hidden password
> --------------------------------------------------
>
>                 Key: AMBARI-24581
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24581
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-server
>    Affects Versions: 2.6.2
>         Environment: Ambari 2.6.2.2
> HDP 2.6.5.0
>            Reporter: Christian Danner
>            Priority: Minor
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
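
The oozie-env template in the earlier description wraps the passphrase in literal single quotes. The following is an added example, not code from the issue or from Ambari: it renders the same three export lines with and without shell quoting and reads the passphrase back through `sh`. It is written for Python 3 (`shlex.quote`), uses `str.format` as a stand-in for the Jinja substitution, and the function names and sample values are constructed for illustration.

```python
import shlex
import subprocess

KEYS = ("oozie_https_port", "oozie_https_keystore_file", "oozie_https_keystore_pass")

# Constructed sample values, not taken from any real cluster.
BASE = {"oozie_https_port": "11443", "oozie_https_keystore_file": "/etc/oozie/conf/oozie.jks"}
SILENT = dict(BASE, oozie_https_keystore_pass="a'b'c")    # renders, but the value changes
BROKEN = dict(BASE, oozie_https_keystore_pass="s3cr'et")  # renders invalid shell


def render_naive(params):
    """Stand-in for the template as proposed: passphrase wrapped in literal quotes."""
    if not all(params.get(k) for k in KEYS):
        return ""  # mirrors the {% if ... %} guard: nothing is exported
    return (
        "export OOZIE_HTTPS_PORT={oozie_https_port}\n"
        "export OOZIE_HTTPS_KEYSTORE_FILE={oozie_https_keystore_file}\n"
        "export OOZIE_HTTPS_KEYSTORE_PASS='{oozie_https_keystore_pass}'\n"
    ).format(**params)


def render_quoted(params):
    """Same export lines, but every value is shell-quoted before substitution."""
    if not all(params.get(k) for k in KEYS):
        return ""
    quoted = {k: shlex.quote(str(params[k])) for k in KEYS}
    return (
        "export OOZIE_HTTPS_PORT={oozie_https_port}\n"
        "export OOZIE_HTTPS_KEYSTORE_FILE={oozie_https_keystore_file}\n"
        "export OOZIE_HTTPS_KEYSTORE_PASS={oozie_https_keystore_pass}\n"
    ).format(**quoted)


def read_back(snippet, name="OOZIE_HTTPS_KEYSTORE_PASS"):
    """Run the snippet in sh; return the variable's value, or None if sh rejects it."""
    script = snippet + 'printf %s "$' + name + '"\n'
    proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    for label, params in (("silent", SILENT), ("broken", BROKEN)):
        print(label, "naive :", repr(read_back(render_naive(params))))
        print(label, "quoted:", repr(read_back(render_quoted(params))))
```

With the template as proposed, the rendered oozie-env.sh still contains the passphrase even though the Ambari UI masks it, so the permissions on that file remain relevant.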