Posted to commits@ambari.apache.org by st...@apache.org on 2016/12/21 19:29:17 UTC

ambari git commit: AMBARI-19266. Command line support for setting configuration options to support Kerberos token authentication. (Laszlo Puskas via stoader)

Repository: ambari
Updated Branches:
  refs/heads/branch-2.5 585c2b877 -> f652f61e7


AMBARI-19266. Command line support for setting configuration options to support Kerberos token authentication. (Laszlo Puskas via stoader)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/f652f61e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/f652f61e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/f652f61e

Branch: refs/heads/branch-2.5
Commit: f652f61e7bcd2eebe651d8cf96266d2b362bb578
Parents: 585c2b8
Author: Laszlo Puskas <lp...@hortonworks.com>
Authored: Wed Dec 21 20:28:28 2016 +0100
Committer: Toader, Sebastian <st...@hortonworks.com>
Committed: Wed Dec 21 20:29:00 2016 +0100

----------------------------------------------------------------------
 ambari-server/sbin/ambari-server                |  6 +-
 ambari-server/src/main/python/ambari-server.py  | 14 ++-
 .../main/python/ambari_server/kerberos_setup.py | 99 ++++++++++++++++++++
 .../main/python/ambari_server/setupActions.py   |  1 +
 4 files changed, 117 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/f652f61e/ambari-server/sbin/ambari-server
----------------------------------------------------------------------
diff --git a/ambari-server/sbin/ambari-server b/ambari-server/sbin/ambari-server
index e0faf99..b63f128 100755
--- a/ambari-server/sbin/ambari-server
+++ b/ambari-server/sbin/ambari-server
@@ -189,9 +189,13 @@ case "${1:-}" in
         echo -e "Upgrading management pack"
         $PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@
         ;;
+  setup-kerberos)
+        echo -e "Setting up Kerberos authentication"
+        $PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@
+        ;;
   *)
         echo "Usage: $AMBARI_EXECUTABLE
-        {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack} [options]
+        {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack|setup-kerberos} [options]
         Use $AMBARI_PYTHON_EXECUTABLE <action> --help to get details on options available.
         Or, simply invoke ambari-server.py --help to print the options."
         exit 1
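Review bot: The new `setup-kerberos)` branch forwards the arguments as an unquoted `$@`, so the shell word-splits and glob-expands every value before Python sees it. The sibling branch visible above does the same, but it matters more here because `--kerberos-auth-to-local-rules` values normally contain spaces, `[`, `]` and `*`, and a mangled rule set ends up in the authentication configuration. The line should read `$PYTHON "$AMBARI_PYTHON_EXECUTABLE" "$@"`. The enclosing `case` statement starts and ends outside this hunk.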

http://git-wip-us.apache.org/repos/asf/ambari/blob/f652f61e/ambari-server/src/main/python/ambari-server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index 64962d3..845a9f6 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -52,9 +52,10 @@ from ambari_server.setupActions import BACKUP_ACTION, LDAP_SETUP_ACTION, LDAP_SY
   SETUP_ACTION, SETUP_SECURITY_ACTION,START_ACTION, STATUS_ACTION, STOP_ACTION, RESTART_ACTION, UPGRADE_ACTION, \
   UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, START_ACTION, STATUS_ACTION, STOP_ACTION, UPGRADE_ACTION, \
   UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, ENABLE_STACK_ACTION, SETUP_SSO_ACTION, \
-  DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION
+  DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION, KERBEROS_SETUP_ACTION
 from ambari_server.setupSecurity import setup_ldap, sync_ldap, setup_master_key, setup_ambari_krb5_jaas, setup_pam
 from ambari_server.userInput import get_validated_string_input
+from ambari_server.kerberos_setup import setup_kerberos
 
 from ambari_server_main import server_process_main
 from ambari_server.ambariPath import AmbariPath
@@ -584,6 +585,14 @@ def init_parser_options(parser):
   parser.add_option('--jaas-principal', default=None, help="Kerberos principal for ambari server", dest="jaas_principal")
   parser.add_option('--jaas-keytab', default=None, help="Keytab path for Kerberos principal", dest="jaas_keytab")
 
+  parser.add_option('--kerberos-setup', default=None, help="Setup Kerberos Authentication", dest="kerberos_setup")
+  parser.add_option('--kerberos-enabled', default=False, help="Kerberos enabled", dest="kerberos_enabled")
+  parser.add_option('--kerberos-spnego-principal', default="HTTP/_HOST", help="Kerberos SPNEGO principal", dest="kerberos_spnego_principal")
+  parser.add_option('--kerberos-spnego-keytab-file', default="/etc/security/keytabs/spnego.service.keytab", help="Kerberos SPNEGO keytab file", dest="kerberos_spnego_keytab_file")
+  parser.add_option('--kerberos-spnego-user-types', default="LDAP", help="User type search order (comma-delimited)", dest="kerberos_user_types")
+  parser.add_option('--kerberos-auth-to-local-rules', default="DEFAULT", help="Auth-to-local rules", dest="kerberos_auth_to_local_rules")
+
+
 @OsFamilyFuncImpl(OSConst.WINSRV_FAMILY)
 def are_cmd_line_db_args_blank(options):
   if (options.database_host is None \
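Review bot: The non-None defaults on the five new value options make it impossible to tell an option the operator passed from one that was omitted, and they duplicate the fallback values that kerberos_setup.py already hands to `get_value_from_properties`. If these options are ever applied directly, an omitted `--kerberos-spnego-keytab-file` would silently replace a value already stored in ambari.properties with the built-in default. `--kerberos-enabled` also defaults to the boolean `False`, while the prompt in kerberos_setup.py validates the strings `true`/`false`. I would use `default=None` throughout, e.g. `parser.add_option('--kerberos-enabled', default=None, help="Kerberos enabled [true|false]", dest="kerberos_enabled")`, and document or drop `--kerberos-setup`, which nothing in the visible hunks reads. `init_parser_options` begins outside this hunk.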
@@ -746,7 +755,8 @@ def create_user_action_map(args, options):
         INSTALL_MPACK_ACTION: UserAction(install_mpack, options),
         UNINSTALL_MPACK_ACTION: UserAction(uninstall_mpack, options),
         UPGRADE_MPACK_ACTION: UserAction(upgrade_mpack, options),
-        PAM_SETUP_ACTION: UserAction(setup_pam)
+        PAM_SETUP_ACTION: UserAction(setup_pam),
+        KERBEROS_SETUP_ACTION: UserAction(setup_kerberos, options)
       }
   return action_map
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/f652f61e/ambari-server/src/main/python/ambari_server/kerberos_setup.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/kerberos_setup.py b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
new file mode 100644
index 0000000..74b2d3e
--- /dev/null
+++ b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+import logging
+import pprint
+
+from ambari_server.serverConfiguration import get_value_from_properties, get_ambari_properties, update_properties_2
+from ambari_server.userInput import get_prompt_default,get_validated_string_input, get_YN_input
+from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl
+from ambari_commons.exceptions import FatalException
+from ambari_commons.os_utils import is_root
+
+REGEX_TRUE_FALSE = "^(true|false)?$"
+REGEX_ANYTHING = ".*"
+
+logger = logging.getLogger(__name__)
+
+class KerberosPropertyTemplate:
+    def __init__(self, properties, i_option, i_prop_name, i_prop_val_pattern, i_prompt_regex, i_allow_empty_prompt, i_prop_name_default=None):
+        self.prop_name = i_prop_name
+        self.option = i_option
+        self.kerberos_prop_name = get_value_from_properties(properties, i_prop_name, i_prop_name_default)
+        self.kerberos_prop_val_prompt = i_prop_val_pattern.format(get_prompt_default(self.kerberos_prop_name))
+        self.prompt_regex = i_prompt_regex
+        self.allow_empty_prompt = i_allow_empty_prompt
+
+@OsFamilyFuncImpl(OsFamilyImpl.DEFAULT)
+def init_kerberos_properties_list(properties, options):
+    kerberos_properties = [
+        KerberosPropertyTemplate(properties, options.kerberos_enabled, "authentication.kerberos.enabled", "Enable Kerberos authentication [true|false] {0}: ",
+                                 REGEX_TRUE_FALSE, False, "false"),
+        KerberosPropertyTemplate(properties, options.kerberos_spnego_principal, "authentication.kerberos.spnego.principal", "SPNEGO principal {0}: ",
+                                 REGEX_ANYTHING, False, "HTTP/_HOST"),
+        KerberosPropertyTemplate(properties, options.kerberos_spnego_keytab_file, "authentication.kerberos.spnego.keytab.file", "SPNEGO keytab file {0}: ",
+                                 REGEX_ANYTHING, False, "/etc/security/keytabs/spnego.service.keytab"),
+        KerberosPropertyTemplate(properties, options.kerberos_user_types, "authentication.kerberos.user.types", "User type search order [LDAP|LOCAL|JTW] {0}: ",
+                                 REGEX_ANYTHING, False, "LDAP"),
+        KerberosPropertyTemplate(properties, options.kerberos_auth_to_local_rules, "authentication.kerberos.auth_to_local.rules", "Auth-to-local rules {0}: ",
+                                 REGEX_ANYTHING, False, "DEFAULT")
+    ]
+    return kerberos_properties
+
+def setup_kerberos(options):
+    logger.info("Setting up Kerberos authentication...")
+    if not is_root():
+        err = "ambari-server setup-kerberos should be run with root-level privileges"
+        raise FatalException(4, err)
+
+    properties = get_ambari_properties()
+    kerberos_property_list_required = init_kerberos_properties_list(properties, options)
+
+    kerberos_property_value_map = {}
+    for kerberos_property in kerberos_property_list_required:
+        input = get_validated_string_input(
+            kerberos_property.kerberos_prop_val_prompt,
+            kerberos_property.kerberos_prop_name,
+            kerberos_property.prompt_regex,
+            "Invalid characters in the input!",
+            False,
+            kerberos_property.allow_empty_prompt
+            )
+        if input is not None and input != "":
+            kerberos_property_value_map[kerberos_property.prop_name] = input
+
+    print "Properties to be updated / written into ambari properties:"
+    pp = pprint.PrettyPrinter()
+    pp.pprint(kerberos_property_value_map)
+
+
+    save = get_YN_input("Save settings [y/n] (y)? ", True)
+    if save:
+        update_properties_2(properties, kerberos_property_value_map)
+        print "Kerberos authentication settings successfully saved. Please restart the server in order for the new settings to take effect."
+    else:
+        print "Kerberos authentication settings aborted."
+
+    return 0;
+
+
+
+
+
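Review bot: The command-line values never reach the saved configuration as far as this file shows. `KerberosPropertyTemplate.__init__` stores `i_option` in `self.option`, but the loop in `setup_kerberos` never reads it and always calls `get_validated_string_input` with the default taken from ambari.properties. Unless that helper picks the options up some other way (not visible here), the loop should use `kerberos_property.option` when it was supplied and prompt only otherwise. These settings control authentication, yet every one except the enabled flag is validated with `REGEX_ANYTHING`. The user-types prompt advertises `JTW`, which looks like a typo for `JWT`, and `REGEX_TRUE_FALSE` accepts the empty string, so a mistyped user type or a wrong keytab path is written and only surfaces after the restart. I would restrict user types to a comma-separated list of the known names and check that the keytab file exists before `update_properties_2` is called. I would also rename the local `input`, which shadows the builtin, and drop the stray `;` in `return 0;`.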

http://git-wip-us.apache.org/repos/asf/ambari/blob/f652f61e/ambari-server/src/main/python/ambari_server/setupActions.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupActions.py b/ambari-server/src/main/python/ambari_server/setupActions.py
index 7ea0752..358bfc9 100644
--- a/ambari-server/src/main/python/ambari_server/setupActions.py
+++ b/ambari-server/src/main/python/ambari_server/setupActions.py
@@ -48,3 +48,4 @@ INSTALL_MPACK_ACTION = "install-mpack"
 UNINSTALL_MPACK_ACTION = "uninstall-mpack"
 UPGRADE_MPACK_ACTION = "upgrade-mpack"
 PAM_SETUP_ACTION = "setup-pam"
+KERBEROS_SETUP_ACTION = "setup-kerberos"