Posted to user@ambari.apache.org by Lukáš Drbal <lu...@gmail.com> on 2016/03/31 00:01:48 UTC
setup-security in silent mode
Hi,
is there any way to set up security for Ambari (HTTPS) in non-interactive
mode?
I need to update my Ansible role for the Ambari server to use HTTPS, but
everything I find uses the command "ambari-server setup-security" in
interactive mode. Is it possible to use some args?
Thanks.
--
Save The World - http://www.worldcommunitygrid.org/
http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
LesTR
Re: setup-security in silent mode
Posted by Henning Kropp <hk...@microlution.de>.
Hi,
you are right. I created an Ansible script around this topic, maybe it
saves you some time.
Here are the steps in my Ansible script:
# Turn on HTTPS for the Ambari web UI / REST API.
# The pattern is anchored so it does not also match the client.api.ssl.* lines.
- name: Enable SSL
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='^api[.]ssl=' line='api.ssl=true' owner=root group=root mode=0644
- name: Set two-way SSL
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='security.server.two_way_ssl'
    line='security.server.two_way_ssl=true' owner=root group=root mode=0644
- name: Configure certificate path
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='client.api.ssl.cert_name'
    line='client.api.ssl.cert_name=https.crt' owner=root group=root mode=0644
- name: Configure key path
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='client.api.ssl.key_name'
    line='client.api.ssl.key_name=https.key' owner=root group=root mode=0644
- name: Keys directory path
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='security.server.keys_dir'
    line='security.server.keys_dir=/var/lib/ambari-server/keys' owner=root
    group=root mode=0644
- name: Truststore path
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='ssl.trustStore.path'
    line='ssl.trustStore.path=/var/lib/ambari-server/keys/keystore.p12'
    owner=root group=root mode=0644
- name: Truststore type
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='ssl.trustStore.type' line='ssl.trustStore.type=pkcs12'
    owner=root group=root mode=0644
# The password below is the example value from this post; it is stored in
# clear text in ambari.properties.
- name: Truststore password
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='ssl.trustStore.password' line='ssl.trustStore.password=horton'
    owner=root group=root mode=0644
- name: Client API SSL port
  lineinfile: dest=/etc/ambari-server/conf/ambari.properties
    regexp='client.api.ssl.port' line='client.api.ssl.port=8443' owner=root
    group=root mode=0644
# Opens the HTTPS port to every source address.
- name: IPTABLES / 8443 / https web UI
  command: iptables -I INPUT -p tcp --dport 8443 -s 0.0.0.0/0 -j ACCEPT
- name: Copy Certificate to /root/
  copy: src=company-bank-01.cloud.hortonworks.com.crt
    dest=/var/lib/ambari-server/keys/https.crt owner=root group=root mode=0600
- name: Copy Private Key to /etc/ambari-server/conf/
  copy: src=company-bank-01.cloud.hortonworks.com.key
    dest=/var/lib/ambari-server/keys/https.key owner=root group=root mode=0600
- name: Create key password file
  copy: src=company-key.pass.txt
    dest=/var/lib/ambari-server/keys/https.pass.txt group=root mode=0600
- name: Create key password file
  copy: src=company-key.pass.txt
    dest=/var/lib/ambari-server/keys/pass.txt group=root mode=0600
# Remove any old keystores, then rebuild them from the certificate and key.
- name: Create truststore
  command: rm -f /var/lib/ambari-server/keys/https.keystore.p12
- command: rm -f /var/lib/ambari-server/keys/keystore.p12
- command: openssl pkcs12 -export -in
    '/var/lib/ambari-server/keys/https.crt' -inkey
    '/var/lib/ambari-server/keys/https.key' -certfile
    '/var/lib/ambari-server/keys/https.crt' -out
    '/var/lib/ambari-server/keys/https.keystore.p12' -password
    file:'/var/lib/ambari-server/keys/https.pass.txt' -passin
    file:'/var/lib/ambari-server/keys/pass.txt'
- command: /usr/jdk64/jdk1.8.0_40/bin/keytool -import -alias
    'company-bank-01' -keystore '/var/lib/ambari-server/keys/keystore.p12'
    -storetype pkcs12 -file '/var/lib/ambari-server/keys/https.crt'
    -storepass 'horton' -noprompt
- command: chmod 600 /var/lib/ambari-server/keys/https.keystore.p12
- command: chmod 600 /var/lib/ambari-server/keys/keystore.p12
Regards,
Henning
On 04/04/16 at 18:48, Lukáš Drbal wrote:
> Hi Dmitry,
>
> thanks for the reply, but it's not exactly true.
>
> "ambari-server setup-security" does some "magic" with the provided SSL
> certs/keys, which are stored in my situation here:
> root@<hostname>:/etc/ambari-server/conf# ls -la
> /var/lib/ambari-server/keys/
> total 64
> drwx------ 3 root root 4096 Apr 4 16:34 .
> drwxr-xr-x 5 root root 4096 Mar 30 21:31 ..
> -rw------- 1 root root 779 Mar 10 18:24 ca.config
> -rw------- 1 root root 7153 Mar 30 21:32 ca.crt
> -rw------- 1 root root 1651 Mar 30 21:32 ca.csr
> -rw------- 1 root root 3311 Mar 30 21:32 ca.key
> drwx------ 3 root root 4096 Mar 30 21:32 db
> *-rw------- 1 root root 2698 Apr 4 16:34 https.crt*
> *-rw------- 1 root root 1751 Apr 4 16:34 https.key*
> *-rw------- 1 root root 4917 Apr 4 16:34 https.keystore.p12*
> *-rw------- 1 root root 50 Apr 4 16:34 https.pass.txt*
> *-rw------- 1 root root 5693 Mar 30 21:32 keystore.p12*
> *-rw------- 1 root root 50 Mar 30 21:31 pass.txt*
>
> https.crt has the same md5sum as the original certificate, but that's all
> I know for now. It's maybe time to look into the source code.
>
>
> L.
>
> On Thu, Mar 31, 2016 at 12:29 PM, Dmitry Sen <dsen@hortonworks.com> wrote:
>
> Hi,
>
>
> "ambari-server setup-security" just adds some lines to
> /etc/ambari-server/conf/ambari.properties
>
> So you can add them in non-interactive mode and restart ambari-server
>
>
>
> ------------------------------------------------------------------------
> *From:* Lukáš Drbal <lukas.drbal@gmail.com>
> *Sent:* Thursday, March 31, 2016 1:01 AM
> *To:* user@ambari.apache.org
> *Subject:* setup-security in silent mode
> Hi,
>
> is there any way to set up security for Ambari (HTTPS) in non-interactive
> mode?
> I need to update my Ansible role for the Ambari server to use HTTPS, but
> everything I find uses the command "ambari-server setup-security" in
> interactive mode. Is it possible to use some args?
>
> Thanks.
>
> --
> Save The World - http://www.worldcommunitygrid.org/
> http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
>
> LesTR
>
>
>
>
> --
> Save The World - http://www.worldcommunitygrid.org/
> http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
>
> LesTR
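Added example (not part of the thread and not Ambari's own code): a Python post-deploy check for the playbook above. It confirms that the HTTPS keys the playbook writes are present in ambari.properties, flags a truststore password kept in a file readable by non-owners (the playbook sets mode=0644), and checks the certificate and key under security.server.keys_dir for loose permissions. The function names and the sample layout built in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile

REQUIRED = ("client.api.ssl.port", "client.api.ssl.cert_name",
            "client.api.ssl.key_name", "security.server.keys_dir")

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key[:1] not in ("#", "!"):
            props[key.strip()] = value.strip()
    return props

def audit(conf_path):
    """Return a list of findings for an ambari.properties file."""
    with open(conf_path) as fh:
        props = parse_properties(fh.read())
    findings = [] if props.get("api.ssl") == "true" else ["api.ssl is not true"]
    findings += ["missing " + k for k in REQUIRED if k not in props]
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if "ssl.trustStore.password" in props and mode & 0o044:
        findings.append("truststore password in file readable by non-owners "
                        "(mode %04o)" % mode)
    keys_dir = props.get("security.server.keys_dir", "")
    for k in ("client.api.ssl.cert_name", "client.api.ssl.key_name"):
        if k not in props:
            continue
        path = os.path.join(keys_dir, props[k])
        if not os.path.isfile(path):
            findings.append("missing file " + path)
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("loose permissions on " + path)
    return findings

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    keys = os.path.join(root, "keys")
    os.mkdir(keys)
    for name, mode in (("https.crt", 0o600), ("https.key", 0o644)):
        path = os.path.join(keys, name)
        open(path, "w").close()
        os.chmod(path, mode)
    conf = os.path.join(root, "ambari.properties")
    with open(conf, "w") as fh:
        fh.write("# constructed sample\napi.ssl=true\nclient.api.ssl.port=8443\n"
                 "client.api.ssl.cert_name=https.crt\nclient.api.ssl.key_name=https.key\n"
                 "security.server.keys_dir=%s\nssl.trustStore.password=PLACEHOLDER\n" % keys)
    os.chmod(conf, 0o644)
    return audit(conf)
```

On a real host, call audit("/etc/ambari-server/conf/ambari.properties") as root after the play has run; an empty list means none of these checks fired.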
Re: setup-security in silent mode
Posted by Lukáš Drbal <lu...@gmail.com>.
Hi Dmitry,
thanks for the reply, but it's not exactly true.
"ambari-server setup-security" does some "magic" with the provided SSL certs/keys,
which are stored in my situation here:
root@<hostname>:/etc/ambari-server/conf# ls -la /var/lib/ambari-server/keys/
total 64
drwx------ 3 root root 4096 Apr 4 16:34 .
drwxr-xr-x 5 root root 4096 Mar 30 21:31 ..
-rw------- 1 root root 779 Mar 10 18:24 ca.config
-rw------- 1 root root 7153 Mar 30 21:32 ca.crt
-rw------- 1 root root 1651 Mar 30 21:32 ca.csr
-rw------- 1 root root 3311 Mar 30 21:32 ca.key
drwx------ 3 root root 4096 Mar 30 21:32 db
*-rw------- 1 root root 2698 Apr 4 16:34 https.crt*
*-rw------- 1 root root 1751 Apr 4 16:34 https.key*
*-rw------- 1 root root 4917 Apr 4 16:34 https.keystore.p12*
*-rw------- 1 root root 50 Apr 4 16:34 https.pass.txt*
*-rw------- 1 root root 5693 Mar 30 21:32 keystore.p12*
*-rw------- 1 root root 50 Mar 30 21:31 pass.txt*
https.crt has the same md5sum as the original certificate, but that's all I
know for now. It's maybe time to look into the source code.
L.
On Thu, Mar 31, 2016 at 12:29 PM, Dmitry Sen <ds...@hortonworks.com> wrote:
> Hi,
>
>
> "ambari-server setup-security" just adds some lines to
> /etc/ambari-server/conf/ambari.properties
>
> So you can add them in non-interactive mode and restart ambari-server
>
>
> ------------------------------
> *From:* Lukáš Drbal <lu...@gmail.com>
> *Sent:* Thursday, March 31, 2016 1:01 AM
> *To:* user@ambari.apache.org
> *Subject:* setup-security in silent mode
>
> Hi,
>
> is there any way to set up security for Ambari (HTTPS) in non-interactive
> mode?
> I need to update my Ansible role for the Ambari server to use HTTPS, but
> everything I find uses the command "ambari-server setup-security" in
> interactive mode. Is it possible to use some args?
>
> Thanks.
>
> --
> Save The World - http://www.worldcommunitygrid.org/
> http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
>
> LesTR
>
--
Save The World - http://www.worldcommunitygrid.org/
http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
LesTR
Re: setup-security in silent mode
Posted by Dmitry Sen <ds...@hortonworks.com>.
Hi,
"ambari-server setup-security" just adds some lines to /etc/ambari-server/conf/ambari.properties
So you can add them in non-interactive mode and restart ambari-server
________________________________
From: Lukáš Drbal <lu...@gmail.com>
Sent: Thursday, March 31, 2016 1:01 AM
To: user@ambari.apache.org
Subject: setup-security in silent mode
Hi,
is there any way to set up security for Ambari (HTTPS) in non-interactive mode?
I need to update my Ansible role for the Ambari server to use HTTPS, but everything I find uses the command "ambari-server setup-security" in interactive mode. Is it possible to use some args?
Thanks.
--
Save The World - http://www.worldcommunitygrid.org/
http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
LesTR