Posted to commits@ambari.apache.org by nc...@apache.org on 2016/12/22 17:08:21 UTC
[17/26] ambari git commit: AMBARI-19266. Command line support for
setting configuration options to support Kerberos token authentication.
(Laszlo Puskas via stoader)
AMBARI-19266. Command line support for setting configuration options to support Kerberos token authentication. (Laszlo Puskas via stoader)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/52d7b7ef
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/52d7b7ef
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/52d7b7ef
Branch: refs/heads/branch-dev-patch-upgrade
Commit: 52d7b7ef624b8866428f0b0b5f3f8f5157193350
Parents: ae14380
Author: Laszlo Puskas <lp...@hortonworks.com>
Authored: Wed Dec 21 20:28:28 2016 +0100
Committer: Toader, Sebastian <st...@hortonworks.com>
Committed: Wed Dec 21 20:30:42 2016 +0100
----------------------------------------------------------------------
ambari-server/sbin/ambari-server | 6 +-
ambari-server/src/main/python/ambari-server.py | 14 ++-
.../main/python/ambari_server/kerberos_setup.py | 99 ++++++++++++++++++++
.../main/python/ambari_server/setupActions.py | 1 +
4 files changed, 117 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/sbin/ambari-server
----------------------------------------------------------------------
diff --git a/ambari-server/sbin/ambari-server b/ambari-server/sbin/ambari-server
index 8afabb1..5f97299 100755
--- a/ambari-server/sbin/ambari-server
+++ b/ambari-server/sbin/ambari-server
@@ -196,9 +196,13 @@ case "${1:-}" in
echo -e "Upgrading management pack"
$PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@
;;
+ setup-kerberos)
+ echo -e "Setting up Kerberos authentication"
+ $PYTHON "$AMBARI_PYTHON_EXECUTABLE" $@
+ ;;
*)
echo "Usage: $AMBARI_EXECUTABLE
- {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack} [options]
+ {start|stop|reset|restart|upgrade|status|upgradestack|setup|setup-jce|setup-ldap|sync-ldap|set-current|setup-security|refresh-stack-hash|backup|restore|update-host-names|check-database|enable-stack|setup-sso|db-cleanup|install-mpack|uninstall-mpack|upgrade-mpack|setup-kerberos} [options]
Use $AMBARI_PYTHON_EXECUTABLE <action> --help to get details on options available.
Or, simply invoke ambari-server.py --help to print the options."
exit 1
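Review bot: The new `setup-kerberos` branch forwards its arguments with an unquoted `$@`, so any option value containing whitespace or glob characters is re-split or expanded by the shell before ambari-server.py sees it. This matters for `--kerberos-auth-to-local-rules`, whose value can contain whitespace when several rules are given; a rule list that arrives split differently from what the operator typed changes how principals map to local users. Use `$PYTHON "$AMBARI_PYTHON_EXECUTABLE" "$@"`. The `upgrade-mpack` branch shown as context has the same form, and the rest of the `case` statement lies outside the hunk.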
http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari-server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari-server.py b/ambari-server/src/main/python/ambari-server.py
index dff4fc3..5d4f5d7 100755
--- a/ambari-server/src/main/python/ambari-server.py
+++ b/ambari-server/src/main/python/ambari-server.py
@@ -52,9 +52,10 @@ from ambari_server.setupActions import BACKUP_ACTION, LDAP_SETUP_ACTION, LDAP_SY
SETUP_ACTION, SETUP_SECURITY_ACTION,START_ACTION, STATUS_ACTION, STOP_ACTION, RESTART_ACTION, UPGRADE_ACTION, \
UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, START_ACTION, STATUS_ACTION, STOP_ACTION, UPGRADE_ACTION, \
UPGRADE_STACK_ACTION, SETUP_JCE_ACTION, SET_CURRENT_ACTION, ENABLE_STACK_ACTION, SETUP_SSO_ACTION, \
- DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION
+ DB_CLEANUP_ACTION, INSTALL_MPACK_ACTION, UNINSTALL_MPACK_ACTION, UPGRADE_MPACK_ACTION, PAM_SETUP_ACTION, KERBEROS_SETUP_ACTION
from ambari_server.setupSecurity import setup_ldap, sync_ldap, setup_master_key, setup_ambari_krb5_jaas, setup_pam
from ambari_server.userInput import get_validated_string_input
+from ambari_server.kerberos_setup import setup_kerberos
from ambari_server_main import server_process_main
from ambari_server.ambariPath import AmbariPath
@@ -587,6 +588,14 @@ def init_parser_options(parser):
parser.add_option('--jaas-principal', default=None, help="Kerberos principal for ambari server", dest="jaas_principal")
parser.add_option('--jaas-keytab', default=None, help="Keytab path for Kerberos principal", dest="jaas_keytab")
+ parser.add_option('--kerberos-setup', default=None, help="Setup Kerberos Authentication", dest="kerberos_setup")
+ parser.add_option('--kerberos-enabled', default=False, help="Kerberos enabled", dest="kerberos_enabled")
+ parser.add_option('--kerberos-spnego-principal', default="HTTP/_HOST", help="Kerberos SPNEGO principal", dest="kerberos_spnego_principal")
+ parser.add_option('--kerberos-spnego-keytab-file', default="/etc/security/keytabs/spnego.service.keytab", help="Kerberos SPNEGO keytab file", dest="kerberos_spnego_keytab_file")
+ parser.add_option('--kerberos-spnego-user-types', default="LDAP", help="User type search order (comma-delimited)", dest="kerberos_user_types")
+ parser.add_option('--kerberos-auth-to-local-rules', default="DEFAULT", help="Auth-to-local rules", dest="kerberos_auth_to_local_rules")
+
+
@OsFamilyFuncImpl(OSConst.WINSRV_FAMILY)
def are_cmd_line_db_args_blank(options):
if (options.database_host is None \
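Review bot: Every new option except `--kerberos-setup` carries a non-None default, so the code cannot tell a value the operator supplied from the built-in default. Nothing in this commit's kerberos_setup.py reads the values back either: `KerberosPropertyTemplate` stores each one in `self.option`, but `setup_kerberos` always prompts. As written the options appear to have no effect on what is saved. Setting `default=None` on each, and having `setup_kerberos` use `kerberos_property.option` when it is not None, would make the command usable non-interactively. `--kerberos-enabled` also defaults to the boolean `False` while the property is validated as the string `true`/`false`, and the `kerberos_setup` dest is not referenced in any visible hunk; `init_parser_options` begins above this hunk.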
@@ -749,7 +758,8 @@ def create_user_action_map(args, options):
INSTALL_MPACK_ACTION: UserAction(install_mpack, options),
UNINSTALL_MPACK_ACTION: UserAction(uninstall_mpack, options),
UPGRADE_MPACK_ACTION: UserAction(upgrade_mpack, options),
- PAM_SETUP_ACTION: UserAction(setup_pam)
+ PAM_SETUP_ACTION: UserAction(setup_pam),
+ KERBEROS_SETUP_ACTION: UserAction(setup_kerberos, options)
}
return action_map
http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari_server/kerberos_setup.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/kerberos_setup.py b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
new file mode 100644
index 0000000..74b2d3e
--- /dev/null
+++ b/ambari-server/src/main/python/ambari_server/kerberos_setup.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python
+
+'''
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+'''
+
+import logging
+import pprint
+
+from ambari_server.serverConfiguration import get_value_from_properties, get_ambari_properties, update_properties_2
+from ambari_server.userInput import get_prompt_default,get_validated_string_input, get_YN_input
+from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl
+from ambari_commons.exceptions import FatalException
+from ambari_commons.os_utils import is_root
+
+REGEX_TRUE_FALSE = "^(true|false)?$"
+REGEX_ANYTHING = ".*"
+
+logger = logging.getLogger(__name__)
+
+class KerberosPropertyTemplate:
+ def __init__(self, properties, i_option, i_prop_name, i_prop_val_pattern, i_prompt_regex, i_allow_empty_prompt, i_prop_name_default=None):
+ self.prop_name = i_prop_name
+ self.option = i_option
+ self.kerberos_prop_name = get_value_from_properties(properties, i_prop_name, i_prop_name_default)
+ self.kerberos_prop_val_prompt = i_prop_val_pattern.format(get_prompt_default(self.kerberos_prop_name))
+ self.prompt_regex = i_prompt_regex
+ self.allow_empty_prompt = i_allow_empty_prompt
+
+@OsFamilyFuncImpl(OsFamilyImpl.DEFAULT)
+def init_kerberos_properties_list(properties, options):
+ kerberos_properties = [
+ KerberosPropertyTemplate(properties, options.kerberos_enabled, "authentication.kerberos.enabled", "Enable Kerberos authentication [true|false] {0}: ",
+ REGEX_TRUE_FALSE, False, "false"),
+ KerberosPropertyTemplate(properties, options.kerberos_spnego_principal, "authentication.kerberos.spnego.principal", "SPNEGO principal {0}: ",
+ REGEX_ANYTHING, False, "HTTP/_HOST"),
+ KerberosPropertyTemplate(properties, options.kerberos_spnego_keytab_file, "authentication.kerberos.spnego.keytab.file", "SPNEGO keytab file {0}: ",
+ REGEX_ANYTHING, False, "/etc/security/keytabs/spnego.service.keytab"),
+ KerberosPropertyTemplate(properties, options.kerberos_user_types, "authentication.kerberos.user.types", "User type search order [LDAP|LOCAL|JTW] {0}: ",
+ REGEX_ANYTHING, False, "LDAP"),
+ KerberosPropertyTemplate(properties, options.kerberos_auth_to_local_rules, "authentication.kerberos.auth_to_local.rules", "Auth-to-local rules {0}: ",
+ REGEX_ANYTHING, False, "DEFAULT")
+ ]
+ return kerberos_properties
+
+def setup_kerberos(options):
+ logger.info("Setting up Kerberos authentication...")
+ if not is_root():
+ err = "ambari-server setup-kerberos should be run with root-level privileges"
+ raise FatalException(4, err)
+
+ properties = get_ambari_properties()
+ kerberos_property_list_required = init_kerberos_properties_list(properties, options)
+
+ kerberos_property_value_map = {}
+ for kerberos_property in kerberos_property_list_required:
+ input = get_validated_string_input(
+ kerberos_property.kerberos_prop_val_prompt,
+ kerberos_property.kerberos_prop_name,
+ kerberos_property.prompt_regex,
+ "Invalid characters in the input!",
+ False,
+ kerberos_property.allow_empty_prompt
+ )
+ if input is not None and input != "":
+ kerberos_property_value_map[kerberos_property.prop_name] = input
+
+ print "Properties to be updated / written into ambari properties:"
+ pp = pprint.PrettyPrinter()
+ pp.pprint(kerberos_property_value_map)
+
+
+ save = get_YN_input("Save settings [y/n] (y)? ", True)
+ if save:
+ update_properties_2(properties, kerberos_property_value_map)
+ print "Kerberos authentication settings successfully saved. Please restart the server in order for the new settings to take effect."
+ else:
+ print "Kerberos authentication settings aborted."
+
+ return 0;
+
+
+
+
+
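Review bot: Four of the five authentication settings are validated with `REGEX_ANYTHING`, so a mistyped user type or keytab path is written to ambari.properties unchecked and would presumably only surface after the restart. The user-type list is a closed set according to its own prompt (which spells one value `JTW`, presumably `JWT`), so it can be constrained with something like `REGEX_USER_TYPES = "^(LDAP|LOCAL|JWT)(,(LDAP|LOCAL|JWT))*$"`. For the SPNEGO keytab, checking before saving that the file exists and is not readable by group or others would catch a service key deployed with overly broad permissions. Smaller points: the local name `input` shadows the builtin, and `return 0;` has a stray semicolon.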
http://git-wip-us.apache.org/repos/asf/ambari/blob/52d7b7ef/ambari-server/src/main/python/ambari_server/setupActions.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupActions.py b/ambari-server/src/main/python/ambari_server/setupActions.py
index 7ea0752..358bfc9 100644
--- a/ambari-server/src/main/python/ambari_server/setupActions.py
+++ b/ambari-server/src/main/python/ambari_server/setupActions.py
@@ -48,3 +48,4 @@ INSTALL_MPACK_ACTION = "install-mpack"
UNINSTALL_MPACK_ACTION = "uninstall-mpack"
UPGRADE_MPACK_ACTION = "upgrade-mpack"
PAM_SETUP_ACTION = "setup-pam"
+KERBEROS_SETUP_ACTION = "setup-kerberos"