You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by ao...@apache.org on 2016/03/01 13:43:26 UTC
ambari git commit: AMBARI-15245. [Ambari tarballs] non-root server
setup: setup permissions and jdk (aonishuk)
Repository: ambari
Updated Branches:
refs/heads/trunk 61be6b22e -> 4019afa25
AMBARI-15245. [Ambari tarballs] non-root server setup: setup permissions and jdk (aonishuk)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4019afa2
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4019afa2
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4019afa2
Branch: refs/heads/trunk
Commit: 4019afa252244d21f17d10473196ee283678ee2c
Parents: 61be6b2
Author: Andrew Onishuk <ao...@hortonworks.com>
Authored: Tue Mar 1 14:43:21 2016 +0200
Committer: Andrew Onishuk <ao...@hortonworks.com>
Committed: Tue Mar 1 14:43:21 2016 +0200
----------------------------------------------------------------------
ambari-server/conf/unix/ambari-sudo.sh | 54 ++++++++++++--------
ambari-server/conf/unix/ambari.properties | 5 +-
.../ambari_server/dbConfiguration_linux.py | 8 +--
.../python/ambari_server/serverConfiguration.py | 16 +++---
.../main/python/ambari_server/serverSetup.py | 13 +++--
.../main/python/ambari_server/setupSecurity.py | 11 ++--
.../src/test/python/TestAmbariServer.py | 1 -
7 files changed, 59 insertions(+), 49 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/conf/unix/ambari-sudo.sh
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari-sudo.sh b/ambari-server/conf/unix/ambari-sudo.sh
index a4682f6..ba76f25 100644
--- a/ambari-server/conf/unix/ambari-sudo.sh
+++ b/ambari-server/conf/unix/ambari-sudo.sh
@@ -13,29 +13,39 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# since ambari-server doesn't have sudo permissions this file is just a mock file
-# which always runs commands without sudo.
-ENV=()
-SUDO_ARGS=()
+SUDO_BINARY="/usr/bin/sudo"
-for i ; do
- if [[ "$i" == *"="* ]] ; then
- ENV+=("$i")
- shift
- elif [[ "$i" == "-"* ]] ; then
- SUDO_ARGS+=("$i")
- shift
- else
- break
- fi
-done
+if [[ $# -eq 0 ]] ; then
+ echo 'usage: ambari-sudo.sh [sudo_arg1, sudo_arg2 ...] command [arg1, arg2 ...]'
+ exit 1
+fi
+
+# if user is non-root
+if [ "$EUID" -ne 0 ] ; then
+ $SUDO_BINARY "$@"
+else
+ ENV=()
+ SUDO_ARGS=()
+
+ for i ; do
+ if [[ "$i" == *"="* ]] ; then
+ ENV+=("$i")
+ shift
+ elif [[ "$i" == "-"* ]] ; then
+ SUDO_ARGS+=("$i")
+ shift
+ else
+ break
+ fi
+ done
-#echo "sudo arguments: ${SUDO_ARGS[@]}"
-#echo "env: ${ENV[@]}"
-#echo "args: $@"
+ #echo "sudo arguments: ${SUDO_ARGS[@]}"
+ #echo "env: ${ENV[@]}"
+ #echo "args: $@"
-if [ "$ENV" ] ; then
- export "${ENV[@]}"
-fi
+ if [ "$ENV" ] ; then
+ export "${ENV[@]}"
+ fi
-"$@"
\ No newline at end of file
+ "$@"
+fi
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 81ef446..ba5090c 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -29,14 +29,14 @@ jdk1.7.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-7u67-linux-x64.tar
jdk1.7.dest-file=jdk-7u67-linux-x64.tar.gz
jdk1.7.jcpol-url=http://public-repo-1.hortonworks.com/ARTIFACTS/UnlimitedJCEPolicyJDK7.zip
jdk1.7.jcpol-file=UnlimitedJCEPolicyJDK7.zip
-jdk1.7.home=/usr/jdk64/
+jdk1.7.home=$ROOT/usr/jdk64/
jdk1.7.re=(jdk.*)/jre
jdk1.8.desc=Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8
jdk1.8.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-8u60-linux-x64.tar.gz
jdk1.8.dest-file=jdk-8u60-linux-x64.tar.gz
jdk1.8.jcpol-url=http://public-repo-1.hortonworks.com/ARTIFACTS/jce_policy-8.zip
jdk1.8.jcpol-file=jce_policy-8.zip
-jdk1.8.home=/usr/jdk64/
+jdk1.8.home=$ROOT/usr/jdk64/
jdk1.8.re=(jdk.*)/jre
jdk.download.supported=true
jce.download.supported=true
@@ -52,7 +52,6 @@ recommendations.dir=$ROOT/var/run/ambari-server/stack-recommendations
stackadvisor.script=$ROOT/var/lib/ambari-server/resources/scripts/stack_advisor.py
server.tmp.dir=$ROOT/var/lib/ambari-server/data/tmp
ambari.python.wrap=ambari-python-wrap
-ambari-server.user=root
server.connection.max.idle.millis=900000
server.fqdn.service.url=http://169.254.169.254/latest/meta-data/public-hostname
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/src/main/python/ambari_server/dbConfiguration_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/dbConfiguration_linux.py b/ambari-server/src/main/python/ambari_server/dbConfiguration_linux.py
index 3ebebae..6ecc64d 100644
--- a/ambari-server/src/main/python/ambari_server/dbConfiguration_linux.py
+++ b/ambari-server/src/main/python/ambari_server/dbConfiguration_linux.py
@@ -47,6 +47,8 @@ from ambari_server.serverConfiguration import encrypt_password, store_password_f
JDBC_CONNECTION_POOL_IDLE_TEST_INTERVAL, JDBC_CONNECTION_POOL_MAX_AGE, JDBC_CONNECTION_POOL_MAX_IDLE_TIME, \
JDBC_CONNECTION_POOL_MAX_IDLE_TIME_EXCESS, JDBC_SQLA_SERVER_NAME
+from ambari_commons.constants import AMBARI_SUDO_BINARY
+
from ambari_server.userInput import get_YN_input, get_validated_string_input, read_password
from ambari_server.utils import get_postgre_hba_dir, get_postgre_running_status
from ambari_server.ambariPath import AmbariPath
@@ -312,12 +314,12 @@ class LinuxDBMSConfig(DBMSConfig):
# PostgreSQL configuration and setup
class PGConfig(LinuxDBMSConfig):
# PostgreSQL settings
- SETUP_DB_CMD = ['su', '-', 'postgres',
+ SETUP_DB_CMD = [AMBARI_SUDO_BINARY, 'su', 'postgres', '-',
'--command=psql -f {0} -v username=\'"{1}"\' -v password="\'{2}\'" -v dbname="{3}"']
- UPGRADE_STACK_CMD = ['su', 'postgres',
+ UPGRADE_STACK_CMD = [AMBARI_SUDO_BINARY, 'su', 'postgres',
'--command=psql -f {0} -v stack_name="\'{1}\'" -v stack_version="\'{2}\'" -v dbname="{3}"']
- CHANGE_OWNER_COMMAND = ['su', '-', 'postgres',
+ CHANGE_OWNER_COMMAND = [AMBARI_SUDO_BINARY, 'su', 'postgres', '-',
'--command=' + AmbariPath.get("/var/lib/ambari-server/resources/scripts/change_owner.sh") + ' -d {0} -s {1} -o {2}']
PG_ERROR_BLOCKED = "is being accessed by other users"
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/src/main/python/ambari_server/serverConfiguration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/serverConfiguration.py b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
index 3df1663..26a0098 100644
--- a/ambari-server/src/main/python/ambari_server/serverConfiguration.py
+++ b/ambari-server/src/main/python/ambari_server/serverConfiguration.py
@@ -326,7 +326,7 @@ class ServerConfigDefaults(object):
#Standard messages
self.MESSAGE_SERVER_RUNNING_AS_ROOT = ""
- self.MESSAGE_ERROR_SETUP_NOT_ROOT = ""
+ self.MESSAGE_WARN_SETUP_NOT_ROOT = ""
self.MESSAGE_ERROR_RESET_NOT_ROOT = ""
self.MESSAGE_ERROR_UPGRADE_NOT_ROOT = ""
self.MESSAGE_CHECK_FIREWALL = ""
@@ -381,7 +381,7 @@ class ServerConfigDefaultsWindows(ServerConfigDefaults):
#Standard messages
self.MESSAGE_SERVER_RUNNING_AS_ROOT = "Ambari Server running with 'root' privileges."
- self.MESSAGE_ERROR_SETUP_NOT_ROOT = "Ambari-server setup must be run with administrator-level privileges"
+ self.MESSAGE_WARN_SETUP_NOT_ROOT = "Ambari-server setup is run with root-level privileges, passwordless sudo access for some commands commands may be required"
self.MESSAGE_ERROR_RESET_NOT_ROOT = "Ambari-server reset must be run with administrator-level privileges"
self.MESSAGE_ERROR_UPGRADE_NOT_ROOT = "Ambari-server upgrade must be run with administrator-level privileges"
self.MESSAGE_CHECK_FIREWALL = "Checking firewall status..."
@@ -391,7 +391,7 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
def __init__(self):
super(ServerConfigDefaultsLinux, self).__init__()
# JDK
- self.JDK_INSTALL_DIR = "/usr/jdk64"
+ self.JDK_INSTALL_DIR = AmbariPath.get("/usr/jdk64")
self.JDK_SEARCH_PATTERN = "jdk*"
self.JAVA_EXE_SUBPATH = "bin/java"
@@ -410,12 +410,12 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
self.NR_ADJUST_OWNERSHIP_LIST = [
(AmbariPath.get("/var/log/ambari-server/"), "644", "{0}", True),
(AmbariPath.get("/var/log/ambari-server/"), "755", "{0}", False),
- (AmbariPath.get("/var/run/ambari-server/"), "644", "{0}", True),
+ (AmbariPath.get("/var/run/ambari-server/*"), "644", "{0}", True),
(AmbariPath.get("/var/run/ambari-server/"), "755", "{0}", False),
(AmbariPath.get("/var/run/ambari-server/bootstrap"), "755", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/ambari-env.sh"), "700", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/ambari-sudo.sh"), "700", "{0}", False),
- (AmbariPath.get("/var/lib/ambari-server/keys/"), "600", "{0}", True),
+ (AmbariPath.get("/var/lib/ambari-server/keys/*"), "600", "{0}", True),
(AmbariPath.get("/var/lib/ambari-server/keys/"), "700", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/keys/db/"), "700", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/keys/db/newcerts/"), "700", "{0}", False),
@@ -424,10 +424,10 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
(AmbariPath.get("/var/lib/ambari-server/resources/stacks/"), "755", "{0}", True),
(AmbariPath.get("/var/lib/ambari-server/resources/custom_actions/"), "755", "{0}", True),
(AmbariPath.get("/var/lib/ambari-server/resources/host_scripts/"), "755", "{0}", True),
- (AmbariPath.get("/var/lib/ambari-server/resources/views/"), "644", "{0}", True),
+ (AmbariPath.get("/var/lib/ambari-server/resources/views/*"), "644", "{0}", True),
(AmbariPath.get("/var/lib/ambari-server/resources/views/"), "755", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/resources/views/work/"), "755", "{0}", True),
- (AmbariPath.get("/etc/ambari-server/conf/"), "644", "{0}", True),
+ (AmbariPath.get("/etc/ambari-server/conf/*"), "644", "{0}", True),
(AmbariPath.get("/etc/ambari-server/conf/"), "755", "{0}", False),
(AmbariPath.get("/etc/ambari-server/conf/password.dat"), "640", "{0}", False),
(AmbariPath.get("/var/lib/ambari-server/keys/pass.txt"), "600", "{0}", False),
@@ -463,7 +463,7 @@ class ServerConfigDefaultsLinux(ServerConfigDefaults):
#Standard messages
self.MESSAGE_SERVER_RUNNING_AS_ROOT = "Ambari Server running with administrator privileges."
- self.MESSAGE_ERROR_SETUP_NOT_ROOT = "Ambari-server setup should be run with root-level privileges"
+ self.MESSAGE_WARN_SETUP_NOT_ROOT = "Ambari-server setup is run with root-level privileges, passwordless sudo access for some commands commands may be required"
self.MESSAGE_ERROR_RESET_NOT_ROOT = "Ambari-server reset should be run with root-level privileges"
self.MESSAGE_ERROR_UPGRADE_NOT_ROOT = "Ambari-server upgrade must be run with root-level privileges"
self.MESSAGE_CHECK_FIREWALL = "Checking firewall status..."
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/src/main/python/ambari_server/serverSetup.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/serverSetup.py b/ambari-server/src/main/python/ambari_server/serverSetup.py
index 643aebd..7f6a7e3 100644
--- a/ambari-server/src/main/python/ambari_server/serverSetup.py
+++ b/ambari-server/src/main/python/ambari_server/serverSetup.py
@@ -24,6 +24,7 @@ import re
import shutil
import sys
import subprocess
+import getpass
from ambari_commons.exceptions import FatalException
from ambari_commons.firewall import Firewall
@@ -47,6 +48,8 @@ from ambari_server.utils import locate_file
from ambari_server.serverClassPath import ServerClassPath
from ambari_server.ambariPath import AmbariPath
+from ambari_commons.constants import AMBARI_SUDO_BINARY
+
# selinux commands
GET_SE_LINUX_ST_CMD = locate_file('sestatus', '/usr/sbin')
SE_SETENFORCE_CMD = "setenforce 0"
@@ -307,14 +310,14 @@ class AmbariUserChecksLinux(AmbariUserChecks):
self.NR_USER_CHANGE_PROMPT = "Ambari-server daemon is configured to run under user '{0}'. Change this setting [y/n] ({1})? "
self.NR_USER_CUSTOMIZE_PROMPT = "Customize user account for ambari-server daemon [y/n] ({0})? "
- self.NR_DEFAULT_USER = "root"
+ self.NR_DEFAULT_USER = getpass.getuser()
self.NR_USERADD_CMD = 'useradd -M --comment "{1}" ' \
'--shell %s ' % locate_file('nologin', '/sbin') + '-d ' + AmbariPath.get('/var/lib/ambari-server/keys/') + ' {0}'
def _create_custom_user(self):
user = get_validated_string_input(
- "Enter user account for ambari-server daemon (root):",
+ "Enter user account for ambari-server daemon ({0}):".format(self.user),
self.user,
"^[a-z_][a-z0-9_-]{1,31}$",
"Invalid username.",
@@ -731,7 +734,7 @@ class JDKSetupLinux(JDKSetup):
JDKRelease("jdk1.8", "Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8",
"http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-8u60-linux-x64.tar.gz", "jdk-8u60-linux-x64.tar.gz",
"http://public-repo-1.hortonworks.com/ARTIFACTS/jce_policy-8.zip", "jce_policy-8.zip",
- "/usr/jdk64/jdk1.8.0_40",
+ AmbariPath.get("/usr/jdk64/jdk1.8.0_40"),
"(jdk.*)/jre")
]
@@ -1065,8 +1068,8 @@ def setup(options):
raise FatalException(1, None)
if not is_root():
- err = configDefaults.MESSAGE_ERROR_SETUP_NOT_ROOT
- raise FatalException(4, err)
+ warn_msg = configDefaults.MESSAGE_WARN_SETUP_NOT_ROOT
+ print warn_msg
# proceed jdbc properties if they were set
if _check_jdbc_options(options):
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/src/main/python/ambari_server/setupSecurity.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/python/ambari_server/setupSecurity.py b/ambari-server/src/main/python/ambari_server/setupSecurity.py
index 36f6fa9..27a6ba5 100644
--- a/ambari-server/src/main/python/ambari_server/setupSecurity.py
+++ b/ambari-server/src/main/python/ambari_server/setupSecurity.py
@@ -120,12 +120,9 @@ def adjust_directory_permissions(ambari_user):
bootstrap_dir = os.path.abspath(get_value_from_properties(properties, BOOTSTRAP_DIR_PROPERTY))
print_info_msg("Cleaning bootstrap directory ({0}) contents...".format(bootstrap_dir))
- shutil.rmtree(bootstrap_dir, True) #Ignore the non-existent dir error
- #Protect against directories lingering around
- del_attempts = 0
- while os.path.exists(bootstrap_dir) and del_attempts < 100:
- time.sleep(50)
- del_attempts += 1
+ if os.path.exists(bootstrap_dir):
+ shutil.rmtree(bootstrap_dir) #Ignore the non-existent dir error
+
if not os.path.exists(bootstrap_dir):
try:
os.makedirs(bootstrap_dir)
@@ -164,7 +161,7 @@ def adjust_directory_permissions(ambari_user):
if java_home:
jdk_security_dir = os.path.abspath(os.path.join(java_home, configDefaults.JDK_SECURITY_DIR))
if(os.path.exists(jdk_security_dir)):
- configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((jdk_security_dir, "644", "{0}", True))
+ configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((jdk_security_dir + "/*", "644", "{0}", True))
configDefaults.NR_ADJUST_OWNERSHIP_LIST.append((jdk_security_dir, "755", "{0}", False))
# Grant read permissions to all users. This is required when a non-admin user is configured to setup ambari-server.
http://git-wip-us.apache.org/repos/asf/ambari/blob/4019afa2/ambari-server/src/test/python/TestAmbariServer.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/TestAmbariServer.py b/ambari-server/src/test/python/TestAmbariServer.py
index c47cc67..901867c 100644
--- a/ambari-server/src/test/python/TestAmbariServer.py
+++ b/ambari-server/src/test/python/TestAmbariServer.py
@@ -1202,7 +1202,6 @@ class TestAmbariServer(TestCase):
get_resources_location_mock.return_value = "dummy_resources_dir"
exists_mock.return_value = False
adjust_directory_permissions("user")
- self.assertEquals(rmtree_mock.call_args_list[0][0][0], os.path.join(os.getcwd(), "dummy_bootstrap_dir"))
self.assertTrue(mkdir_mock.called)
set_file_permissions_mock.reset_mock()