Posted to issues@ambari.apache.org by "Olivér Szabó (JIRA)" <ji...@apache.org> on 2016/05/30 12:49:12 UTC
[jira] [Updated] (AMBARI-14627) Ability to automate setup-security and setup-ldap/sync-ldap
[ https://issues.apache.org/jira/browse/AMBARI-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivér Szabó updated AMBARI-14627:
----------------------------------
Description:
Currently the ambari-server setup-security command does not have any options, thus it's interactive. This makes it really hard to automate this process. For Kerberos, 1 option should be enough for setting the master key.
Same for setup-ldap and sync-ldap.
Example usage:
{code:java}
1.) LDAP setup:
ambari-server setup-ldap \
--ldap-url="ldap.apache.org:389" \
--ldap-secondary-url="" \
--ldap-ssl="false" \
--ldap-user-class="person" \
--ldap-user-attr="sAMAccountName" \
--ldap-group-class="group" \
--ldap-group-attr="cn" \
--ldap-member-attr="member" \
--ldap-dn="distinguishedName" \
--ldap-base-dn="dc=ambari01,dc=local" \
--ldap-referral="" \
--ldap-bind-anonym=false \
--ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
--ldap-manager-password="myldappassword" \
--ldap-save-settings \
--truststore-type="jks" \
--truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
--truststore-password="mypass"
2.) Ldap sync:
ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
3.) Setup Https:
ambari-server setup-security \
--security-option=setup-https \
--api-ssl=true --client-api-ssl-port=8443 \
--import-cert-path=/var/lib/ambari-server/keys/my.crt \
--import-key-path=/var/lib/ambari-server/keys/my.key \
--pem-password=password
4.) Encrypt passwords:
ambari-server setup-security --security-option=encrypt-passwords --master-key=masterkey --master-key-persist=true
5.) Setup Kerberos JAAS:
ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM" --jaas-keytab="/etc/security/keytabs/ambari.keytab"
6.) Setup TrustStore:
ambari-server setup-security \
--security-option=setup-truststore \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
--truststore-type=pkcs12 \
--truststore-password=password \
--truststore-reconfigure
7.) Import certificate to TrustStore:
ambari-server setup-security \
--security-option=import-certificate \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
--truststore-type=pkcs12 \
--truststore-password=password \
--import-cert-path=/var/lib/ambari-server/my.crt \
--import-cert-alias=myalias \
--truststore-reconfigure
{code}
was:
Currently the ambari-server setup-security command does not have any options, thus it's interactive. This makes it really hard to automate this process. For Kerberos, 1 option should be enough for setting the master key.
Same for setup-ldap and sync-ldap.
Example usage:
{code:java}
1.) LDAP setup:
ambari-server setup-ldap \
--ldap-url="ldap.apache.org:389" \
--ldap-secondary-url="" \
--ldap-ssl="false" \
--ldap-user-class="person" \
--ldap-user-attr="sAMAccountName" \
--ldap-group-class="group" \
--ldap-group-attr="cn" \
--ldap-member-attr="member" \
--ldap-dn="distinguishedName" \
--ldap-base-dn="dc=ambari01,dc=local" \
--ldap-referral="" \
--ldap-bind-anonym=false \
--ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
--ldap-manager-password="myldappassword" \
--ldap-save-settings \
--truststore-type="jks" \
--truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
--truststore-password="mypass"
2.) Ldap sync:
ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
3.) Setup Https:
ambari-server setup-security \
--security-option=setup-https \
--api-ssl=true --client-api-ssl-port=8443 \
--import-cert-path=/var/lib/ambari-server/keys/my.crt \
--import-key-path=/var/lib/ambari-server/keys/my.key \
--pem-password=password
4.) Encrypt passwords:
ambari-server setup-security --security-option=encrypt-password --master-key=masterkey --master-key-persist=true
5.) Setup Kerberos JAAS:
ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM" --jaas-keytab="/etc/security/keytabs/ambari.keytab"
6.) Setup TrustStore:
ambari-server setup-security \
--security-option=setup-truststore \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
--truststore-type=pkcs12 \
--truststore-password=password \
--truststore-reconfigure
7.) Import certificate to TrustStore:
ambari-server setup-security \
--security-option=import-certificate \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
--truststore-type=pkcs12 \
--truststore-password=password \
--import-cert-path=/var/lib/ambari-server/my.crt \
--import-cert-alias=myalias \
--truststore-reconfigure
{code}
> Ability to automate setup-security and setup-ldap/sync-ldap
> -----------------------------------------------------------
>
> Key: AMBARI-14627
> URL: https://issues.apache.org/jira/browse/AMBARI-14627
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.2.1
> Reporter: Krisztian Horvath
> Assignee: Olivér Szabó
> Fix For: 2.4.0
>
> Attachments: AMBARI-14627_v5.patch
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
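
The usage examples in this issue put passwords and the master key directly on the command line. As an added example (not part of the issue or of Ambari's code), this POSIX shell wrapper reads those values from owner-only files and masks them in its own log line. The flag names and sample values follow the description above; the function names, the two secret-file arguments and `AMBARI_SERVER_BIN` are assumptions of the example.

```sh
#!/bin/sh
# Added example, not Ambari code. AMBARI_SERVER_BIN is a hypothetical override for dry runs.

# Print a command line with the values of secret-bearing flags masked.
redact_args() {
  out=
  for arg in "$@"; do
    case $arg in
      --ldap-manager-password=*|--ldap-sync-admin-password=*|\
      --truststore-password=*|--pem-password=*|--master-key=*)
        arg="${arg%%=*}=********" ;;
    esac
    out="${out:+$out }$arg"
  done
  printf '%s\n' "$out"
}

# Read the first line of a secret file; refuse files that group/other can read.
read_secret() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "cannot stat $1" >&2; return 1; }
  case $mode in
    600|400) ;;
    *) echo "refusing $1: mode $mode, want 600 or 400" >&2; return 1 ;;
  esac
  IFS= read -r secret < "$1" || [ -n "$secret" ] || return 1
  printf '%s' "$secret"
}

# Non-interactive setup-ldap: $1 = LDAP manager password file, $2 = truststore
# password file. Only the redacted command line is logged. The values are still
# passed in argv, so they stay visible in the process list while the command runs.
run_setup_ldap() {
  ldap_pw=$(read_secret "$1") || return 1
  ts_pw=$(read_secret "$2") || return 1
  set -- setup-ldap \
    --ldap-url="ldap.apache.org:389" --ldap-secondary-url="" --ldap-ssl="false" \
    --ldap-user-class="person" --ldap-user-attr="sAMAccountName" \
    --ldap-group-class="group" --ldap-group-attr="cn" --ldap-member-attr="member" \
    --ldap-dn="distinguishedName" --ldap-base-dn="dc=ambari01,dc=local" \
    --ldap-referral="" --ldap-bind-anonym=false \
    --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
    --ldap-manager-password="$ldap_pw" --ldap-save-settings \
    --truststore-type="jks" \
    --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
    --truststore-password="$ts_pw"
  printf 'running: ambari-server %s\n' "$(redact_args "$@")" >&2
  "${AMBARI_SERVER_BIN:-ambari-server}" "$@"
}
```

Source the file and call `run_setup_ldap /path/to/ldap.pw /path/to/truststore.pw`; setting `AMBARI_SERVER_BIN=true` gives a dry run that only prints the masked command line.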