ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Olivér Szabó (JIRA) <j...@apache.org>
Subject [jira] [Updated] (AMBARI-14627) Ability to automate setup-security and setup-ldap/sync-ldap
Date Fri, 01 Apr 2016 12:43:25 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-14627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Olivér Szabó updated AMBARI-14627:
----------------------------------
    Description: 
Currently the ambari-server setup-security command does not have any options thus it's interactive.
This makes it really hard to automate this process. For kerberos 1 option should be enough
for setting the master key.

Same for setup-ldap and sync-ldap

Example usage: 
{code:java}
1.) LDAP setup: 
  ambari-server setup-ldap \
  --ldap-url="ldap.apache.org389" \
  --ldap-secondary-url="" \
  --ldap-ssl="false" \
  --ldap-user-class="person" \
  --ldap-user-attr="sAMAccountName" \
  --ldap-group-class="group" \
  --ldap-group-attr="cn" \
  --ldap-member-attr="member" \
  --ldap-dn="distunguishedName" \
  --ldap-base-dn="dc=ambari01,dc=local" \
  --ldap-referral="" \
  --ldap-bind-anonym=false \
  --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
  --ldap-manager-password="myldappassword" \
  --ldap-save-settings \
  --truststore-type="jks" \
  --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
  --truststore-password="mypass"

2.) Ldap sync:
    ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin

3.) Setup Https:
  ambari-server setup-security \ 
    --security-option=setup-https \
    --api-ssl=true --client-api-ssl-port=8443 \ 
    --import-cert-path=/var/lib/ambari-server/keys/my.crt \ 
    --import-key-path=/var/lib/ambari-server/keys/my.key \
    --pem-password=password
4.) Encrypt passwords:
  ambari-server setup-security --security-option=encrypt-password --master-key=masterkey --master-key-persist=true

5.) Setup Kerberos JAAS:
  ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM"
--jaas-keytab="/etc/security/keytabs/ambari.keytab"

6.) Setup TrustStore:
    ambari-server setup-security \
      --security-option=setup-truststore \ 
      --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
      --truststore-type=pkcs12 \ 
      --truststore-password=password \
      --truststore-reconfigure
7.) Import certificate to TrustStore:
    ambari-server setup-security \ 
      --security-option=import-certificate \ 
      --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \ 
      --truststore-type=pkcs12 \ 
      --truststore-password=password \ 
      --import-cert-path=/var/lib/ambari-server/my.crt \ 
      --import-cert-alias=myalias \ 
      --truststore-reconfigure
{code}

  was:
Currently the ambari-server setup-security command does not have any options thus it's interactive.
This makes it really hard to automate this process. For kerberos 1 option should be enough
for setting the master key.

Same for setup-ldap and sync-ldap

{code:java}
1.) LDAP setup: 
  ambari-server setup-ldap \
  --ldap-url="ldap.apache.org389" \
  --ldap-secondary-url="" \
  --ldap-ssl="false" \
  --ldap-user-class="person" \
  --ldap-user-attr="sAMAccountName" \
  --ldap-group-class="group" \
  --ldap-group-attr="cn" \
  --ldap-member-attr="member" \
  --ldap-dn="distunguishedName" \
  --ldap-base-dn="dc=ambari01,dc=local" \
  --ldap-referral="" \
  --ldap-bind-anonym=false \
  --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
  --ldap-manager-password="myldappassword" \
  --ldap-save-settings \
  --truststore-type="jks" \
  --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
  --truststore-password="mypass"

2.) Ldap sync:
    ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin

3.) Setup Https:
  ambari-server setup-security \ 
    --security-option=setup-https \
    --api-ssl=true --client-api-ssl-port=8443 \ 
    --import-cert-path=/var/lib/ambari-server/keys/my.crt \ 
    --import-key-path=/var/lib/ambari-server/keys/my.key \
    --pem-password=password
4.) Encrypt passwords:
  ambari-server setup-security --security-option=encrypt-password --master-key=masterkey --master-key-persist=true

5.) Setup Kerberos JAAS:
  ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM"
--jaas-keytab="/etc/security/keytabs/ambari.keytab"

6.) Setup TrustStore:
    ambari-server setup-security \
      --security-option=setup-truststore \ 
      --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
      --truststore-type=pkcs12 \ 
      --truststore-password=password \
      --truststore-reconfigure
7.) Import certificate to TrustStore:
    ambari-server setup-security \ 
      --security-option=import-certificate \ 
      --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \ 
      --truststore-type=pkcs12 \ 
      --truststore-password=password \ 
      --import-cert-path=/var/lib/ambari-server/my.crt \ 
      --import-cert-alias=myalias \ 
      --truststore-reconfigure
{code}


> Ability to automate setup-security and setup-ldap/sync-ldap
> -----------------------------------------------------------
>
>                 Key: AMBARI-14627
>                 URL: https://issues.apache.org/jira/browse/AMBARI-14627
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.2.1
>            Reporter: Krisztian Horvath
>            Assignee: Olivér Szabó
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-14627_v5.patch
>
>
> Currently the ambari-server setup-security command does not have any options thus it's
interactive. This makes it really hard to automate this process. For kerberos 1 option should
be enough for setting the master key.
> Same for setup-ldap and sync-ldap
> Example usage: 
> {code:java}
> 1.) LDAP setup: 
>   ambari-server setup-ldap \
>   --ldap-url="ldap.apache.org389" \
>   --ldap-secondary-url="" \
>   --ldap-ssl="false" \
>   --ldap-user-class="person" \
>   --ldap-user-attr="sAMAccountName" \
>   --ldap-group-class="group" \
>   --ldap-group-attr="cn" \
>   --ldap-member-attr="member" \
>   --ldap-dn="distunguishedName" \
>   --ldap-base-dn="dc=ambari01,dc=local" \
>   --ldap-referral="" \
>   --ldap-bind-anonym=false \
>   --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
>   --ldap-manager-password="myldappassword" \
>   --ldap-save-settings \
>   --truststore-type="jks" \
>   --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
>   --truststore-password="mypass"
> 2.) Ldap sync:
>     ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
> 3.) Setup Https:
>   ambari-server setup-security \ 
>     --security-option=setup-https \
>     --api-ssl=true --client-api-ssl-port=8443 \ 
>     --import-cert-path=/var/lib/ambari-server/keys/my.crt \ 
>     --import-key-path=/var/lib/ambari-server/keys/my.key \
>     --pem-password=password
> 4.) Encrypt passwords:
>   ambari-server setup-security --security-option=encrypt-password --master-key=masterkey
--master-key-persist=true
> 5.) Setup Kerberos JAAS:
>   ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM"
--jaas-keytab="/etc/security/keytabs/ambari.keytab"
> 6.) Setup TrustStore:
>     ambari-server setup-security \
>       --security-option=setup-truststore \ 
>       --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
>       --truststore-type=pkcs12 \ 
>       --truststore-password=password \
>       --truststore-reconfigure
> 7.) Import certificate to TrustStore:
>     ambari-server setup-security \ 
>       --security-option=import-certificate \ 
>       --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \ 
>       --truststore-type=pkcs12 \ 
>       --truststore-password=password \ 
>       --import-cert-path=/var/lib/ambari-server/my.crt \ 
>       --import-cert-alias=myalias \ 
>       --truststore-reconfigure
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message