ambari-user mailing list archives

From Henning Kropp <hkr...@microlution.de>
Subject Re: setup-security in silent mode
Date Tue, 05 Apr 2016 15:36:16 GMT
Hi,

you are right. I created an Ansible script around this topic; maybe it 
saves you some time.

Here are the steps in my Ansible script:

   # Every lineinfile regexp below is anchored and escaped ('^api\.ssl='
   # instead of 'api.ssl'): lineinfile does an unanchored search and replaces
   # the LAST matching line, so a bare 'api.ssl' also matches the
   # client.api.ssl.* lines and overwrites client.api.ssl.port on the next run.
   - name: Enable SSL
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^api\.ssl=' line='api.ssl=true' owner=root group=root mode=0644

   - name: Set two-way SSL
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^security\.server\.two_way_ssl=' line='security.server.two_way_ssl=true' owner=root group=root mode=0644

   - name: Configure certificate file name (inside security.server.keys_dir)
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client\.api\.ssl\.cert_name=' line='client.api.ssl.cert_name=https.crt' owner=root group=root mode=0644

   - name: Configure key file name (inside security.server.keys_dir)
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client\.api\.ssl\.key_name=' line='client.api.ssl.key_name=https.key' owner=root group=root mode=0644

   - name: Keys directory path
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^security\.server\.keys_dir=' line='security.server.keys_dir=/var/lib/ambari-server/keys' owner=root group=root mode=0644

   - name: Truststore path
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl\.trustStore\.path=' line='ssl.trustStore.path=/var/lib/ambari-server/keys/keystore.p12' owner=root group=root mode=0644

   - name: Truststore type
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl\.trustStore\.type=' line='ssl.trustStore.type=pkcs12' owner=root group=root mode=0644

   # The password lands in plaintext in a file that is mode 0644 here,
   # i.e. readable by every local user on the Ambari host.
   - name: Truststore password
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^ssl\.trustStore\.password=' line='ssl.trustStore.password=horton' owner=root group=root mode=0644

   - name: Client API SSL port
     lineinfile: dest=/etc/ambari-server/conf/ambari.properties regexp='^client\.api\.ssl\.port=' line='client.api.ssl.port=8443' owner=root group=root mode=0644

   - name: IPTABLES / 8443 / https web UI
     # Not idempotent: every run inserts another copy of this rule.
     command: iptables -I INPUT -p tcp --dport 8443 -s 0.0.0.0/0 -j ACCEPT

   - name: Copy certificate into the Ambari keys directory
     copy: src=company-bank-01.cloud.hortonworks.com.crt dest=/var/lib/ambari-server/keys/https.crt owner=root group=root mode=0600

   - name: Copy private key into the Ambari keys directory
     copy: src=company-bank-01.cloud.hortonworks.com.key dest=/var/lib/ambari-server/keys/https.key owner=root group=root mode=0600

   - name: Password file for the HTTPS keystore (https.pass.txt)
     copy: src=company-key.pass.txt dest=/var/lib/ambari-server/keys/https.pass.txt owner=root group=root mode=0600

   - name: Password file used as the private key passphrase (pass.txt)
     copy: src=company-key.pass.txt dest=/var/lib/ambari-server/keys/pass.txt owner=root group=root mode=0600

   - name: Remove stale keystore and truststore
     command: rm -f /var/lib/ambari-server/keys/https.keystore.p12

   - command: rm -f /var/lib/ambari-server/keys/keystore.p12

   # -password is the passphrase of the PKCS#12 file being written,
   # -passin the passphrase of the private key being read.
   - name: Build the HTTPS keystore (PKCS#12) from certificate and key
     command: openssl pkcs12 -export -in '/var/lib/ambari-server/keys/https.crt' -inkey '/var/lib/ambari-server/keys/https.key' -certfile '/var/lib/ambari-server/keys/https.crt' -out '/var/lib/ambari-server/keys/https.keystore.p12' -password file:'/var/lib/ambari-server/keys/https.pass.txt' -passin file:'/var/lib/ambari-server/keys/pass.txt'

   - name: Build the truststore containing the server certificate
     command: /usr/jdk64/jdk1.8.0_40/bin/keytool -import -alias 'company-bank-01' -keystore '/var/lib/ambari-server/keys/keystore.p12' -storetype pkcs12 -file '/var/lib/ambari-server/keys/https.crt' -storepass 'horton' -noprompt

   - name: Restrict keystore and truststore to root
     command: chmod 600 /var/lib/ambari-server/keys/https.keystore.p12
   - command: chmod 600 /var/lib/ambari-server/keys/keystore.p12

Regards,
Henning

On 04/04/16 at 18:48, Lukáš Drbal wrote:
> Hi Dmitry,
>
> thanks for the reply, but it's not exactly true.
>
> "ambari-server setup-security" does some "magic" with the provided SSL 
> certs/keys, which in my situation are stored here:
> root@<hostname>:/etc/ambari-server/conf# ls -la 
> /var/lib/ambari-server/keys/
> total 64
> drwx------ 3 root root 4096 Apr  4 16:34 .
> drwxr-xr-x 5 root root 4096 Mar 30 21:31 ..
> -rw------- 1 root root  779 Mar 10 18:24 ca.config
> -rw------- 1 root root 7153 Mar 30 21:32 ca.crt
> -rw------- 1 root root 1651 Mar 30 21:32 ca.csr
> -rw------- 1 root root 3311 Mar 30 21:32 ca.key
> drwx------ 3 root root 4096 Mar 30 21:32 db
> -rw------- 1 root root 2698 Apr  4 16:34 https.crt
> -rw------- 1 root root 1751 Apr  4 16:34 https.key
> -rw------- 1 root root 4917 Apr  4 16:34 https.keystore.p12
> -rw------- 1 root root   50 Apr  4 16:34 https.pass.txt
> -rw------- 1 root root 5693 Mar 30 21:32 keystore.p12
> -rw------- 1 root root   50 Mar 30 21:31 pass.txt
>
> https.crt has the same md5sum as the original certificate, but that's all 
> I know for now. It's maybe time to look into the source code.
>
>
> L.
>
> On Thu, Mar 31, 2016 at 12:29 PM, Dmitry Sen <dsen@hortonworks.com> wrote:
>
>     Hi,
>
>
>     "ambari-server setup-security" just adds some lines to
>     /etc/ambari-server/conf/ambari.properties
>
>     So you can add them in non-interactive mode and restart ambari-server
>
>
>     ------------------------------------------------------------------------
>     *From:* Lukáš Drbal <lukas.drbal@gmail.com>
>     *Sent:* Thursday, March 31, 2016 1:01 AM
>     *To:* user@ambari.apache.org
>     *Subject:* setup-security in silent mode
>     Hi,
>
>     is there any way to set up security for Ambari (https) in
>     non-interactive mode?
>     I need to update my Ansible role for the Ambari server and use https, but
>     everything I find uses the command "ambari-server setup-security" in
>     interactive mode. Is it possible to use some args?
>
>     Thanks.
>
>     -- 
>     Save The World - http://www.worldcommunitygrid.org/
>     http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
>
>     LesTR
>
>
>
>
> -- 
> Save The World - http://www.worldcommunitygrid.org/
> http://www.worldcommunitygrid.org/stat/viewMemberInfo.do?userName=LesTR
>
> LesTR
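As an added example (not code from this thread or from Ambari itself): a small Python script that applies the same ambari.properties settings Dmitry and Henning describe, but matches each property key anchored at the start of the line. With an unanchored pattern like 'api.ssl' (as in a lineinfile regexp), the last match is replaced, and 'client.api.ssl.port=8443' is a match, so a second run silently rewrites that line. The script also audits file modes in the keys directory, since every file listed there is secret material. The sample properties text and the temporary keys directory are constructed for the demo; the truststore password is deliberately left out of the constant table.

```python
"""Non-interactive Ambari HTTPS setup helpers (added example, not Ambari code).

Edits ambari.properties the way the thread says ``ambari-server setup-security``
does (add or replace key=value lines), with key matching anchored at line start
so repeated runs are idempotent, and audits file modes in the keys directory.
"""
import os
import re
import stat
import tempfile

# Property names quoted in the thread. ssl.trustStore.password is left out on
# purpose: feed it in from a secret store instead of a constant.
SSL_PROPERTIES = {
    "api.ssl": "true",
    "security.server.two_way_ssl": "true",
    "client.api.ssl.cert_name": "https.crt",
    "client.api.ssl.key_name": "https.key",
    "security.server.keys_dir": "/var/lib/ambari-server/keys",
    "ssl.trustStore.path": "/var/lib/ambari-server/keys/keystore.p12",
    "ssl.trustStore.type": "pkcs12",
    "client.api.ssl.port": "8443",
}

# Constructed sample of an ambari.properties fragment, not a real file.
SAMPLE_PROPERTIES = (
    "# constructed sample\n"
    "server.jdbc.database=postgres\n"
    "client.api.port=8080\n"
    "client.api.ssl.port=8443\n"
)


def naive_set_property(text, key, value):
    """Mimic ``lineinfile regexp=<key>``: unanchored search, last match wins.

    '.' is a regex wildcard, so 'api.ssl' also hits 'client.api.ssl.port'.
    """
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if re.search(key, line)]
    if hits:
        lines[hits[-1]] = f"{key}={value}"
    else:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def set_property(text, key, value):
    """Replace the line whose key is exactly ``key`` (anchored, escaped), else append."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if pattern.match(line)]
    if hits:
        lines[hits[-1]] = f"{key}={value}"
    else:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def apply_ssl_properties(text, setter=set_property, props=SSL_PROPERTIES):
    """Apply every property in order, like the sequence of Ansible tasks."""
    for key, value in props.items():
        text = setter(text, key, value)
    return text


def parse_properties(text):
    """Parse the key=value subset of Java properties that ambari.properties uses."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def count_key(text, key):
    """Number of lines defining exactly ``key`` (duplicates mean a clobbered run)."""
    return sum(1 for line in text.splitlines() if line.startswith(key + "="))


def check_key_permissions(keys_dir):
    """Return names of files in keys_dir that are readable by group or others."""
    loose = []
    for name in sorted(os.listdir(keys_dir)):
        mode = os.stat(os.path.join(keys_dir, name)).st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append(name)
    return loose


def demo_permission_check():
    """Build a throwaway keys directory (constructed) with one loose file."""
    with tempfile.TemporaryDirectory() as keys_dir:
        for name, mode in (("https.key", 0o600), ("https.pass.txt", 0o600), ("keystore.p12", 0o644)):
            path = os.path.join(keys_dir, name)
            with open(path, "w") as handle:
                handle.write("placeholder\n")
            os.chmod(path, mode)
        return check_key_permissions(keys_dir)


if __name__ == "__main__":
    once = apply_ssl_properties(SAMPLE_PROPERTIES)
    print("anchored run is idempotent:", apply_ssl_properties(once) == once)
    naive = apply_ssl_properties(SAMPLE_PROPERTIES, naive_set_property)
    naive = apply_ssl_properties(naive, naive_set_property)
    print("api.ssl lines after two unanchored runs:", count_key(naive, "api.ssl"))
    print("files readable beyond root:", demo_permission_check())
```

Run it as root on the Ambari host after the properties file has been written and before restarting ambari-server; an empty list from check_key_permissions and a single api.ssl line are what the Ansible run should leave behind.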

