
AMBARI-2560. Security download CSV should also include ownership information. (srimanth)

git-svn-id: https://svn.apache.org/repos/asf/incubator/ambari/trunk@1499574 13f79535-47bb-0310-9956-ffa450edef68
Srimanth 12 năm trước cách đây
mục cha
commit
0363abbb0c

+ 166 - 0
ambari-server/src/main/resources/scripts/keytabs.sh

@@ -0,0 +1,166 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+usage () {
+echo "Usage: keytabs.sh <HOST_PRINCIPAL_KEYTABLE.csv> ";
+echo "  <HOST_PRINCIPAL_KEYTABLE.csv>: CSV file generated by 'Enable Security Wizard' of Ambari";
+exit 1;
+}
+
+###################
+## processCSVFile()
+###################
+processCSVFile () {
+    csvFile=$1;
+    csvFile=$(printf '%q' "$csvFile")
+     
+    echo "#!/bin/bash"
+    echo "###########################################################################"
+    echo "###########################################################################"
+    echo "## "
+    echo "## Ambari Security Script Generator"
+    echo "## "
+    echo "## Ambari security script is generated which should be run on the" 
+    echo "## Kerberos server machine."
+    echo "## "
+    echo "## Running the generated script will create host specific keytabs folders."
+    echo "## Each of those folders will contain service specific keytab files with "
+    echo "## appropriate permissions. There folders should be copied as the appropriate"
+    echo "## host's '/etc/security/keytabs' folder"
+    echo "###########################################################################"
+    echo "###########################################################################"
+    
+    rm -f commands.mkdir;
+    rm -f commands.chmod;
+    rm -f commands.addprinc;
+    rm -f commands.xst
+    rm -f commands.xst.cp
+    rm -f commands.chown.1
+    rm -f commands.chmod.1
+    rm -f commands.chmod.2
+    rm -f commands.tar
+    
+    seenHosts="";
+    seenPrincipals="";
+    
+    echo "mkdir -p ./tmp_keytabs" >> commands.mkdir;
+    cat $csvFile | while read line; do
+        hostName=`echo $line|cut -d , -f 1`;
+        service=`echo $line|cut -d , -f 2`;
+        principal=`echo $line|cut -d , -f 3`;
+        keytabFile=`echo $line|cut -d , -f 4`;
+        owner=`echo $line|cut -d , -f 5`;
+        group=`echo $line|cut -d , -f 6`;
+        acl=`echo $line|cut -d , -f 7`;
+        
+        if [[ $seenHosts != *$hostName* ]]; then
+              echo "mkdir -p ./keytabs_$hostName" >> commands.mkdir;
+              echo "chmod 755 ./keytabs_$hostName" >> commands.chmod;
+              echo "chown -R root:$group `pwd`/keytabs_$hostName" >> commands.chown.1
+              echo "mkdir -p `pwd`/tmp_tar/etc/security/" >> commands.tar
+              echo "mv  `pwd`/keytabs_$hostName `pwd`/tmp_tar/etc/security/keytabs" >> commands.tar
+              echo "tar -C `pwd`/tmp_tar/ -cf `pwd`/keytabs_$hostName.tar etc" >> commands.tar
+              echo "rm -rf `pwd`/tmp_tar" >> commands.tar
+              seenHosts="$seenHosts$hostName";
+        fi
+        
+        if [[ $seenPrincipals != *$principal* ]]; then
+          echo -e "kadmin.local -q \"addprinc -randkey $principal\"" >> commands.addprinc;
+          seenPrincipals="$seenPrincipals$principal"
+        fi
+        
+        tmpKeytabFile=${keytabFile/\/etc\/security\/keytabs/`pwd`/tmp_keytabs}
+        newKeytabFile=${keytabFile/\/etc\/security\/keytabs/`pwd`/keytabs_$hostName}
+        if [ ! -f $tmpKeytabFile ]; then
+          echo "kadmin.local -q \"xst -k $tmpKeytabFile $principal\"" >> commands.xst;          
+        fi
+        echo "cp $tmpKeytabFile $newKeytabFile" >> commands.xst.cp
+        echo "chmod $acl $newKeytabFile" >> commands.chmod.2
+        echo "chown $owner:$group $newKeytabFile" >> commands.chown.1
+    done;
+    
+    echo ""
+    echo ""
+    echo "###########################################################################"
+    echo "# Making host specific keytab folders"
+    echo "###########################################################################"
+    cat commands.mkdir;
+    echo ""
+    echo "###########################################################################"
+    echo "# Changing permissions for host specific keytab folders"
+    echo "###########################################################################"
+    cat commands.chmod;
+    echo ""
+    echo "###########################################################################"
+    echo "# Creating Kerberos Principals"
+    echo "###########################################################################"
+    cat commands.addprinc;
+    echo ""
+    echo "###########################################################################"
+    echo "# Creating Kerberos Principal keytabs in host specific keytab folders"
+    echo "###########################################################################"
+    cat commands.xst;
+    cat commands.xst.cp;
+    echo ""
+    echo "###########################################################################"
+    echo "# Changing ownerships of host specific keytab files"
+    echo "###########################################################################"
+    cat commands.chown.1
+    echo ""
+    echo "###########################################################################"
+    echo "# Changing access permissions of host specific keytab files"
+    echo "###########################################################################"
+    #cat commands.chmod.1
+    cat commands.chmod.2
+    echo ""
+    echo "###########################################################################"
+    echo "# Packaging keytab folders"
+    echo "###########################################################################"
+    cat commands.tar
+    echo ""
+    echo "###########################################################################"
+    echo "# Cleanup"
+    echo "###########################################################################"
+    echo "#rm -rf ./tmp_keytabs"
+    echo ""
+    echo "echo \"****************************************************************************\""
+    echo "echo \"****************************************************************************\""
+    echo "echo \"** Copy and extract 'keytabs_[hostname].tar' files onto respective hosts. **\""
+    echo "echo \"**                                                                        **\""
+    echo "echo \"** Generated keytab files are preserved in the 'tmp_keytabs' folder.      **\"" 
+    echo "echo \"****************************************************************************\""
+    echo "echo \"****************************************************************************\""
+    
+    rm -f commands.mkdir;
+    rm -f commands.chmod;
+    rm -f commands.addprinc;
+    rm -f commands.xst
+    rm -f commands.xst.cp
+    rm -f commands.chown.1
+    rm -f commands.chmod.1
+    rm -f commands.chmod.2
+    rm -f commands.tar
+}
+
+if (($# != 1)); then
+    usage
+fi
+
+processCSVFile $1
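Review bot: The generated script writes the keytab archives (`tar -C ... -cf .../keytabs_$hostName.tar etc`) and the copies kept in `tmp_keytabs` under the caller's default umask, so on a typical KDC host the `.tar` files end up world-readable even though the keytabs inside carry `400`/`440`; emit `umask 077` immediately after the generated shebang, e.g. `echo "umask 077"` following `echo "#!/bin/bash"`. The seen-list checks `[[ $seenHosts != *$hostName* ]]` and `[[ $seenPrincipals != *$principal* ]]` are substring matches on an undelimited concatenation, so a host whose name is a prefix of one already processed (`host1` after `host10`) never gets its `mkdir`/`chown`/`tar` lines while the `cp` into `keytabs_$hostName` is still emitted; use a delimited list, e.g. `seenHosts="$seenHosts,$hostName,"` and test `*",$hostName,"*`. Every CSV field is also spliced unquoted into commands that run as root on the KDC (`chmod $acl $newKeytabFile`, `addprinc -randkey $principal`), so the generator should reject fields containing whitespace or shell metacharacters before writing them out, and the `csvFile=$(printf '%q' "$csvFile")` escaping is undone by the unquoted `cat $csvFile` on the next use (a path with a space splits into two arguments).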

+ 20 - 0
ambari-web/app/controllers/main/admin/security.js

@@ -146,6 +146,26 @@ App.MainAdminSecurityController = Em.Controller.extend({
       name: 'smokeuser',
       value: configs['smokeuser'] ? configs['smokeuser'] : 'ambari-qa'
     });
+    serviceUsers.pushObject({
+      id: 'puppet var',
+      name: 'zk_user',
+      value: configs['zk_user'] ? configs['zk_user'] : 'zookeeper'
+    });
+    serviceUsers.pushObject({
+      id: 'puppet var',
+      name: 'oozie_user',
+      value: configs['oozie_user'] ? configs['oozie_user'] : 'oozie'
+    });
+    serviceUsers.pushObject({
+      id: 'puppet var',
+      name: 'nagios_user',
+      value: configs['nagios_user'] ? configs['nagios_user'] : 'nagios'
+    });
+    serviceUsers.pushObject({
+      id: 'puppet var',
+      name: 'user_group',
+      value: configs['user_group'] ? configs['user_group'] : 'hadoop'
+    });
   },
 
   showSecurityErrorPopup: function () {

+ 59 - 13
ambari-web/app/controllers/main/admin/security/add/step2.js

@@ -330,16 +330,41 @@ App.MainAdminSecurityAddStep2Controller = Em.Controller.extend({
           securityUsers = App.router.get('mainAdminSecurityController').get('serviceUsers');
         }
       }
+      var isHbaseInstalled = App.Service.find().findProperty('serviceName', 'HBASE');
       var generalConfigs = configs.findProperty('serviceName', 'GENERAL').configs;
       var realm = generalConfigs.findProperty('name', 'kerberos_domain').get('value');
-      var smokeUser = securityUsers.findProperty('name', 'smokeuser').value + '@' + realm;
-      var hdfsUser = securityUsers.findProperty('name', 'hdfs_user').value + '@' + realm;
-      var hbaseUser = securityUsers.findProperty('name', 'hbase_user').value + '@' + realm;
+      var smokeUserId = securityUsers.findProperty('name', 'smokeuser').value;
+      var hdfsUserId = securityUsers.findProperty('name', 'hdfs_user').value;
+      var hbaseUserId = securityUsers.findProperty('name', 'hbase_user').value;
+      var mapredUserId = securityUsers.findProperty('name', 'mapred_user').value;
+      var hiveUserId = securityUsers.findProperty('name', 'hive_user').value;
+      var zkUserId = securityUsers.findProperty('name', 'zk_user').value;
+      var oozieUserId = securityUsers.findProperty('name', 'oozie_user').value;
+      var nagiosUserId = securityUsers.findProperty('name', 'nagios_user').value;
+      var hadoopGroupId = securityUsers.findProperty('name', 'user_group').value;
+      
+      var smokeUser = smokeUserId + '@' + realm;
+      var hdfsUser = hdfsUserId + '@' + realm;
+      var hbaseUser = hbaseUserId + '@' + realm;
       var smokeUserKeytabPath = generalConfigs.findProperty('name', 'smokeuser_keytab').get('value');
       var hdfsUserKeytabPath = generalConfigs.findProperty('name', 'keytab_path').get('value') + "/hdfs.headless.keytab";
       var hbaseUserKeytabPath = generalConfigs.findProperty('name', 'keytab_path').get('value') + "/hbase.headless.keytab";
       var httpPrincipal = generalConfigs.findProperty('name', 'hadoop_http_principal_name');
       var httpKeytabPath = generalConfigs.findProperty('name', 'hadoop_http_keytab').get('value');
+      var componentToOwnerMap = {
+          'NAMENODE': hdfsUserId,
+          'SECONDARY_NAMENODE': hdfsUserId,
+          'DATANODE': hdfsUserId,
+          'TASKTRACKER': mapredUserId,
+          'JOBTRACKER': mapredUserId,
+          'ZOOKEEPER_SERVER': zkUserId,
+          'HIVE_SERVER': hiveUserId,
+          'OOZIE_SERVER': oozieUserId,
+          'NAGIOS_SERVER': nagiosUserId,
+          'HBASE_MASTER': hbaseUserId,
+          'HBASE_REGIONSERVER': hbaseUserId
+      };
+      
       var addedPrincipalsHost = {}; //Keys = host_principal, Value = 'true'
       
       hosts.forEach(function(host){
@@ -347,20 +372,31 @@ App.MainAdminSecurityAddStep2Controller = Em.Controller.extend({
           host: host.get('hostName'),
           component: Em.I18n.t('admin.addSecurity.user.smokeUser'),
           principal: smokeUser,
-          keytab: smokeUserKeytabPath
+          keytab: smokeUserKeytabPath,
+          owner: smokeUserId,
+          group: hadoopGroupId,
+          acl: '440'
         });
         result.push({
           host: host.get('hostName'),
           component: Em.I18n.t('admin.addSecurity.user.hdfsUser'),
           principal: hdfsUser,
-          keytab: hdfsUserKeytabPath
-        });
-        result.push({
-          host: host.get('hostName'),
-          component: Em.I18n.t('admin.addSecurity.user.hbaseUser'),
-          principal: hbaseUser,
-          keytab: hbaseUserKeytabPath
+          keytab: hdfsUserKeytabPath,
+          owner: hdfsUserId,
+          group: hadoopGroupId,
+          acl: '440'
         });
+        if (isHbaseInstalled) {
+          result.push({
+            host: host.get('hostName'),
+            component: Em.I18n.t('admin.addSecurity.user.hbaseUser'),
+            principal: hbaseUser,
+            keytab: hbaseUserKeytabPath,
+            owner: hbaseUserId,
+            group: hadoopGroupId,
+            acl: '440'
+          });
+        }
         if(host.get('hostComponents').someProperty('componentName', 'NAMENODE') || 
           host.get('hostComponents').someProperty('componentName', 'SECONDARY_NAMENODE') ||
           host.get('hostComponents').someProperty('componentName', 'WEBHCAT_SERVER') ||
@@ -369,7 +405,10 @@ App.MainAdminSecurityAddStep2Controller = Em.Controller.extend({
             host: host.get('hostName'),
             component: Em.I18n.t('admin.addSecurity.user.httpUser'),
             principal: httpPrincipal.get('value').replace('_HOST', host.get('hostName')) + httpPrincipal.get('unit'),
-            keytab: httpKeytabPath
+            keytab: httpKeytabPath,
+            owner: 'root',
+            group: hadoopGroupId,
+            acl: '440'
           });
         }
         host.get('hostComponents').forEach(function(hostComponent){
@@ -395,11 +434,18 @@ App.MainAdminSecurityAddStep2Controller = Em.Controller.extend({
    
             var key = host.get('hostName') + "--" + principal;
             if (!addedPrincipalsHost[key]) {
+              var owner = componentToOwnerMap[hostComponent.get('componentName')];
+              if(!owner){
+                owner = '';
+              }
               result.push({
                 host: host.get('hostName'),
                 component: hostComponent.get('displayName'),
                 principal: principal,
-                keytab: keytab
+                keytab: keytab,
+                owner: owner,
+                group: hadoopGroupId,
+                acl: '400'
               });
               addedPrincipalsHost[key] = true;
             }