
In this article we will look at one of the best features of Ambari 2.4: running the ambari-server "setup-security" command in non-interactive mode to enable HTTPS on the Ambari server.

I assume that you have already created the ambari-server key and certificate using OpenSSL. So we will see how we can do the HTTPS setup using a single-line command:

ambari-server setup-security --security-option=setup-https --api-ssl=true --api-ssl-port=8443 --import-cert-path=/etc/ambari-server/certs/sandbox.hortonworks.com.crt --import-key-path=/etc/ambari-server/certs/sandbox.hortonworks.com.key --pem-password=hadoop

The output of the above command looks like the following. Notice that it runs in non-interactive mode.

Using python  /usr/bin/python
Security setup options...
Do you want to configure HTTPS [y/n] (y)? 
SSL port [8443] ? 
Please enter password for Private Key: 
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start")


Now, for the configuration changes to take effect, we need to restart the Ambari server.

ambari-server restart

Now we can access the Ambari server on the HTTPS port 8443 as follows:

https://localhost:8443/#/main/dashboard/metrics
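
A pre-flight check for the procedure above, as an added example that is not part of the original article or of Ambari: it uses openssl to confirm that the certificate is readable and unexpired, and that the private key decrypts with the passphrase and belongs to the certificate, before setup-security imports them. The function names and the PEM_PW environment variable are assumptions; the ambari-server options are the ones from the article's command.

```shell
#!/bin/sh
# Added example: function names and the PEM_PW variable are assumptions.

# check_https_material CERT KEY PASS_ENV_VAR
# Returns 0 if the pair is usable, 1 if the certificate is unreadable,
# 2 if it has expired, 3 if the key cannot be decrypted with the
# passphrase, 4 if the key does not belong to the certificate.
check_https_material() {
    cert=$1 key=$2 pass_var=$3

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 2

    # Public half of the private key. "env:" keeps the passphrase out of
    # openssl's argument list; a wrong passphrase makes this step fail.
    key_pub=$(openssl pkey -in "$key" -passin "env:$pass_var" -pubout 2>/dev/null) || return 3

    [ "$cert_pub" = "$key_pub" ] || return 4
    return 0
}

# setup_https_checked CERT KEY PORT
# Runs the article's command only when the check passes. PEM_PW must be
# exported by the caller, so the passphrase is not written into this
# script. It is still visible in the process list while ambari-server
# runs, because --pem-password takes its value on the command line.
setup_https_checked() {
    check_https_material "$1" "$2" PEM_PW || {
        rc=$?
        echo "certificate/key check failed (code $rc)" >&2
        return "$rc"
    }
    ambari-server setup-security --security-option=setup-https \
        --api-ssl=true --api-ssl-port="$3" \
        --import-cert-path="$1" --import-key-path="$2" \
        --pem-password="$PEM_PW"
}
```

With PEM_PW exported, call it as: setup_https_checked /etc/ambari-server/certs/sandbox.hortonworks.com.crt /etc/ambari-server/certs/sandbox.hortonworks.com.key 8443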


- This feature was added to Ambari as part of the following JIRA:

Ability to automate setup-security and setup-ldap/sync-ldap:

https://issues.apache.org/jira/browse/AMBARI-14627

- We can see similar examples there (there might be small changes in the argument names, though), so use "ambari-server --help" to explore those arguments. The examples below are from AMBARI-14627. I have not tested the following options, so you might see some small argument changes in the actual implementation:

1.) LDAP setup:
  ambari-server setup-ldap \
    --ldap-url="ldap.apache.org:389" \
    --ldap-secondary-url="" \
    --ldap-ssl="false" \
    --ldap-user-class="person" \
    --ldap-user-attr="sAMAccountName" \
    --ldap-group-class="group" \
    --ldap-group-attr="cn" \
    --ldap-member-attr="member" \
    --ldap-dn="distinguishedName" \
    --ldap-base-dn="dc=ambari01,dc=local" \
    --ldap-referral="" \
    --ldap-bind-anonym=false \
    --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" \
    --ldap-manager-password="myldappassword" \
    --ldap-save-settings \
    --truststore-type="jks" \
    --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" \
    --truststore-password="mypass"

2.) LDAP sync:
  ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin

3.) Setup HTTPS:
  ambari-server setup-security \
    --security-option=setup-https \
    --api-ssl=true \
    --client-api-ssl-port=8443 \
    --import-cert-path=/var/lib/ambari-server/keys/my.crt \
    --import-key-path=/var/lib/ambari-server/keys/my.key \
    --pem-password=password

4.) Encrypt passwords:
  ambari-server setup-security --security-option=encrypt-passwords --master-key=masterkey --master-key-persist=true

5.) Setup Kerberos JAAS:
  ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM" --jaas-keytab="/etc/security/keytabs/ambari.keytab"

6.) Setup TrustStore:
  ambari-server setup-security \
    --security-option=setup-truststore \
    --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
    --truststore-type=pkcs12 \
    --truststore-password=password \
    --truststore-reconfigure

7.) Import certificate to TrustStore:
  ambari-server setup-security \
    --security-option=import-certificate \
    --truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
    --truststore-type=pkcs12 \
    --truststore-password=password \
    --import-cert-path=/var/lib/ambari-server/my.crt \
    --import-cert-alias=myalias \
    --truststore-reconfigure

Last update: 08-17-2019 02:15 PM