Created on 02-22-2017 04:02 AM - edited 08-17-2019 02:15 PM
In this article we will look at one of the best features of Ambari 2.4: running the ambari "setup-security" command in non-interactive mode to enable HTTPS on the Ambari server.
I assume that you have already created the ambari-server key and certificate using OpenSSL. Here is how to do the HTTPS setup with a single command:
ambari-server setup-security --security-option=setup-https --api-ssl=true --api-ssl-port=8443 --import-cert-path=/etc/ambari-server/certs/sandbox.hortonworks.com.crt --import-key-path=/etc/ambari-server/certs/sandbox.hortonworks.com.key --pem-password=hadoop
The output of the above command looks like the following. Notice that it runs in non-interactive mode.
Using python /usr/bin/python
Security setup options...
Do you want to configure HTTPS [y/n] (y)?
SSL port [8443] ?
Please enter password for Private Key:
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
NOTE: Restart Ambari Server to apply changes ("ambari-server restart|stop+start").
Now, in order to see the configuration changes, we need to restart the Ambari server.
ambari-server restart
Now we can simply access the Ambari server on the HTTPS port 8443 as follows:
https://localhost:8443/#/main/dashboard/metrics
- This feature was added to Ambari as part of the following JIRA:
Ability to automate setup-security and setup-ldap/sync-ldap:
https://issues.apache.org/jira/browse/AMBARI-14627
- We can see similar examples there (the argument names might differ slightly), so use "ambari-server --help" to explore those arguments. The examples below are from AMBARI-14627; I have not tested these options, so you might see some small argument changes in the actual implementation:
1.) LDAP setup:
ambari-server setup-ldap --ldap-url="ldap.apache.org:389" --ldap-secondary-url="" --ldap-ssl="false" --ldap-user-class="person" --ldap-user-attr="sAMAccountName" --ldap-group-class="group" --ldap-group-attr="cn" --ldap-member-attr="member" --ldap-dn="distinguishedName" --ldap-base-dn="dc=ambari01,dc=local" --ldap-referral="" --ldap-bind-anonym=false --ldap-manager-dn="cn=hdfs,ou=ambari,dc=ambari01,dc=local" --ldap-manager-password="myldappassword" --ldap-save-settings --truststore-type="jks" --truststore-path="/var/lib/ambari-server/keys/jkskeystore.jks" --truststore-password="mypass"
2.) LDAP sync:
ambari-server sync-ldap --groups=groups.txt --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
3.) Setup HTTPS:
ambari-server setup-security \
--security-option=setup-https --api-ssl=true --client-api-ssl-port=8443 \
--import-cert-path=/var/lib/ambari-server/keys/my.crt \
--import-key-path=/var/lib/ambari-server/keys/my.key --pem-password=password
4.) Encrypt passwords:
ambari-server setup-security --security-option=encrypt-passwords --master-key=masterkey --master-key-persist=true
5.) Setup Kerberos JAAS:
ambari-server setup-security --security-option=setup-kerberos-jaas --jaas-principal="ambari@EXAMPLE.COM" --jaas-keytab="/etc/security/keytabs/ambari.keytab"
6.) Setup TrustStore:
ambari-server setup-security --security-option=setup-truststore \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 --truststore-type=pkcs12 \
--truststore-password=password --truststore-reconfigure
7.) Import certificate to TrustStore:
ambari-server setup-security \
--security-option=import-certificate \
--truststore-path=/var/lib/ambari-server/keys/keystore.p12 \
--truststore-type=pkcs12 \
--truststore-password=password \
--import-cert-path=/var/lib/ambari-server/my.crt \
--import-cert-alias=myalias \
--truststore-reconfigure
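The non-interactive form puts secrets such as --pem-password on the command line, where they land in shell history, process listings and CI logs. The following added example (not from the original article or the Ambari project) scans a script or history file for the secret-bearing flags shown on this page and prints each offending command with the values masked; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Secret-bearing flags taken from the ambari-server examples on this page.
SECRET_FLAGS='pem-password|truststore-password|ldap-manager-password|ldap-sync-admin-password|master-key'

# redact_ambari_secrets (hypothetical helper): reads text on stdin and prints
# "<first-line-no>: <command>" for every ambari-server command that carries an
# inline secret, with each secret value replaced by ****.
# Backslash-continued commands are joined first, so a password on a
# continuation line is still attributed to its ambari-server command.
redact_ambari_secrets() {
    awk -v flags="$SECRET_FLAGS" '
        BEGIN { re = "--(" flags ")=(\"[^\"]*\"|[^ \t]+)" }
        {
            if (!cont) { start = NR; buf = "" }
            cont = sub(/\\$/, "")      # trailing backslash: command continues
            buf = buf $0
            if (cont) next
            if (buf !~ /ambari-server/) next
            line = buf; out = ""; hits = 0
            while (match(line, re)) {
                tok = substr(line, RSTART, RLENGTH)
                # keep everything up to and including "=", mask the value
                out = out substr(line, 1, RSTART - 1) substr(tok, 1, index(tok, "=")) "****"
                line = substr(line, RSTART + RLENGTH)
                hits++
            }
            if (hits) print start ": " out line
        }'
}

# Constructed sample input (not taken from a real system).
redact_ambari_secrets <<'EOF'
ambari-server restart
ambari-server setup-security --security-option=setup-https --api-ssl=true --pem-password=hadoop
ambari-server setup-security \
--security-option=setup-truststore \
--truststore-password=password --truststore-reconfigure
ambari-server setup-security --security-option=encrypt-passwords --master-key=masterkey --master-key-persist=true
EOF
```

Run it as `redact_ambari_secrets < deploy.sh` (file name is a placeholder) in code review or CI; any output means a secret is stored in clear text next to the command.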