Ambari SSO setup automation

Expert Contributor

I would like to set up Ambari SSO in an automated way, but it seems that 'ambari-server setup-sso' does not support it. If I switch on silent mode, I get a "not supported" error message; without silent mode it is quite hard to automate, since it asks quite a few questions.

# Silent mode
$> ambari-server setup-sso --silent
Using python  /usr/bin/python
Setting up SSO authentication properties...
WARNING: setup-sso is not enabled in silent mode.
Ambari Server 'setup-sso' completed with warnings.


# Interactive mode
$> ambari-server setup-sso
Using python  /usr/bin/python
Setting up SSO authentication properties...
Do you want to configure SSO authentication [y/n] (y)?
Provider URL [URL] (http://example.com):https://somehost:8443/gw-os06/knoxsso/api/v1/websso
Public Certificate pem (empty) (empty line to finish input):
MIICnTCCAYWgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdzaWdu
aW5nMB4XDTE3MTIwNTE3NDUwMloXDTI3MTIwNTE3NDUwMlowEjEQMA4GA1UEAxMH
...
60v5bHlGkAKgdziCm1DZbxmTjcjLdxZAU7NrOlhSicZl17Yym1nmT8Cq2PkSDRaZ
rA==

Do you want to configure advanced properties [y/n] (n) ?
Ambari Server 'setup-sso' completed successfully.

Is there a simple/elegant way to automate it?

Thanks,

Attila

6 REPLIES 6


It appears the ambari-server script does not support setting options via the command line when setting up SSO.

I do not think that there is a workaround for this and the interactive mode must be used to set the SSO options.

Contributor

@Attila Kanto, I think you can do something like this in a script:

#!/usr/bin/expect
spawn ambari-server setup-sso
expect "Some question:"
send "answer\r"

...

expect eof

Cloudera Employee

This answer is close to @Olivér Szabó's.

Even if it is not possible to pass arguments to the script, the following notation could be used:

ambari-server setup-sso <<EOF

....each answer on new line....

EOF

Sample:

read a <<EOF
test out
EOF

echo "$a"

Explorer
$ grep authentication.jwt /etc/ambari-server/conf/ambari.properties
authentication.jwt.enabled=true
authentication.jwt.providerUrl=https://somehost:8443/gw-os06/knoxsso/api/v1/websso
authentication.jwt.publicKey=/etc/ambari-server/conf/jwt-cert.pem
$ cat /etc/ambari-server/conf/jwt-cert.pem
-----BEGIN CERTIFICATE-----
MIICnTCCAYWgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdzaWdu
aW5nMB4XDTE3MTIwNTE3NDUwMloXDTI3MTIwNTE3NDUwMlowEjEQMA4GA1UEAxMH
...
60v5bHlGkAKgdziCm1DZbxmTjcjLdxZAU7NrOlhSicZl17Yym1nmT8Cq2PkSDRaZ
rA==
-----END CERTIFICATE-----

Adding the above to ambari.properties and creating the certificate file jwt-cert.pem has the same effect as running ambari-server setup-sso interactively.

For a complete list of properties, including "advanced" ones, see https://github.com/apache/ambari/blob/release-2.6.0/ambari-server/src/main/python/ambari_server/setu...
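
The file-based setup from the answer above, as an added shell example that is not part of the original post or of Ambari: it sets the three authentication.jwt.* properties idempotently and writes the certificate with well-formed PEM delimiters, whether the input is a bare base64 body or a PEM file. The function names and the https-only check are assumptions of this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Property keys come from the post.

# set_prop FILE KEY VALUE: rewrite the KEY= line in place, or append it if absent.
set_prop() {
    _tmp=$(mktemp) || return 1
    K="$2" V="$3" awk '
        index($0, ENVIRON["K"] "=") == 1 {
            if (!seen++) print ENVIRON["K"] "=" ENVIRON["V"]
            next
        }
        { print }
        END { if (!seen) print ENVIRON["K"] "=" ENVIRON["V"] }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"   # cat keeps the file's owner and mode
    _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# write_pem SRC DEST: SRC is a bare base64 body or a PEM file; DEST gets clean PEM.
write_pem() {
    # Drop delimiter lines (even malformed ones), whitespace, CRs and empty lines.
    _body=$(sed -e '/^-/d' -e 's/[[:space:]]//g' -e '/^$/d' "$1") || return 1
    [ -n "$_body" ] || { echo "no certificate data in $1" >&2; return 1; }
    # Anything outside the base64 alphabet means this is not a certificate body.
    if printf '%s\n' "$_body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "non-base64 data in $1" >&2
        return 1
    fi
    ( umask 022   # the certificate is public, but only its owner should write it
      printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$_body" \
          '-----END CERTIFICATE-----' > "$2" )
}

# configure_sso PROPS_FILE CERT_SRC CERT_DEST PROVIDER_URL
configure_sso() {
    case $4 in
        https://*) ;;
        *) echo "provider URL must use https" >&2; return 1 ;;  # this example's policy
    esac
    write_pem "$2" "$3" || return 1
    set_prop "$1" authentication.jwt.enabled true &&
        set_prop "$1" authentication.jwt.providerUrl "$4" &&
        set_prop "$1" authentication.jwt.publicKey "$3"
}

# Runs only when given the four arguments of configure_sso.
if [ $# -eq 4 ]; then configure_sso "$@"; fi
```

Whether Ambari picks the change up without a restart is not stated in the thread; restarting ambari-server after the edit is the safe assumption.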

Cloudera Employee

I would not recommend using this hack, as the way in which the feature may be configured is subject to change.

Expert Contributor

Thanks for the answers. I voted up all of them, since all of them are very useful, but I have accepted the answer of @Doroszlai, Attila, since that is quite simple to automate from Ansible and SaltStack, as both of them provide built-in solutions for file manipulation.