Encrypt Database and LDAP Passwords for Ambari-Server


By default the passwords used to access the Ambari database and the LDAP server are stored on disk in clear-text configuration files. To have those passwords encrypted, you need to run a special setup command.

[root@m1 ~]# cd /etc/ambari-server/conf/
[root@m1 conf]# ls -ltrh
total 52K
-rw-r--r-- 1 root root 2.8K Mar 31  2015 ambari.properties.rpmsave.20161004015858
-rwxrwxrwx 1 root root  286 Sep 15 19:53 krb5JAASLogin.conf
-rw-r--r-- 1 root root 3.9K Oct  4 01:58 ambari.properties.rpmsave.20161005033229
-rw-r--r-- 1 root root 4.7K Oct  5 03:32 ambari.properties.rpmsave.20161005065356
-rw-r--r-- 1 root root  286 Oct  5 06:45 krb5JAASLogin.conf.rpmsave
-rwxrwxrwx 1 root root 4.9K Oct  5 06:45 log4j.properties
-rw-r--r-- 1 root root    9 Jan 31 05:35 users.txt
-rw-r----- 1 root root    7 Feb  8 11:51 password.dat
-rw-rw---- 1 root root   15 Feb  8 11:53 ldap-password.dat
-rwxrwxrwx 1 root root 7.8K Feb  8 11:53 ambari.properties

To protect these passwords (password.dat and ldap-password.dat above) you need to run the Ambari security setup. Ambari Server must not be running while you do this: either make the change before you start Ambari Server for the first time, or stop the server before making it.

Step 1: On the Ambari Server, run the special setup command and answer the prompts:

[root@m1 ~]# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 2        (select option 2)
Please provide master key for locking the credential store: ********        (choose a master key for encrypting the passwords; you are prompted to enter it twice for accuracy)
Re-enter master key: ********
Do you want to persist master key. If you choose not to persist, you need to provide the Master Key while starting the ambari server as an env variable named AMBARI_SECURITY_MASTER_KEY or the start will prompt for the master key. Persist [y/n] (y)? n
Adjusting ambari-server permissions and ownership...
Ambari Server 'setup-security' completed successfully.

Note: you now need to restart the Ambari Server and provide the same master key when it prompts for it during the restart. You can avoid the prompt by setting the master key as an environment variable in ambari-env.sh.

Option 1: Provide the key during restart.

[root@m1 ~]# ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Using python  /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Enter current Master Key: ********
Ambari database consistency check started...
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..................
Ambari Server 'start' completed successfully.

Option 2: Set AMBARI_SECURITY_MASTER_KEY in ambari-env.sh.

[root@m1 ~]# vi /var/lib/ambari-server/ambari-env.sh
[root@m1 ~]# grep -C4 AMBARI_SECURITY_MASTER_KEY /var/lib/ambari-server/ambari-env.sh
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
export AMBARI_SECURITY_MASTER_KEY=hadoop
AMBARI_PASSHPHRASE="DEV"
export AMBARI_JVM_ARGS=$AMBARI_JVM_ARGS' -Xms512m -Xmx2048m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false'
export PATH=$PATH:/var/lib/ambari-server
export PYTHONPATH=$PYTHONPATH:/usr/lib/python2.6/site-packages

Now restart Ambari Server. With this option the master key itself sits in clear text in ambari-env.sh, so restrict that file to the account that runs the server.

[root@m1 ~]# ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Using python  /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..................
Ambari Server 'start' completed successfully.

After the restart, password.dat and ldap-password.dat are gone from the conf directory; the passwords now live in the encrypted credential store. (ambari.properties itself is still world-writable in this listing, which is worth tightening regardless of encryption.)

[root@m1 conf]# ls -ltrh
total 52K
-rw-r--r-- 1 root root 2.8K Mar 31  2015 ambari.properties.rpmsave.20161004015858
-rwxrwxrwx 1 root root  286 Sep 15 19:53 krb5JAASLogin.conf
-rw-r--r-- 1 root root 3.9K Oct  4 01:58 ambari.properties.rpmsave.20161005033229
-rw-r--r-- 1 root root 4.7K Oct  5 03:32 ambari.properties.rpmsave.20161005065356
-rw-r--r-- 1 root root  286 Oct  5 06:45 krb5JAASLogin.conf.rpmsave
-rwxrwxrwx 1 root root 4.9K Oct  5 06:45 log4j.properties
-rw-r--r-- 1 root root    9 Jan 31 05:35 users.txt
-rwxrwxrwx 1 root root 7.8K Feb  8 11:53 ambari.properties
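As an added defender's check (not part of Ambari or of this post), the following POSIX shell function audits the state the procedure above leaves behind: the encryption flag in ambari.properties, the absence of the clear-text password.dat and ldap-password.dat from the first listing, the permissions on credentials.jceks, and whether the master key is persisted under keys/ or exported from ambari-env.sh. The sample trees it builds are constructed here, not taken from the page.

```shell
# Added audit helper; not part of Ambari. Paths are parameters so the check can
# run against a constructed sample tree as well as the real /etc and /var/lib paths.
audit_ambari_secrets() {
    conf="$1"; keys="$2"; env_file="$3"; rc=0
    # 1. setup-security sets this flag in ambari.properties
    if grep -q '^security.passwords.encryption.enabled=true' "$conf/ambari.properties" 2>/dev/null; then
        echo "ok: password encryption enabled"
    else
        echo "WARN: security.passwords.encryption.enabled is not true"; rc=1
    fi
    # 2. the clear-text files seen in the first listing must be gone
    for f in password.dat ldap-password.dat; do
        if [ -e "$conf/$f" ]; then echo "WARN: clear-text $f still in $conf"; rc=1; fi
    done
    # 3. the credential store must exist and be readable by its owner only
    store="$keys/credentials.jceks"
    if [ ! -e "$store" ]; then
        echo "WARN: $store missing"; rc=1
    elif [ -n "$(find "$store" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "WARN: $store is readable by group or others"; rc=1
    else
        echo "ok: $store is owner-readable only"
    fi
    # 4. where the master key lives: persisted file, ambari-env.sh, or a prompt at start
    if [ -e "$keys/master" ]; then
        echo "INFO: master key persisted in $keys/master; anyone who can read it can unlock the store"
    elif grep -q '^export AMBARI_SECURITY_MASTER_KEY=' "$env_file" 2>/dev/null; then
        echo "INFO: master key set in $env_file; protect that file like the key itself"
    else
        echo "INFO: master key neither persisted nor exported; the server prompts on start"
    fi
    return $rc
}
# Constructed sample trees: 'before' mirrors the first ls listing on this page,
# 'after' the listing taken after setup-security and the restart.
make_sample() {   # $1 = root dir, $2 = before|after
    mkdir -p "$1/conf" "$1/keys"
    if [ "$2" = before ]; then
        echo "security.passwords.encryption.enabled=false" > "$1/conf/ambari.properties"
        echo "sample" > "$1/conf/password.dat"; echo "sample" > "$1/conf/ldap-password.dat"
    else
        echo "security.passwords.encryption.enabled=true" > "$1/conf/ambari.properties"
        echo "placeholder-jceks" > "$1/keys/credentials.jceks"; chmod 600 "$1/keys/credentials.jceks"
    fi
}
SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/before" before; make_sample "$SAMPLE/after" after
audit_ambari_secrets "$SAMPLE/before/conf" "$SAMPLE/before/keys" "$SAMPLE/before/ambari-env.sh" || :
audit_ambari_secrets "$SAMPLE/after/conf" "$SAMPLE/after/keys" "$SAMPLE/after/ambari-env.sh"
```

On a real host call it as audit_ambari_secrets /etc/ambari-server/conf /var/lib/ambari-server/keys /var/lib/ambari-server/ambari-env.sh; a non-zero exit means at least one WARN was printed.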

Remove Encryption Entirely

To reset Ambari database and LDAP passwords to a completely unencrypted state:

  1. On the Ambari host, open /etc/ambari-server/conf/ambari.properties with a text editor and set this property: security.passwords.encryption.enabled=false
  2. Delete /var/lib/ambari-server/keys/credentials.jceks
  3. Delete /var/lib/ambari-server/keys/master
  4. You must now reset the database password and, if necessary, the LDAP password. Run ambari-server setup and ambari-server setup-ldap again.

[root@m1 ~]# vi /etc/ambari-server/conf/ambari.properties
[root@m1 ~]# ls -ltrh /var/lib/ambari-server/keys/credentials.jceks
-rw-r----- 1 root root 992 Feb  8 11:35 /var/lib/ambari-server/keys/credentials.jceks
[root@m1 ~]# rm /var/lib/ambari-server/keys/credentials.jceks
rm: remove regular file `/var/lib/ambari-server/keys/credentials.jceks'? y

[root@m1 ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
SELinux status is 'disabled'
Customize user account for ambari-server daemon [y/n] (n)? n
Adjusting ambari-server permissions and ownership...
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)? n
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)? y
Configuring database...
==============================================================================
Choose one of the following options:
[1] - PostgreSQL (Embedded)
[2] - Oracle
[3] - MySQL / MariaDB
[4] - PostgreSQL
[5] - Microsoft SQL Server (Tech Preview)
[6] - SQL Anywhere
[7] - BDB
==============================================================================
Enter choice (1): 1
Database name (ambari):
Postgres schema (ambari):
Username (ambari):
Enter Database Password (ambari.db.password):
Re-enter password:
Default properties detected. Using built-in database.
Configuring ambari database...
Checking PostgreSQL...
Configuring local database...
Connecting to local database...done.
Configuring PostgreSQL...
Backup for pg_hba found, reconfiguration not required
Extracting system views...
............
Adjusting ambari-server permissions and ownership...
Ambari Server 'setup' completed successfully.

[root@m1 ~]# ambari-server setup-ldap
Using python  /usr/bin/python
Setting up LDAP properties...
Primary URL* {host:port} (ad.lowes.com:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (user):
User name attribute* (sAMAccountName):
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (memberOf):
Distinguished name attribute* (dn):
Base DN* (dc=lowes,dc=com):
Referral method [follow/ignore] (ignore):
Bind anonymously* [true/false] (false):
Manager DN* (cn=ambariaddev,cn=users,dc=lowes,dc=com):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: cn=ambariaddev,cn=users,dc=lowes,dc=com
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

[root@m1 ~]# ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Using python  /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python  /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start..................
Ambari Server 'start' completed successfully.

Change the Current Master Key

To change the master key:

  • If you know the current master key or if the current master key has been persisted:
    1. Re-run the encryption setup command and follow the prompts: ambari-server setup-security
      1. Select Option 2: Choose one of the following options:
        • [1] Enable HTTPS for Ambari server.
        • [2] Encrypt passwords stored in ambari.properties file.
        • [3] Setup Ambari kerberos JAAS configuration.
      2. Enter the current master key when prompted if necessary (if it is not persisted or set as an environment variable).
      3. At the Do you want to reset Master Key prompt, enter yes.
      4. At the prompt, enter the new master key and confirm.
  • If you do not know the current master key:
    • Remove encryption entirely, as described in the Remove Encryption Entirely section above.
    • Re-run ambari-server setup-security as described in Step 1 above.
    • Start or restart the Ambari Server: ambari-server restart


Please feel free to leave your suggestions or feedback.
