Encrypt Database and LDAP Passwords for Ambari-Server
Category : Ambari
By default the passwords used to reach the Ambari database and the LDAP server are stored in clear text on disk: in password.dat and ldap-password.dat under /etc/ambari-server/conf, referenced from ambari.properties. To have those passwords encrypted you need to run a special setup command.
[root@m1 ~]# cd /etc/ambari-server/conf/
[root@m1 conf]# ls -ltrh
total 52K
-rw-r--r-- 1 root root 2.8K Mar 31 2015 ambari.properties.rpmsave.20161004015858
-rwxrwxrwx 1 root root 286 Sep 15 19:53 krb5JAASLogin.conf
-rw-r--r-- 1 root root 3.9K Oct 4 01:58 ambari.properties.rpmsave.20161005033229
-rw-r--r-- 1 root root 4.7K Oct 5 03:32 ambari.properties.rpmsave.20161005065356
-rw-r--r-- 1 root root 286 Oct 5 06:45 krb5JAASLogin.conf.rpmsave
-rwxrwxrwx 1 root root 4.9K Oct 5 06:45 log4j.properties
-rw-r--r-- 1 root root 9 Jan 31 05:35 users.txt
-rw-r----- 1 root root 7 Feb 8 11:51 password.dat
-rw-rw---- 1 root root 15 Feb 8 11:53 ldap-password.dat
-rwxrwxrwx 1 root root 7.8K Feb 8 11:53 ambari.properties
To protect these secrets you run the Ambari security setup, which moves the passwords into a credential store locked by a master key. Ambari Server should not be running when you do this: either make the change before you start Ambari Server for the first time, or stop the server first. Note also that ambari.properties is mode 777 in the listing above; a file that tells the server where its database and LDAP credentials are should be owned by the account that runs Ambari Server and must not be group- or world-writable (chmod 640 or 600), whether or not password encryption is enabled.
Step 1: On the Ambari Server, run the special setup command and answer the prompts:
[root@m1 ~]# ambari-server setup-security
Using python /usr/bin/python
Security setup options…
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 2 (select option 2, Encrypt passwords stored in ambari.properties file)
Please provide master key for locking the credential store: ******** (Provide a master key for encrypting the passwords. You are prompted to enter the key twice for accuracy.)
Re-enter master key:********
Do you want to persist master key. If you choose not to persist, you need to provide the Master Key while starting the ambari server as an env variable named AMBARI_SECURITY_MASTER_KEY or the start will prompt for the master key. Persist [y/n] (y)? n
Adjusting ambari-server permissions and ownership…
Ambari Server 'setup-security' completed successfully.
Note: Ambari Server must now be restarted, and because the master key was not persisted it will prompt for the same master key during startup. You can avoid the prompt by exporting the key in the AMBARI_SECURITY_MASTER_KEY environment variable, for example from ambari-env.sh.
Option 1: Provide key during restart.
[root@m1 ~]# ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Using python /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources…
Enter current Master Key: ********
Ambari database consistency check started…
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start………………..
Ambari Server 'start' completed successfully.
Option 2: set AMBARI_SECURITY_MASTER_KEY in ambari-env.sh. This writes the master key to disk in clear text, which is no stronger than answering y to the persist question, so treat the file as key material: it must be readable only by the account that starts Ambari Server (chmod 600), and it must not be copied into backups or configuration repositories that are less protected than the server itself.
[root@m1 ~]# vi /var/lib/ambari-server/ambari-env.sh
[root@m1 ~]# grep -C4 AMBARI_SECURITY_MASTER_KEY /var/lib/ambari-server/ambari-env.sh
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
export AMBARI_SECURITY_MASTER_KEY=hadoop
AMBARI_PASSHPHRASE="DEV"
export AMBARI_JVM_ARGS=$AMBARI_JVM_ARGS' -Xms512m -Xmx2048m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false'
export PATH=$PATH:/var/lib/ambari-server
export PYTHONPATH=$PYTHONPATH:/usr/lib/python2.6/site-packages
Now restart Ambari Server; with the key in the environment, the "Enter current Master Key" prompt no longer appears:
[root@m1 ~]# ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Using python /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources…
Ambari database consistency check started…
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start………………..
Ambari Server 'start' completed successfully.
After the restart the clear-text password.dat and ldap-password.dat are gone from the conf directory; the passwords now live in the credential store /var/lib/ambari-server/keys/credentials.jceks:
[root@m1 conf]# ls -ltrh
total 52K
-rw-r--r-- 1 root root 2.8K Mar 31 2015 ambari.properties.rpmsave.20161004015858
-rwxrwxrwx 1 root root 286 Sep 15 19:53 krb5JAASLogin.conf
-rw-r--r-- 1 root root 3.9K Oct 4 01:58 ambari.properties.rpmsave.20161005033229
-rw-r--r-- 1 root root 4.7K Oct 5 03:32 ambari.properties.rpmsave.20161005065356
-rw-r--r-- 1 root root 286 Oct 5 06:45 krb5JAASLogin.conf.rpmsave
-rwxrwxrwx 1 root root 4.9K Oct 5 06:45 log4j.properties
-rw-r--r-- 1 root root 9 Jan 31 05:35 users.txt
-rwxrwxrwx 1 root root 7.8K Feb 8 11:53 ambari.properties
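The listing shows what to look for after the setup, but not whether the host is actually in a safe state. The following audit function is an added example, not code from the original page or from Ambari: it checks that encryption is enabled in ambari.properties, that the clear-text .dat files are gone, that the credential store exists and is not world readable, that ambari.properties is not group/world writable or world readable, and that an ambari-env.sh which exports the master key is owner-only. The directory layout is the one used on this page; the fixture built at the bottom is constructed so that the script runs offline and mirrors the listing above (encryption on, .dat files removed, ambari.properties still 777, master key in a 644 env file).

```shell
#!/bin/sh
# Added example (not from the original page or from Ambari): audit an Ambari
# Server host for secrets left on disk after "ambari-server setup-security" option 2.
# Assumed layout is the page's: CONF_DIR=/etc/ambari-server/conf,
# KEYS_DIR=/var/lib/ambari-server/keys, ENV_FILE=/var/lib/ambari-server/ambari-env.sh.
set -u

# perm_str FILE -> the nine rwx characters of the mode, e.g. "rw-r-----"
perm_str() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

n=0
fail() { echo "FAIL: $1"; n=$((n + 1)); }

# audit_ambari_secrets CONF_DIR KEYS_DIR ENV_FILE
# Prints one FAIL line per finding and returns the number of findings (0 = clean).
audit_ambari_secrets() {
  conf=$1; keys=$2; envf=$3; n=0

  # 1. Encryption must be switched on in ambari.properties.
  grep -qx 'security.passwords.encryption.enabled=true' "$conf/ambari.properties" 2>/dev/null \
    || fail "security.passwords.encryption.enabled is not true in $conf/ambari.properties"

  # 2. The clear-text DB and LDAP password files must be gone.
  for f in password.dat ldap-password.dat; do
    [ -e "$conf/$f" ] && fail "clear-text secret still present: $conf/$f"
  done

  # 3. The credential store must exist and must not be world readable.
  if [ -f "$keys/credentials.jceks" ]; then
    case $(perm_str "$keys/credentials.jceks") in
      ??????r??) fail "credentials.jceks is world readable" ;;
    esac
  else
    fail "missing $keys/credentials.jceks"
  fi

  # 4. ambari.properties names the DB and LDAP endpoints and users: it must be
  #    neither group/world writable (the page's listing shows 777) nor world readable.
  case $(perm_str "$conf/ambari.properties") in
    ????w????|???????w?) fail "ambari.properties is group/world writable" ;;
  esac
  case $(perm_str "$conf/ambari.properties") in
    ??????r??) fail "ambari.properties is world readable" ;;
  esac

  # 5. If ambari-env.sh exports the master key it is as sensitive as the persisted
  #    key file and must be owner-only (mode 600).
  if grep -q '^export AMBARI_SECURITY_MASTER_KEY=' "$envf" 2>/dev/null; then
    case $(perm_str "$envf") in
      ???------) ;;
      *) fail "$envf exports AMBARI_SECURITY_MASTER_KEY but is not mode 600" ;;
    esac
  fi
  return "$n"
}

# Constructed fixture (hypothetical paths under a temp dir) mirroring the page's
# post-setup state: encryption on and .dat files removed, but ambari.properties
# still 777 and the master key sitting in a 644 ambari-env.sh.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/keys"
printf 'server.jdbc.user.name=ambari\nsecurity.passwords.encryption.enabled=true\n' \
  > "$demo/conf/ambari.properties"
chmod 777 "$demo/conf/ambari.properties"
: > "$demo/keys/credentials.jceks"; chmod 640 "$demo/keys/credentials.jceks"
echo 'export AMBARI_SECURITY_MASTER_KEY=hadoop' > "$demo/ambari-env.sh"
chmod 644 "$demo/ambari-env.sh"
rc=0
audit_ambari_secrets "$demo/conf" "$demo/keys" "$demo/ambari-env.sh" || rc=$?
echo "findings: $rc"   # 3: properties writable, properties world readable, env file not 600
rm -rf "$demo"
```

Run it as root on the Ambari host with the real paths (audit_ambari_secrets /etc/ambari-server/conf /var/lib/ambari-server/keys /var/lib/ambari-server/ambari-env.sh) after every setup-security run; a non-zero return means at least one of the five conditions failed and the FAIL lines say which.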
Remove Encryption Entirely
To reset the Ambari database and LDAP passwords to a completely unencrypted state (with Ambari Server stopped, as above):
- On the Ambari host, open /etc/ambari-server/conf/ambari.properties with a text editor and set this property: security.passwords.encryption.enabled=false
- Delete /var/lib/ambari-server/keys/credentials.jceks
- Delete /var/lib/ambari-server/keys/master
- You must now reset the database password and, if necessary, the LDAP password. Run ambari-server setup and ambari-server setup-ldap again.
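The steps above as a shell function, added here as an example (not the page's or Ambari's own code): it backs up ambari.properties with its mode preserved, rewrites the property so that a second run does not leave a duplicate line, removes both key files only if they exist, and refuses to run while the PID file Ambari prints at start points at a live process (that check assumes root, as in the transcripts). The fixture directory at the bottom is constructed so the script runs offline; on a real host pass the page's paths.

```shell
#!/bin/sh
# Added example (not from the original page or from Ambari): script the
# "Remove Encryption Entirely" steps so they can be re-run safely. Afterwards you
# must still run "ambari-server setup" and "ambari-server setup-ldap" to re-enter
# the passwords, exactly as the page describes.
set -u

# disable_ambari_password_encryption CONF_DIR KEYS_DIR
#   1. backs up CONF_DIR/ambari.properties (owner and mode preserved)
#   2. sets security.passwords.encryption.enabled=false exactly once
#   3. removes KEYS_DIR/credentials.jceks and KEYS_DIR/master if present
# Returns 1 (and changes nothing) if ambari.properties is missing or the server runs.
disable_ambari_password_encryption() {
  conf=$1; keys=$2; props=$conf/ambari.properties
  [ -f "$props" ] || { echo "no $props" >&2; return 1; }

  # Ambari Server must be down; the PID file path is the one printed at start.
  # kill -0 needs to run as root (as on this page) to see another user's process.
  pid=/var/run/ambari-server/ambari-server.pid
  if [ -r "$pid" ] && kill -0 "$(cat "$pid")" 2>/dev/null; then
    echo "ambari-server appears to be running; stop it first" >&2; return 1
  fi

  cp -p "$props" "$props.bak.$(date +%Y%m%d%H%M%S)"
  tmp=$(mktemp)
  # Drop any existing value of the property, then append the single wanted line.
  grep -v '^security\.passwords\.encryption\.enabled=' "$props" > "$tmp" || true
  echo 'security.passwords.encryption.enabled=false' >> "$tmp"
  cat "$tmp" > "$props"   # cat, not mv: keeps the file's owner, group and mode
  rm -f "$tmp"

  for f in credentials.jceks master; do
    [ -e "$keys/$f" ] && { rm -f "$keys/$f"; echo "removed $keys/$f"; }
  done
  echo "encryption disabled; now re-run: ambari-server setup && ambari-server setup-ldap"
  return 0
}

# Constructed fixture under a temp dir (hypothetical paths) standing in for
# /etc/ambari-server/conf and /var/lib/ambari-server/keys.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/keys"
printf 'server.jdbc.user.name=ambari\nsecurity.passwords.encryption.enabled=true\n' \
  > "$demo/conf/ambari.properties"
: > "$demo/keys/credentials.jceks"   # stands in for the real JCEKS store
: > "$demo/keys/master"              # stands in for a persisted master key
disable_ambari_password_encryption "$demo/conf" "$demo/keys" && cat "$demo/conf/ambari.properties"
rm -rf "$demo"
```

The backup is kept next to the original with a timestamp suffix because the old file still points at the (now unreadable) credential store entries; keep it only until setup and setup-ldap have been re-run and the server starts cleanly, then delete it.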
In this example the master key was not persisted (we answered n above), so there is no /var/lib/ambari-server/keys/master file to delete; only the credential store is removed.
[root@m1 ~]# vi /etc/ambari-server/conf/ambari.properties
[root@m1 ~]# ls -ltrh /var/lib/ambari-server/keys/credentials.jceks
-rw-r----- 1 root root 992 Feb 8 11:35 /var/lib/ambari-server/keys/credentials.jceks
[root@m1 ~]# rm /var/lib/ambari-server/keys/credentials.jceks
rm: remove regular file `/var/lib/ambari-server/keys/credentials.jceks'? y
[root@m1 ~]# ambari-server setup
Using python /usr/bin/python
Setup ambari-server
Checking SELinux…
SELinux status is 'disabled'
Customize user account for ambari-server daemon [y/n] (n)? n
Adjusting ambari-server permissions and ownership…
Checking firewall status…
Checking JDK…
Do you want to change Oracle JDK [y/n] (n)? n
Completing setup…
Configuring database…
Enter advanced database configuration [y/n] (n)? y
Configuring database…
==============================================================================
Choose one of the following options:
[1] – PostgreSQL (Embedded)
[2] – Oracle
[3] – MySQL / MariaDB
[4] – PostgreSQL
[5] – Microsoft SQL Server (Tech Preview)
[6] – SQL Anywhere
[7] – BDB
==============================================================================
Enter choice (1): 1
Database name (ambari):
Postgres schema (ambari):
Username (ambari):
Enter Database Password (ambari.db.password):
Re-enter password:
Default properties detected. Using built-in database.
Configuring ambari database…
Checking PostgreSQL…
Configuring local database…
Connecting to local database…done.
Configuring PostgreSQL…
Backup for pg_hba found, reconfiguration not required
Extracting system views…
…………
Adjusting ambari-server permissions and ownership…
Ambari Server 'setup' completed successfully.
[root@m1 ~]# ambari-server setup-ldap
Using python /usr/bin/python
Setting up LDAP properties…
Primary URL* {host:port} (ad.lowes.com:389):
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (user):
User name attribute* (sAMAccountName):
Group object class* (group):
Group name attribute* (cn):
Group member attribute* (memberOf):
Distinguished name attribute* (dn):
Base DN* (dc=lowes,dc=com):
Referral method [follow/ignore] (ignore):
Bind anonymously* [true/false] (false):
Manager DN* (cn=ambariaddev,cn=users,dc=lowes,dc=com):
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: cn=ambariaddev,cn=users,dc=lowes,dc=com
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving…done
Ambari Server 'setup-ldap' completed successfully.
[root@m1 ~]# ambari-server restart
Using python /usr/bin/python
Restarting ambari-server
Using python /usr/bin/python
Stopping ambari-server
Ambari Server stopped
Using python /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources…
Ambari database consistency check started…
No errors were found.
Ambari database consistency check finished
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /var/log/ambari-server/ambari-server.out
Server log at: /var/log/ambari-server/ambari-server.log
Waiting for server start………………..
Ambari Server 'start' completed successfully.
Change the Current Master Key
To change the master key:
- If you know the current master key, or the current master key has been persisted:
  - Re-run the encryption setup command and follow the prompts: ambari-server setup-security
  - Select option 2, Encrypt passwords stored in ambari.properties file, from the menu ([1] Enable HTTPS for Ambari server, [2] Encrypt passwords stored in ambari.properties file, [3] Setup Ambari kerberos JAAS configuration, ...).
  - Enter the current master key when prompted (the prompt appears if the key is not persisted and not set as an environment variable).
  - At the "Do you want to reset Master Key" prompt, enter yes.
  - At the next prompt, enter the new master key and confirm it.
- If you do not know the current master key:
  - Remove encryption entirely, as described in the previous section.
  - Re-run ambari-server setup-security, select option 2 and follow the prompts to encrypt the passwords under a new master key.
Please feel free to give your suggestion or feedback.