Merge pull request #178 from tristan/customer-changes

Misc security fixes

Author: tristan

docs/how-to/clear-ca-server-state.md

@@ -0,0 +1,59 @@
+# How to: Clear CA Server state
+
+The CA Server (using `openssl ca`) can be used to sign the host certificates used to deploy the cluster.
+
+There may be cases where you wish to replace the host keys and certificates.
+
+# Replace the CA
+
+On each host in the cluster, move or delete the following directory:
+
+```
+/opt/cloudera/security/pki
+```
+
+On the `ca_server` host, move or delete the following directory:
+
+```
+/ca
+```
+
+Re-run the playbook.
+
+At a minimum, re-run the following in the order they appear:
+
+- `create_infrastructure.yml`
+- `prepare_tls.yml`
+
+# Keep the CA but replace host certificates
+
+On each host in the cluster where you wish to replace the host keys and certificates, move or delete the following directory:
+
+```
+/opt/cloudera/security/pki
+```
+
+On the `ca_server` host, execute the following for each host you wish to replace:
+
+```
+openssl ca -config /ca/intermediate/openssl.cnf -revoke /ca/intermediate/cert/<host-certificate>.pem -passin pass:<ca-password>
+```
+
+__Note:__ The default CA password is `password` and can be configured by setting:
+
+- `ca_server_root_key_password`
+- `ca_server_intermediate_key_password`
+
+Now move or delete the corresponding host certificates from:
+
+```
+/ca/intermediate/cert
+```
+
+Re-run the playbook.
+
+At a minimum, re-run `prepare_tls.yml`.
+
+__Note:__ You can skip the revoke step by setting `unique_subject` in `/ca/intermediate/index.txt.attr` to `no`.
+
+__Note:__ The CA Server is meant for testing only. Please use an enterprise CA Server in production.

docs/how-to/externally-signed.md

@@ -0,0 +1,100 @@
+# How to: Setup externally signed TLS certificates
+
+The playbook is able to provision an internal CA and automatically sign the host certificates.
+
+However, it is more likely that an external CA will be used in production environments.
+
+This guide will run through specifics for deploying clusters using an external CA to sign the host certificates.
+
+At a high-level, the playbook generates and distributes the TLS keys and certificates in three steps:
+
+- Phase 1 (generation)
+  * Create the host keys
+  * Generate the keystores
+  * Generate the CSRs
+  * Copy the CSRs to the Ansible controller
+- Phase 2 (signing)
+  * Sign the certificates
+- Phase 3 (installation)
+  * Copy the signed certificates to the hosts
+  * Copy the CA certificates to the hosts
+
+When `ca_server` is used, this all occurs automatically.
+
+However, when an external CA is used, a few manual steps are required to complete the deployment:
+
+Starting with the definition, assuming nothing has been deployed:
+
+## Ensure that `ca_server` is **not** present in the inventory
+
+The `ca_server` is the playbook's internal CA.
+
+As we wish to use an external CA, it should be omitted from the inventory file.
+
+## Set `tls_ca_certs` to point to the external CA certificates
+
+Here, we need to set `tls_ca_certs` in `extra_vars.yml` to point to the external CA certificates (on the Ansible controller):
+
+```
+tls_ca_certs:
+  - alias: ipaca
+    path: /root/ca.crt
+```
+
+In this example, our CA certificate exists on the Ansible controller at `/root/ca.crt`.
+
+**Note:** If you have an intermediate CA and a root CA, please include both certificates here.
+
+## Run the playbook deployment as usual
+
+If everything is configured correctly, it should run as usual until we reach `prepare_tls.yml`.
+
+Here, in `prepare_tls.yml`, it will fail with a message:
+
+> Signed cert for <hostname> could not be found. If manual signing is required, do this now and re-run the playbook with 'tls_signed_certs_dir' variable set.
+
+E.g.
+
+```
+TASK [security/tls_install_certs : fail] **************************************************************************************************************
+fatal: [host-1.example.com] FAILED! => {"changed": false, "msg": "\"Signed cert for host-1.example.com could not be found. If manual signing is required, do this now and re-run the playbook with 'tls_signed_certs_dir' variable set.\n"}
+fatal: [host-2.example.com] FAILED! => {"changed": false, "msg": "\"Signed cert for host-1.example.com could not be found. If manual signing is required, do this now and re-run the playbook with 'tls_signed_certs_dir' variable set.\n"}
+fatal: [host-3.example.com] FAILED! => {"changed": false, "msg": "\"Signed cert for host-1.example.com could not be found. If manual signing is required, do this now and re-run the playbook with 'tls_signed_certs_dir' variable set.\n"}
+fatal: [host-4.example.com] FAILED! => {"changed": false, "msg": "\"Signed cert for host-1.example.com could not be found. If manual signing is required, do this now and re-run the playbook with 'tls_signed_certs_dir' variable set.\n"}
+```
+
+This is expected.
+
+At this point, the playbook will have generated the TLS keys and CSRs and copied the CSRs to the Ansible controller (stage 1).
+
+It is up to us now to sign the CSRs and copy the signed certificates back to the Ansible controller:
+
+## Sign the CSRs generated by the playbook
+
+You will find copies of the TLS CSRs in `{{ local_temp_dir }}/csrs` on the Ansible controller (default `/tmp/csrs`).
+
+```
+# ls /tmp/csrs
+host-1.example.com.csr  host-3.example.com.csr
+host-2.example.com.csr  host-4.example.com.csr
+```
+
+Sign the CSRs and copy the signed certificates to the Ansible controller using the same filename, replacing `.csr` with `.pem`.
+
+Place these signed certificates in `{{ local_temp_dir }}/certs` on the Ansible controller (default `/tmp/certs`).
+
+```
+# ls /tmp/certs
+host-1.example.com.pem  host-3.example.com.pem
+host-2.example.com.pem  host-4.example.com.pem
+```
+
+## Rerun the playbook
+
+The playbook can be restarted now that the signed certificates exist on the Ansible controller (stage 2).
+
+**Note:** To save time, you can start the playbook from `prepare_tls.yml` – skipping completed steps.
+
+The playbook will distribute the new signed certificates and continue as usual.
+
+No other steps are required.

prepare_tls.yml

@@ -46,9 +46,9 @@
         flat: yes
       loop:
         - src: "{{ ca_server_root_cert_path }}"
-          dest: "{{ local_temp_dir }}/certs/rootca.pem"
+          dest: "{{ local_temp_dir }}/certs/cluster_rootca.pem"
         - src: "{{ ca_server_intermediate_cert_path }}"
-          dest: "{{ local_temp_dir }}/certs/intca.pem"
+          dest: "{{ local_temp_dir }}/certs/cluster_intca.pem"
       loop_control:
         loop_var: cert
   vars_files:

roles/cloudera_manager/admin_password/check/tasks/main.yml

@@ -26,6 +26,10 @@
   run_once: True
   when: cloudera_manager_admin_password is defined
 
+- set_fact:
+    cloudera_manager_api_password: "admin"
+  run_once: True
+
 - name: Set the playbook to use the non-default Cloudera Manager admin password
   set_fact:
     cloudera_manager_api_password: "{{ cloudera_manager_admin_password }}"