#!/usr/bin/env python
'''
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
'''
import os
import shlex
from ambari_commons import subprocess32
import argparse
# Target modes offered when a path fails a check. They are plain decimal
# integers whose digits are handed to the chmod command via str(); they are
# not octal literals and must not be passed to os.chmod() directly.
JAR_FILE_PERMISSIONS = 644
DIRECTORY_PERMISSIONS = 755
# NOTE(review): 755 also sets the execute bit on every flagged regular file,
# including anything found under the conf directories listed below, and makes
# it world-readable - confirm that is intended for configuration files.
FILE_PERMISSIONS = 755
SECURE_DIRECTORY_PERMISSIONS = 700
SECURE_FILE_PERMISSIONS = 700

# Jar locations. A directory entry is searched recursively for *.jar files;
# an entry that is a single file is checked on its own.
jar_files_to_check = [
    "/var/lib/ambari-server/",
    "/usr/lib/ambari-server/",
    "/var/lib/ambari-agent/",
]

# Directories whose own permissions (and those of their sub-directories) are
# checked.
directories_to_check = [
    "/etc/ambari-server/conf",
    "/usr/lib/ambari-server",
    "/usr/lib/ambari-server/lib/ambari_server",
    "/var/lib/ambari-server",
    "/usr/lib/ambari-agent",
    "/usr/lib/ambari-agent/lib/ambari_agent",
    "/var/lib/ambari-agent/cache",
    "/var/lib/ambari-agent/cred",
    "/var/lib/ambari-agent/data",
    "/var/lib/ambari-agent/tools",
    "/var/lib/ambari-agent/lib",
    "/etc/ambari-agent/conf",
]

# Files to check. A directory entry means every regular file below it
# (recursively); a file entry means just that file.
files_to_check = [
    "/etc/ambari-server/conf/",
    "/etc/init/ambari-server.conf",
    "/etc/init.d/ambari-server",
    "/usr/lib/ambari-server",
    "/usr/lib/ambari-server/lib/ambari_server",
    "/usr/sbin/ambari_server_main.py",
    "/usr/sbin/ambari-server.py",
    "/var/lib/ambari-server",
    "/usr/lib/ambari-agent",
    "/usr/lib/ambari-agent/lib/ambari_agent",
    "/var/lib/ambari-agent",
]

# Directories holding key material; checked with the stricter
# "no access at all for group and other" rule.
secure_directories_to_check = [
    "/var/lib/ambari-server/keys",
    "/var/lib/ambari-agent/keys",
]

# Same locations, but for the regular files inside them (recursively), or the
# entry itself when it is a single file.
secure_files_to_check = [
    "/var/lib/ambari-server/keys",
    "/var/lib/ambari-agent/keys",
]
def main():
    """Parse the command line and run every permission check.

    The only option is --ambari-root-dir, the prefix that is joined in front
    of each path in the module-level check lists (default "/").
    """
    arg_parser = argparse.ArgumentParser(
        description='This script search for ambari files with incorrect permissions.',
        epilog='Only for ambari!',
    )
    arg_parser.add_argument(
        '--ambari-root-dir',
        action='store',
        type=str,
        default='/',
        help='Ambari server root directory. By default it is "/".',
    )
    do_work(arg_parser.parse_args())
def get_YN_input(prompt, default):
    """Ask a yes/no question on stdin.

    Returns True for 'yes'/'ye'/'y', False for 'no'/'n', and `default` when
    the user just presses enter (all handled by get_choice_string_input).
    """
    affirmative = {'yes', 'ye', 'y'}
    negative = {'no', 'n'}
    return get_choice_string_input(prompt, default, affirmative, negative)
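def get_choice_string_input(prompt, default, firstChoice, secondChoice):
    """Prompt until the user gives a recognised answer.

    The answer is lower-cased before it is compared.

    Args:
        prompt: text shown by raw_input().
        default: value returned when the user enters an empty line.
        firstChoice: collection of answers that mean True.
        secondChoice: collection of answers that mean False.

    Returns:
        True, False or `default`, as described above.
    """
    # Loop instead of recursing so repeated bad input cannot grow the stack.
    while True:
        choice = raw_input(prompt).lower()
        if choice in firstChoice:
            return True
        if choice in secondChoice:
            return False
        # Compare by value: `is ""` tests object identity and only happens to
        # work when the interpreter interns the empty string.
        if choice == "":  # Just enter pressed
            return default
        print("input not recognized, please try again: ")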
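def check_directory_permissions(dir_path, perm):
    """List directories at or below dir_path that match a find -perm test.

    Args:
        dir_path: directory to search (recursively, via `find -type d`).
        perm: value for find's -perm test; callers in this file pass the
            "/mode" form, which GNU find matches when any listed bit is set.

    Returns:
        List of matching directory paths, one per line of find's output.
        Empty when nothing matches or dir_path does not exist.
    """
    print("Checking directory " + dir_path + ":")
    directories_with_wrong_permissions = []
    if not os.path.exists(dir_path):
        print("ERROR: directory " + dir_path + " doesn't exist!\n")
        return directories_with_wrong_permissions

    # Pass an argv list rather than a concatenated string: a string would be
    # re-tokenised by shlex.split(), so a path containing whitespace or quote
    # characters would be split into several find arguments.
    (retcode, stdout, stderr) = os_run_os_command(
        ["find", str(dir_path), "-type", "d", "-perm", str(perm)])
    if retcode > 0:
        print("ERROR: failed to check permissions for directory " + str(dir_path) + ": " + str(stderr) + "\n")
    # find can fail on one sub-directory and still report others, so any
    # output is kept even after an error.
    if stdout:
        directories_with_wrong_permissions.extend(stdout.splitlines())
    return directories_with_wrong_permissions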
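def check_files_in_directory_or_file_for_permissions(path, perm):
    """List regular files at or below path that match a find -perm test.

    Args:
        path: a directory (searched recursively) or a single file.
        perm: value for find's -perm test; callers in this file pass the
            "/mode" form, which GNU find matches when any listed bit is set.

    Returns:
        List of matching file paths, one per line of find's output. Empty
        when nothing matches, when path does not exist, or when path is
        neither a directory nor a regular file.
    """
    files_with_wrong_permissions = []
    if not os.path.exists(path):
        print("ERROR: directory/file " + path + " doesn't exist!\n")
        return files_with_wrong_permissions

    if os.path.isdir(path):
        print("Checking files in directory " + path)
        target = "files in"
    elif os.path.isfile(path):
        print("Checking file " + path + ":")
        target = "file"
    else:
        # The path exists but is something else (device, socket, ...). The
        # original fell through to an unassigned `stdout` here; there is
        # nothing to scan, so report no findings.
        return files_with_wrong_permissions

    # Both cases run the same find; an argv list keeps a path with whitespace
    # or quote characters as one argument instead of letting shlex.split()
    # break it apart.
    (retcode, stdout, stderr) = os_run_os_command(
        ["find", str(path), "-type", "f", "-perm", str(perm)])
    if retcode > 0:
        print("ERROR: failed to check permissions for " + target + " " + str(path) + ": " + str(stderr) + "\n")
    # Keep partial output even when find reported an error.
    if stdout:
        files_with_wrong_permissions.extend(stdout.splitlines())
    return files_with_wrong_permissions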
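def update_permissions(list_of_paths, permissions, ask_msg):
    """Ask once, then chmod every listed path to `permissions`.

    Args:
        list_of_paths: paths to change; nothing happens when it is empty.
        permissions: mode whose str() form is handed to chmod (e.g. 755).
        ask_msg: question text; " [y/n] (y)? " is appended and an empty
            answer counts as yes.

    NOTE(review): the paths were collected by an earlier find run and chmod
    follows symbolic links. If a parent directory is still writable by group
    or other, the object at a path may have changed before chmod runs;
    fixing directory permissions before file permissions would narrow that
    window - confirm whether this matters for the deployment.
    """
    if not list_of_paths:
        return
    if not get_YN_input(ask_msg + " [y/n] (y)? ", True):
        return

    mode = str(permissions)
    for path in list_of_paths:
        # argv list: a path with whitespace stays a single argument. The "--"
        # stops option parsing so a path can never be read as a chmod option.
        (retcode, stdout, stderr) = os_run_os_command(["chmod", "--", mode, str(path)])
        if retcode > 0:
            print("ERROR: failed to update permissions " + mode + " for " + str(path) + ": " + str(stderr) + "\n")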
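def print_paths_with_wrong_permissions(list_of_paths):
    """Print "<symbolic mode> <octal mode> <name>" for every path, via stat.

    A failing stat is reported per path and does not stop the loop.
    """
    for path in list_of_paths:
        # argv list keeps the format string and the path as single arguments
        # whatever characters the path contains; "--" ends option parsing.
        (retcode, stdout, stderr) = os_run_os_command(["stat", "-c", "%A %a %n", "--", str(path)])
        if retcode > 0:
            print("ERROR: failed to get permissions for path " + str(path) + ": " + str(stderr) + "\n")
        else:
            print(str(stdout).rstrip("\n"))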
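def _report_and_offer_fix(paths, heading, permissions, what):
    """Print the offending paths under `heading`, then offer to chmod them."""
    if paths:
        print(heading)
        print_paths_with_wrong_permissions(paths)
    # update_permissions() is a no-op for an empty list.
    update_permissions(paths, permissions, "Fix permissions for " + what + " to " + str(permissions) + " (recommended) ")


def _find_jars_with_wrong_permissions(jar_path):
    """Return jar files at/below jar_path that group or other can write or execute."""
    if not os.path.exists(jar_path):
        print("ERROR: directory " + jar_path + " doesn't exist!\n")
        return []

    # argv lists are used so a path with whitespace is not re-split by
    # shlex.split(); "*.jar" reaches find literally because no shell is used.
    if os.path.isdir(jar_path):
        print("Checking jars in " + str(jar_path))
        (retcode, stdout, stderr) = os_run_os_command(
            ["find", str(jar_path), "-type", "f", "-name", "*.jar", "-perm", "/g=w+x,o=w+x"])
        if retcode > 0:
            print("ERROR: failed to check permissions for jar files in " + str(jar_path) + ": " + str(stderr) + "\n")
    elif os.path.isfile(jar_path):
        print("Checking jar " + str(jar_path))
        (retcode, stdout, stderr) = os_run_os_command(
            ["find", str(jar_path), "-type", "f", "-perm", "/g=w+x,o=w+x"])
        if retcode > 0:
            print("ERROR: failed to check permissions for file " + str(jar_path) + ": " + str(stderr) + "\n")
    else:
        # Exists but is neither a directory nor a regular file. The original
        # reused a stale or unassigned `stdout` in this case.
        return []
    return stdout.splitlines() if stdout else []


def do_work(args):
    """Run all permission checks below args.ambari_root_dir and offer fixes.

    Five passes run in order: regular files, jar files, directories, secure
    directories, secure files. Each pass prints what it found and asks once
    whether to chmod the findings to the matching *_PERMISSIONS constant.

    NOTE(review): files_to_check contains /var/lib/ambari-server and
    /var/lib/ambari-agent, the parents of the keys directories listed in
    secure_files_to_check. A key file that is group- or other-writable is
    therefore first offered a chmod to FILE_PERMISSIONS (755) and is only
    narrowed to SECURE_FILE_PERMISSIONS if the later secure-file prompt is
    also accepted. Always complete the secure passes after accepting the
    first prompt.
    """
    root = args.ambari_root_dir

    print("\n*****Check file, or files in directory for valid permissions (without w for group and other)*****")
    files_with_wrong_permissions = []
    for path in files_to_check:
        path = os.path.join(root, path.lstrip('/'))
        files_with_wrong_permissions.extend(
            check_files_in_directory_or_file_for_permissions(path, "/g=w,o=w"))
    _report_and_offer_fix(files_with_wrong_permissions, "\nFiles with wrong permissions:",
                          FILE_PERMISSIONS, "files")

    print("\n*****Check ambari jar file, or files in directory, for valid permissions (without w+x for group and other)*****")
    jar_files_with_wrong_permissions = []
    for jar_path in jar_files_to_check:
        jar_path = os.path.join(root, jar_path.lstrip('/'))
        jar_files_with_wrong_permissions.extend(_find_jars_with_wrong_permissions(jar_path))
    _report_and_offer_fix(jar_files_with_wrong_permissions, "\nJar files with wrong permissions:",
                          JAR_FILE_PERMISSIONS, "jar files")

    print("\n*****Check directories for valid permissions (without w for group and other)*****")
    directories_with_wrong_permissions = []
    for dir_path in directories_to_check:
        dir_path = os.path.join(root, dir_path.lstrip('/'))
        directories_with_wrong_permissions.extend(
            check_directory_permissions(dir_path, "/g=w,o=w"))
    _report_and_offer_fix(directories_with_wrong_permissions, "\nDirectories with wrong permissions:",
                          DIRECTORY_PERMISSIONS, "directories")

    print("\n*****Check secure directories for valid permissions (without r+w+x for group and other)*****")
    secure_directories_with_wrong_permissions = []
    for dir_path in secure_directories_to_check:
        dir_path = os.path.join(root, dir_path.lstrip('/'))
        secure_directories_with_wrong_permissions.extend(
            check_directory_permissions(dir_path, "/g=r+w+x,o=r+w+x"))
    _report_and_offer_fix(secure_directories_with_wrong_permissions, "\nSecure directories with wrong permissions:",
                          SECURE_DIRECTORY_PERMISSIONS, "secure directories")

    print("\n*****Check secure file, or files in directory for valid permissions (without r+w+x for group and other)*****")
    secure_files_with_wrong_permissions = []
    for path in secure_files_to_check:
        path = os.path.join(root, path.lstrip('/'))
        secure_files_with_wrong_permissions.extend(
            check_files_in_directory_or_file_for_permissions(path, "/g=r+w+x,o=r+w+x"))
    _report_and_offer_fix(secure_files_with_wrong_permissions, "\nSecure files with wrong permissions:",
                          SECURE_FILE_PERMISSIONS, "secure files")

    print("\nCheck completed.")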
def os_run_os_command(cmd, env=None, shell=False, cwd=None):
    """Run a command and return (returncode, stdout, stderr).

    Args:
        cmd: an argv list, or a str that is tokenised with shlex.split().
            Prefer the list form whenever an argument (such as a file path)
            may contain whitespace or quote characters.
        env, cwd, shell: passed straight through to Popen.

    NOTE(review): a str cmd is split even when shell=True, and Popen given a
    list together with shell=True treats only the first element as the
    command on POSIX. No caller in this file passes shell=True.
    """
    argv = shlex.split(cmd) if type(cmd) == str else cmd
    child = subprocess32.Popen(
        argv,
        stdout=subprocess32.PIPE,
        stdin=subprocess32.PIPE,
        stderr=subprocess32.PIPE,
        env=env,
        cwd=cwd,
        shell=shell,
    )
    # communicate() waits for the child to exit and collects both streams.
    captured_out, captured_err = child.communicate()
    return child.returncode, captured_out, captured_err
# Run the checks only when executed as a script, not when imported.
if __name__ == "__main__":
    main()