knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1562555 - in /incubator/knox: site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html trunk/books/0.4.0/book.md trunk/books/0.4.0/book_gateway-details.md
Date Wed, 29 Jan 2014 19:23:56 GMT
Author: lmccay
Date: Wed Jan 29 19:23:55 2014
New Revision: 1562555

URL: http://svn.apache.org/r1562555
Log:
updates for knoxcli

Modified:
    incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html
    incubator/knox/trunk/books/0.4.0/book.md
    incubator/knox/trunk/books/0.4.0/book_gateway-details.md

Modified: incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html
URL: http://svn.apache.org/viewvc/incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html?rev=1562555&r1=1562554&r2=1562555&view=diff
==============================================================================
--- incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html (original)
+++ incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html Wed Jan 29
19:23:55 2014
@@ -29,6 +29,7 @@
   <li><a href="#Gateway+Details">Gateway Details</a>
   <ul>
     <li><a href="#Configuration">Configuration</a></li>
+    <li><a href="#Knox+CLI">Knox CLI</a></li>
     <li><a href="#Authentication">Authentication</a></li>
     <li><a href="#LDAPGroupLookup">LDAPGroupLookup</a></li>
     <li><a href="#Identity+Assertion">Identity Assertion</a></li>
@@ -438,7 +439,71 @@ ip-10-39-107-209.ec2.internal
   <li>All security related artifacts are protected with the master secret</li>
   <li>Secrets used by the gateway itself are stored within the gateway credential store
and are the same across all gateway instances in the cluster of gateways</li>
   <li>Secrets used by providers within cluster topologies are stored in topology specific
credential stores and are the same for the same topology across the cluster of gateway instances.
 However, they are specific to the topology - so secrets for one hadoop cluster are different
from those of another.  This allows for fail-over from one gateway instance to another even
when encryption is being used while not allowing the compromise of one encryption key to expose
the data for all clusters.</li>
-</ol><p>NOTE: the SSL certificate will need special consideration depending on
the type of certificate. Wildcard certs may be able to be shared across all gateway instances
in a cluster. When certs are dedicated to specific machines the gateway identity store will
not be able to be blindly replicated as host name verification problems will ensue. Obviously,
trust-stores will need to be taken into account as well.</p><h3><a id="Authentication"></a>Authentication</h3><p>There
are two types of providers supported in Knox for establishing a user&rsquo;s identity:</p>
+</ol><p>NOTE: the SSL certificate will need special consideration depending on
the type of certificate. Wildcard certs may be able to be shared across all gateway instances
in a cluster. When certs are dedicated to specific machines the gateway identity store will
not be able to be blindly replicated as host name verification problems will ensue. Obviously,
trust-stores will need to be taken into account as well.</p><h3><a id="Knox+CLI"></a>Knox
CLI</h3><p>The Knox CLI is a command line utility for management of various aspects
of the Knox deployment. It is primarily concerned with the management of the security artifacts
for the gateway instance and each of the deployed topologies or hadoop clusters that are gated
by the Knox Gateway instance.</p><p>The various security artifacts are also generated
and populated automatically by the Knox Gateway runtime when they are not found at startup.
The assumptions made in those cases are appropriate for a test or development gateway instance
  and assume &lsquo;localhost&rsquo; for hostname specific activities. For production
deployments the use of the CLI may aid in managing some some prodution deployments.</p><p>The
knoxcli.sh script is located in the {GATEWAY_HOME}/bin directory.</p><h4><a
id="Help"></a>Help</h4><h5><a id="knoxcli.sh+[--help]"></a>knoxcli.sh
[&ndash;help]</h5><p>prints help for all commands</p><h4><a
id="Master+secret+persistence"></a>Master secret persistence</h4><h5><a
id="knoxcli.sh+create-master+[--help]"></a>knoxcli.sh create-master [&ndash;help]</h5><p>Creates
and persists an encrypted master secret in a file within {GATEWAY_HOME}/data/security/master</p><h4><a
id="Alias+creation"></a>Alias creation</h4><h5><a id="knoxcli.sh+create-alias+n+[--cluster+c]+[--value+v]+[--generate]+[--help]"></a>knoxcli.sh
create-alias n [&ndash;cluster c] [&ndash;value v] [&ndash;generate] [&ndash;help]</h5><p>Creates
a password alias and stores it in a credential store within the {GATEWAY_HOME}/data/security/keyst
 ores dir. </p>
+<table>
+  <thead>
+    <tr>
+      <th>argument </th>
+      <th>description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>&ndash;name</td>
+      <td>name of the alias to create</td>
+    </tr>
+    <tr>
+      <td>&ndash;cluster</td>
+      <td>name of Hadoop cluster for the cluster specific credential store otherwise
assumes __gateway &ndash;value|parameter for specifying the actual password otherwise
prompted<br/> &ndash;generate|boolean flag to indicate whether the tool should just
generate the value. This assumes that &ndash;value is not set - will result in error otherwise.
User will not be prompted for the value when &ndash;generate is set. </td>
+    </tr>
+  </tbody>
+</table><h4><a id="Alias+deletion"></a>Alias deletion</h4><h5><a
id="knoxcli.sh+delete-alias+n+[--cluster+c]+[--help]"></a>knoxcli.sh delete-alias
n [&ndash;cluster c] [&ndash;help]</h5><p>Deletes a password and alias
mapping from a credential store within {GATEWAY_HOME}/data/security/keystores. </p>
+<table>
+  <thead>
+    <tr>
+      <th>argument </th>
+      <th>description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>&ndash;name </td>
+      <td>name of the alias to delete</td>
+    </tr>
+    <tr>
+      <td>&ndash;cluster </td>
+      <td>name of Hadoop cluster for the cluster specific credential store otherwise
assumes __gateway</td>
+    </tr>
+  </tbody>
+</table><h4><a id="Alias+listing"></a>Alias listing</h4><h5><a
id="knoxcli.sh+list-alias+[--cluster+c]+[--help]"></a>knoxcli.sh list-alias [&ndash;cluster
c] [&ndash;help]</h5><p>Lists the alias names for the credential store within
{GATEWAY_HOME}/data/security/keystores. </p>
+<table>
+  <thead>
+    <tr>
+      <th>argument </th>
+      <th>description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>&ndash;cluster </td>
+      <td>name of Hadoop cluster for the cluster specific credential store otherwise
assumes __gateway</td>
+    </tr>
+  </tbody>
+</table><h4><a id="Self-signed+cert+creation"></a>Self-signed cert
creation</h4><h5><a id="knoxcli.sh+create-cert+[--hostname+n]+[--help]"></a>knoxcli.sh
create-cert [&ndash;hostname n] [&ndash;help]</h5><p>Creates and stores
a self-signed certificate to represent the identity of the gateway instance. This is stored
within the {GATEWAY_HOME}/data/security/keystores/gateway.jks keystore. </p>
+<table>
+  <thead>
+    <tr>
+      <th align="left">argument </th>
+      <th>description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td align="left">&ndash;hostname </td>
+      <td>name of the host to be used in the self-signed certificate. This allows multi-host
deployments to specify the proper hostnames for hostname verification to succeed on the client
side of the SSL connection. The default is “localhost”.</td>
+    </tr>
+  </tbody>
+</table><h3><a id="Authentication"></a>Authentication</h3><p>There
are two types of providers supported in Knox for establishing a user&rsquo;s identity:</p>
 <ol>
   <li>Authentication Providers</li>
   <li>Federation Providers</li>
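Review bot: The Alias creation table is missing row breaks, so the descriptions of `--value` and `--generate` are folded into the `--cluster` cell (`... otherwise assumes __gateway &ndash;value|parameter for specifying the actual password ...`) and two of the four arguments never get a row of their own; split that cell into separate `--value` and `--generate` rows in the source table. The same table (and the delete-alias table) documents the alias as `--name`, while every synopsis shows it positional (`create-alias n`, `delete-alias n`); pick one form and use it consistently. Rendered flags also come out as en dashes (`[&ndash;help]`, `&ndash;cluster`) although the anchor ids keep the literal `--help`, so a reader copying the visible `–help` does not get the flag the synopsis spells out; wrapping the flags in code spans keeps the converter from turning `--` into `&ndash;`. Minor: "some some prodution deployments" in the CLI introduction should read "some production deployments".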

Modified: incubator/knox/trunk/books/0.4.0/book.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.4.0/book.md?rev=1562555&r1=1562554&r2=1562555&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.4.0/book.md (original)
+++ incubator/knox/trunk/books/0.4.0/book.md Wed Jan 29 19:23:55 2014
@@ -36,6 +36,7 @@
     * #[Sandbox Configuration]
 * #[Gateway Details]
     * #[Configuration]
+    * #[Knox CLI]
     * #[Authentication]
     * #[LDAPGroupLookup]
     * #[Identity Assertion]

Modified: incubator/knox/trunk/books/0.4.0/book_gateway-details.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.4.0/book_gateway-details.md?rev=1562555&r1=1562554&r2=1562555&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.4.0/book_gateway-details.md (original)
+++ incubator/knox/trunk/books/0.4.0/book_gateway-details.md Wed Jan 29 19:23:55 2014
@@ -51,6 +51,7 @@ Note: The ports 50070, 50111, 11000 and 
 Their values can also be provided via the cluster topology descriptor if your Hadoop cluster
uses different ports.
 
 <<config.md>>
+<<knox_cli.md>>
 <<config_authn.md>>
 <<config_ldap_group_lookup.md>>
 <<config_id_assertion.md>>
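Review bot: `<<knox_cli.md>>` includes a source file that is not in this revision's Modified list, and the commit has no Added section, so book_gateway-details.md now depends on a trunk/books/0.4.0/knox_cli.md that this changeset does not carry; confirm the file is committed. The regenerated HTML in the same revision already contains the Knox CLI section, so the content exists locally, but the markdown source needs to land in svn for anyone else to rebuild the book.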


