knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-545 - Simplify Keystore Management for Cluster Scaleout
Date Thu, 21 May 2015 18:31:57 GMT
Repository: knox
Updated Branches:
  refs/heads/master 43b8b43ba -> 801e821a1


KNOX-545 - Simplify Keystore Management for Cluster Scaleout

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/801e821a
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/801e821a
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/801e821a

Branch: refs/heads/master
Commit: 801e821a1761ddf39440656e17ec836847948bbe
Parents: 43b8b43
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Thu May 21 14:31:23 2015 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Thu May 21 14:31:23 2015 -0400

----------------------------------------------------------------------
 .../services/security/impl/JettySSLService.java   |  8 +++++++-
 .../org/apache/hadoop/gateway/util/KnoxCLI.java   | 18 +++++++++++++++---
 2 files changed, 22 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/801e821a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 9c515b2..c3b257f 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -77,7 +77,10 @@ public class JettySSLService implements SSLService {
       if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
         log.creatingCredentialStoreForGateway();
         ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
-        as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+        // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
+        // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE SECURE THEN
+        // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
+        // as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
       }
       else {
         log.credentialStoreForGatewayFoundNotCreating();
@@ -91,6 +94,9 @@ public class JettySSLService implements SSLService {
         log.creatingKeyStoreForGateway();
         ks.createKeystoreForGateway();
         char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME,
GATEWAY_IDENTITY_PASSPHRASE);
+        if (passphrase == null) {
+          passphrase = ms.getMasterSecret();
+        }
         ks.addSelfSignedCertForGateway("gateway-identity", passphrase);
       }
       else {

http://git-wip-us.apache.org/repos/asf/knox/blob/801e821a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
index 8366f2e..c172151 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.gateway.services.topology.TopologyService;
 import org.apache.hadoop.gateway.services.security.AliasService;
 import org.apache.hadoop.gateway.services.security.KeystoreService;
 import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
+import org.apache.hadoop.gateway.services.security.MasterService;
 import org.apache.hadoop.gateway.topology.Topology;
 import org.apache.hadoop.util.Tool;
 import org.apache.hadoop.util.ToolRunner;
@@ -93,10 +94,14 @@ public class KnoxCLI extends Configured implements Tool {
         initializeServices( command instanceof MasterCreateCommand );
         command.execute();
       } else {
-        out.println("ERROR: Invalid Command" + "\n" + "Unrecognized option:" + args[0] +
"\n"
-            + "A fatal exception has occurred. Program will exit.");
+        out.println("ERROR: Invalid Command" + "\n" + "Unrecognized option:" +
+            args[0] + "\n" +
+            "A fatal exception has occurred. Program will exit.");
         exitCode = -2;
       }
+    } catch (ServiceLifecycleException sle) {
+      out.println("ERROR: Internal Error: Please refer to the knoxcli.log " +
+          "file for details. " + sle.getMessage());
     } catch (Exception e) {
       e.printStackTrace( err );
       err.flush();
@@ -364,7 +369,10 @@ public class KnoxCLI extends Configured implements Tool {
          else {
 //           log.credentialStoreForGatewayFoundNotCreating();
          }
-         as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+         // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
+         // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE SECURE THEN
+         // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
+         //as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
        } catch (KeystoreServiceException e) {
          throw new ServiceLifecycleException("Keystore was not loaded properly - the provided
(or persisted) master secret may not match the password for the keystore.", e);
        }
@@ -378,6 +386,10 @@ public class KnoxCLI extends Configured implements Tool {
 //           log.keyStoreForGatewayFoundNotCreating();
          }
          char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME,
GATEWAY_IDENTITY_PASSPHRASE);
+         if (passphrase == null) {
+           MasterService ms = services.getService("MasterService");
+           passphrase = ms.getMasterSecret();
+         }
          ks.addSelfSignedCertForGateway("gateway-identity", passphrase, hostname);
 //         logAndValidateCertificate();
          out.println("Certificate gateway-identity has been successfully created.");


Mime
View raw message