knox-commits mailing list archives

From m...@apache.org
Subject svn commit: r1829661 - in /knox: site/books/knox-1-1-0/user-guide.html site/index.html site/issue-tracking.html site/license.html site/mail-lists.html site/project-info.html site/team-list.html trunk/books/1.1.0/book.md trunk/books/1.1.0/config.md
Date Fri, 20 Apr 2018 15:04:32 GMT
Author: more
Date: Fri Apr 20 15:04:31 2018
New Revision: 1829661

URL: http://svn.apache.org/viewvc?rev=1829661&view=rev
Log:
KNOX-1265 - Document Remote Alias Discovery

Modified:
    knox/site/books/knox-1-1-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/1.1.0/book.md
    knox/trunk/books/1.1.0/config.md

Modified: knox/site/books/knox-1-1-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-1-1-0/user-guide.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/books/knox-1-1-0/user-guide.html (original)
+++ knox/site/books/knox-1-1-0/user-guide.html Fri Apr 20 15:04:31 2018
@@ -41,6 +41,7 @@
       <li><a href="#Cluster+Configuration+Monitoring">Cluster Configuration Monitoring</a></li>
       <li><a href="#Remote+Configuration+Monitor">Remote Configuration Monitor</a></li>
       <li><a href="#Remote+Configuration+Registry+Clients">Remote Configuration
Registry Clients</a></li>
+      <li><a href="#Remote+Alias+Discovery">Remote Alias Discovery</a></li>
       <li><a href="#Topology+Descriptors">Topology Descriptors</a></li>
       <li><a href="#Hostmap+Provider">Hostmap Provider</a></li>
     </ul></li>
@@ -732,6 +733,11 @@ https://{gateway-host}:{gateway-port}/{g
       <td>The interval (in seconds) at which the cluster monitor will poll Ambari for
cluster configuration changes. </td>
       <td>60</td>
     </tr>
+    <tr>
+      <td>gateway.remote.alias.service.enabled </td>
+      <td>Turn on/off Remote Alias Discovery, this will take effect only when remote
configuration monitor is enabled </td>
+      <td>true</td>
+    </tr>
   </tbody>
 </table><h4><a id="Topology+Descriptors">Topology Descriptors</a>
<a href="#Topology+Descriptors"><img src="markbook-section-link.png"/></a></h4><p>The
topology descriptor files provide the gateway with per-cluster configuration information.
This includes configuration for both the providers within the gateway and the services within
the Hadoop cluster. These files are located in <code>{GATEWAY_HOME}/conf/topologies</code>.
The general outline of this document looks like this.</p>
 <pre><code>&lt;topology&gt;
@@ -1115,7 +1121,13 @@ trustworthiness.
     &lt;value&gt;type=ZooKeeper;address=zkhost1:2181,zkhost2:2181,zkhost3:2181;authType=Kerberos;principal=myzkuser;keytab=/home/user/myzk.keytab;useKeyTab=true;useTicketCache=false&lt;/value&gt;
     &lt;description&gt;ZooKeeper configuration registry client details.&lt;/description&gt;
 &lt;/property&gt;
-</code></pre><p><em>While multiple such clients can be configured,
for ZooKeeper clients, there is currently a limitation with respect to authentication. Multiple
clients cannot each have distinct authentication configurations. This limitation is imposed
by the underlying ZooKeeper client. Therefore, the clients must all be insecure (no authentication
configured), or they must all authenticate to the same ZooKeeper using the same credentials.</em></p><p>The
<a href="#Remote+Configuration+Monitor">remote configuration monitor</a> facility
uses these client configurations to perform its function.</p><h4><a id="Logging">Logging</a>
<a href="#Logging"><img src="markbook-section-link.png"/></a></h4><p>If
necessary you can enable additional logging by editing the <code>log4j.properties</code>
file in the <code>conf</code> directory. Changing the <code>rootLogger</code>
value from <code>ERROR</code> to <code>DEBUG</code> will generate
a large amount of debug logging. A number of useful, mo
 re fine loggers are also provided in the file.</p><h4><a id="Java+VM+Options">Java
VM Options</a> <a href="#Java+VM+Options"><img src="markbook-section-link.png"/></a></h4><p>TODO
- Java VM options doc.</p><h4><a id="Persisting+the+Master+Secret">Persisting
the Master Secret</a> <a href="#Persisting+the+Master+Secret"><img src="markbook-section-link.png"/></a></h4><p>The
master secret is required to start the server. This secret is used to access secured artifacts
by the gateway instance. Keystore, trust stores and credential stores are all protected with
the master secret.</p><p>You may persist the master secret by supplying the <em>-persist-master</em>
switch at startup. This will result in a warning indicating that persisting the secret is
less secure than providing it at startup. We do make some provisions in order to protect the
persisted password.</p><p>It is encrypted with AES 128 bit encryption and where
possible the file permissions are set to only be accessible by the user
  that the gateway is running as.</p><p>After persisting the secret, ensure that
the file at data/security/master has the appropriate permissions set for your environment.
This is probably the most important layer of defense for master secret. Do not assume that
the encryption is sufficient protection.</p><p>A specific user should be created
to run the gateway. This user will be the only user with permissions for the persisted master
file.</p><p>See the Knox CLI section for descriptions of the command line utilities
related to the master secret.</p><h4><a id="Management+of+Security+Artifacts">Management
of Security Artifacts</a> <a href="#Management+of+Security+Artifacts"><img
src="markbook-section-link.png"/></a></h4><p>There are a number of artifacts
that are used by the gateway in ensuring the security of wire level communications, access
to protected resources and the encryption of sensitive data. These artifacts can be managed
from outside of the gateway instances or generated a
 nd populated by the gateway instance itself.</p><p>The following is a description
of how this is coordinated with both standalone (development, demo, etc) gateway instances
and instances as part of a cluster of gateways in mind.</p><p>Upon start of the
gateway server we:</p>
+</code></pre><p><em>While multiple such clients can be configured,
for ZooKeeper clients, there is currently a limitation with respect to authentication. Multiple
clients cannot each have distinct authentication configurations. This limitation is imposed
by the underlying ZooKeeper client. Therefore, the clients must all be insecure (no authentication
configured), or they must all authenticate to the same ZooKeeper using the same credentials.</em></p><p>The
<a href="#Remote+Configuration+Monitor">remote configuration monitor</a> facility
uses these client configurations to perform its function.</p><h4><a id="Remote+Alias+Discovery">Remote
Alias Discovery</a> <a href="#Remote+Alias+Discovery"><img src="markbook-section-link.png"/></a></h4><p>Knox
will also monitor for remote aliases that are added, deleted or updated. By default this is
turned on (if Remote Configuration Monitor is on) and will sync all the aliases. In case one
wants to turn off this feature they can do so by using t
 he property &ldquo;gateway.remote.alias.service.enabled&rdquo; in gateway-site.xml.
Knox needs to be restarted for this change to take effect. </p>
+<pre><code>&lt;property&gt;
+    &lt;name&gt;gateway.remote.alias.service.enabled&lt;/name&gt;
+    &lt;value&gt;false&lt;/value&gt;
+    &lt;description&gt;Turn on/off Remote Alias Discovery(true by default)&lt;/description&gt;
+&lt;/property&gt;
+</code></pre><h4><a id="Logging">Logging</a> <a href="#Logging"><img
src="markbook-section-link.png"/></a></h4><p>If necessary you can enable
additional logging by editing the <code>log4j.properties</code> file in the <code>conf</code>
directory. Changing the <code>rootLogger</code> value from <code>ERROR</code>
to <code>DEBUG</code> will generate a large amount of debug logging. A number
of useful, more fine loggers are also provided in the file.</p><h4><a id="Java+VM+Options">Java
VM Options</a> <a href="#Java+VM+Options"><img src="markbook-section-link.png"/></a></h4><p>TODO
- Java VM options doc.</p><h4><a id="Persisting+the+Master+Secret">Persisting
the Master Secret</a> <a href="#Persisting+the+Master+Secret"><img src="markbook-section-link.png"/></a></h4><p>The
master secret is required to start the server. This secret is used to access secured artifacts
by the gateway instance. Keystore, trust stores and credential stores are all protected with
the master secret.</p><p>You m
 ay persist the master secret by supplying the <em>-persist-master</em> switch
at startup. This will result in a warning indicating that persisting the secret is less secure
than providing it at startup. We do make some provisions in order to protect the persisted
password.</p><p>It is encrypted with AES 128 bit encryption and where possible
the file permissions are set to only be accessible by the user that the gateway is running
as.</p><p>After persisting the secret, ensure that the file at data/security/master
has the appropriate permissions set for your environment. This is probably the most important
layer of defense for master secret. Do not assume that the encryption is sufficient protection.</p><p>A
specific user should be created to run the gateway. This user will be the only user with permissions
for the persisted master file.</p><p>See the Knox CLI section for descriptions
of the command line utilities related to the master secret.</p><h4><a id="Management+of+Security+Arti
 facts">Management of Security Artifacts</a> <a href="#Management+of+Security+Artifacts"><img
src="markbook-section-link.png"/></a></h4><p>There are a number of artifacts
that are used by the gateway in ensuring the security of wire level communications, access
to protected resources and the encryption of sensitive data. These artifacts can be managed
from outside of the gateway instances or generated and populated by the gateway instance itself.</p><p>The
following is a description of how this is coordinated with both standalone (development, demo,
etc) gateway instances and instances as part of a cluster of gateways in mind.</p><p>Upon
start of the gateway server we:</p>
 <ol>
   <li>Look for an identity store at <code>data/security/keystores/gateway.jks</code>.
 The identity store contains the certificate and private key used to represent the identity
of the server for SSL connections and signature creation.
   <ul>
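Review bot: The added Remote Alias Discovery paragraph makes alias sync the default whenever the Remote Configuration Monitor is on, but it directly follows the paragraph stating that ZooKeeper registry clients may all be insecure (no authentication configured), and nothing here says what an alias carries or how alias entries in the remote registry are protected. State whether the registry client must be authenticated for this feature, and recommend setting gateway.remote.alias.service.enabled to false when it is not. The same paragraph is added to config.md in this commit, so the wording needs to change in both places.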

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Announcing Apache Knox 1.0.0!</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
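Review bot: The only changes to this file, here and in its second hunk, are the Doxia generation and publish dates moving from 2018-04-05 to 2018-04-20, and the same churn repeats in issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html. None of it relates to KNOX-1265; committing the regenerated site pages separately would keep the documentation change reviewable on its own.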
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180405" />
+    <meta name="Date-Revision-yyyymmdd" content="20180420" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2018-04-05</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2018-04-20</li>

             
                             </ul>
       </div>

Modified: knox/trunk/books/1.1.0/book.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/book.md?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/book.md (original)
+++ knox/trunk/books/1.1.0/book.md Fri Apr 20 15:04:31 2018
@@ -45,6 +45,7 @@
 		* #[Cluster Configuration Monitoring]
         * #[Remote Configuration Monitor]
         * #[Remote Configuration Registry Clients]
+        * #[Remote Alias Discovery]
         * #[Topology Descriptors]
         * #[Hostmap Provider]
     * #[Knox CLI]

Modified: knox/trunk/books/1.1.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config.md?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config.md (original)
+++ knox/trunk/books/1.1.0/config.md Fri Apr 20 15:04:31 2018
@@ -146,6 +146,7 @@ gateway.remote.config.monitor.client|A r
 gateway.remote.config.registry.<b>&lt;name&gt;</b>|A named [remote configuration
registry client](#Remote+Configuration+Registry+Clients) definition|null
 gateway.cluster.config.monitor.ambari.enabled | Indicates whether the cluster monitoring
and associated dynamic topology updating is enabled. | false
 gateway.cluster.config.monitor.ambari.interval | The interval (in seconds) at which the cluster
monitor will poll Ambari for cluster configuration changes. | 60
+gateway.remote.alias.service.enabled | Turn on/off Remote Alias Discovery, this will take
effect only when remote configuration monitor is enabled  | true
 
 
 #### Topology Descriptors ####
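Review bot: The description in the added gateway.remote.alias.service.enabled row is a comma splice and mentions the "remote configuration monitor" without linking to it, so a reader cannot tell from the table which setting this one depends on. Split it into two sentences, for example "Enables or disables Remote Alias Discovery. Takes effect only when the remote configuration monitor is enabled.", link the second sentence to #Remote+Configuration+Monitor the way the gateway.remote.config.registry row above links to its section, and drop the double space before the final "| true".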
@@ -742,6 +743,16 @@ _While multiple such clients can be conf
 
 The [remote configuration monitor](#Remote+Configuration+Monitor) facility uses these client
configurations to perform its function.
 
+#### Remote Alias Discovery ####
+
+Knox will also monitor for remote aliases that are added, deleted or updated. By default
this is turned on (if Remote Configuration Monitor is on) and will sync all the aliases. In
case one wants to turn off this feature they can do so by using the property "gateway.remote.alias.service.enabled"
in gateway-site.xml. Knox needs to be restarted for this change to take effect. 
+
+    <property>
+        <name>gateway.remote.alias.service.enabled</name>
+        <value>false</value>
+        <description>Turn on/off Remote Alias Discovery(true by default)</description>
+    </property>
+
 
 #### Logging ####
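Review bot: "will sync all the aliases" in the added paragraph does not say in which direction the sync runs or what happens locally when a remote alias is deleted, which is what an operator needs to know before leaving the default on. State the source and destination of the sync and the effect of a remote delete, add the missing space in "Remote Alias Discovery(true by default)", and replace "Turn on/off" in the example's description with wording that matches the value shown, since the example sets false.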
 


