Posted to commits@knox.apache.org by lm...@apache.org on 2015/05/21 20:31:57 UTC
knox git commit: KNOX-545 - Simplify Keystore Management for Cluster
Scaleout
Repository: knox
Updated Branches:
refs/heads/master 43b8b43ba -> 801e821a1
KNOX-545 - Simplify Keystore Management for Cluster Scaleout
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/801e821a
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/801e821a
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/801e821a
Branch: refs/heads/master
Commit: 801e821a1761ddf39440656e17ec836847948bbe
Parents: 43b8b43
Author: Larry McCay <lm...@hortonworks.com>
Authored: Thu May 21 14:31:23 2015 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Thu May 21 14:31:23 2015 -0400
----------------------------------------------------------------------
.../services/security/impl/JettySSLService.java | 8 +++++++-
.../org/apache/hadoop/gateway/util/KnoxCLI.java | 18 +++++++++++++++---
2 files changed, 22 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/801e821a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 9c515b2..c3b257f 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -77,7 +77,10 @@ public class JettySSLService implements SSLService {
if (!ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
log.creatingCredentialStoreForGateway();
ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
- as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+ // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
+ // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE SECURE THEN
+ // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
+ // as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
}
else {
log.credentialStoreForGatewayFoundNotCreating();
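Review bot: The commented-out `generateAliasForCluster` call on the fourth added line should be deleted rather than left behind; the capitalised comment above it is the only record of the new rule, and it does not say which alias an operator has to create or what protects the key in the meantime. I would replace the four added lines with a comment naming the constant, e.g. `// No per-key passphrase is generated here any more: the gateway-identity key falls back to the master secret unless an operator provisions the GATEWAY_IDENTITY_PASSPHRASE alias with the CLI.` That fallback is applied a few lines further down in this method (the second hunk), so the two comments should agree. The `if` that starts this hunk is inside a method whose opening is outside the hunk.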
@@ -91,6 +94,9 @@ public class JettySSLService implements SSLService {
log.creatingKeyStoreForGateway();
ks.createKeystoreForGateway();
char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+ if (passphrase == null) {
+ passphrase = ms.getMasterSecret();
+ }
ks.addSelfSignedCertForGateway("gateway-identity", passphrase);
}
else {
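Review bot: The new null-fallback to `ms.getMasterSecret()` is applied only on the creation path, and nothing in this hunk shows the same rule being applied where the gateway-identity key is later loaded, so a deployment whose alias is absent at creation time but present (or vice versa) at load time would end up with a passphrase mismatch; I would move the decision into one helper, e.g. `char[] getGatewayIdentityPassphrase()` returning the alias password when non-null and the master secret otherwise, and call it from both paths. The note is hedged because the load path is outside this hunk. The `char[]` handed to `addSelfSignedCertForGateway` is now the live master-secret array itself when the alias is missing, so that method (not visible here) must not zero it after use; a comment such as `// may be the master secret itself — do not clear` on the assignment would protect the next maintainer. The `else` branch that closes this hunk continues outside it.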
http://git-wip-us.apache.org/repos/asf/knox/blob/801e821a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
index 8366f2e..c172151 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/util/KnoxCLI.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.gateway.services.topology.TopologyService;
import org.apache.hadoop.gateway.services.security.AliasService;
import org.apache.hadoop.gateway.services.security.KeystoreService;
import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
+import org.apache.hadoop.gateway.services.security.MasterService;
import org.apache.hadoop.gateway.topology.Topology;
import org.apache.hadoop.util.Tool;
import org.apache.hadoop.util.ToolRunner;
@@ -93,10 +94,14 @@ public class KnoxCLI extends Configured implements Tool {
initializeServices( command instanceof MasterCreateCommand );
command.execute();
} else {
- out.println("ERROR: Invalid Command" + "\n" + "Unrecognized option:" + args[0] + "\n"
- + "A fatal exception has occurred. Program will exit.");
+ out.println("ERROR: Invalid Command" + "\n" + "Unrecognized option:" +
+ args[0] + "\n" +
+ "A fatal exception has occurred. Program will exit.");
exitCode = -2;
}
+ } catch (ServiceLifecycleException sle) {
+ out.println("ERROR: Internal Error: Please refer to the knoxcli.log " +
+ "file for details. " + sle.getMessage());
} catch (Exception e) {
e.printStackTrace( err );
err.flush();
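Review bot: The new `catch (ServiceLifecycleException sle)` prints a message but, within the visible lines, neither sets `exitCode` nor logs the exception, so a keystore/master-secret failure during `initializeServices` could leave the CLI exiting with a success status, which scripts driving cluster scale-out would misread as a provisioned node. The message also tells the user to consult `knoxcli.log`, yet nothing here writes to it; unless the exception is logged before being thrown (outside this hunk), that advice is misleading. I would add `exitCode = -1;` in the branch alongside `err.println(...)` and log `sle` with its cause so the "keystore was not loaded properly" detail from the throw site actually reaches the log file.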
@@ -364,7 +369,10 @@ public class KnoxCLI extends Configured implements Tool {
else {
// log.credentialStoreForGatewayFoundNotCreating();
}
- as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+ // LET'S NOT GENERATE A DIFFERENT KEY PASSPHRASE BY DEFAULT ANYMORE
+ // IF A DEPLOYMENT WANTS TO CHANGE THE KEY PASSPHRASE TO MAKE IT MORE SECURE THEN
+ // THEY CAN ADD THE ALIAS EXPLICITLY WITH THE CLI
+ //as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
} catch (KeystoreServiceException e) {
throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
}
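Review bot: The new comment tells operators they can "add the alias explicitly with the CLI" to make the key passphrase more secure, but once the gateway keystore has been created with the master-secret fallback, adding the alias afterwards changes the passphrase the gateway will use to open the existing key, which presumably makes the stored key unreadable rather than more secure. The comment should say that the alias must be created before `create-cert` is run, or that the keystore/cert has to be regenerated after adding it, and should name the alias, e.g. `// Operators wanting a distinct key passphrase must create the GATEWAY_IDENTITY_PASSPHRASE alias BEFORE generating the keystore; adding it later leaves the existing key unreadable.` The commented-out `generateAliasForCluster` line should be removed rather than kept as dead code. The enclosing `try` begins outside the hunk.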
@@ -378,6 +386,10 @@ public class KnoxCLI extends Configured implements Tool {
// log.keyStoreForGatewayFoundNotCreating();
}
char[] passphrase = as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
+ if (passphrase == null) {
+ MasterService ms = services.getService("MasterService");
+ passphrase = ms.getMasterSecret();
+ }
ks.addSelfSignedCertForGateway("gateway-identity", passphrase, hostname);
// logAndValidateCertificate();
out.println("Certificate gateway-identity has been successfully created.");
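Review bot: `services.getService("MasterService")` on the second added line is a string-keyed lookup whose result is used unguarded, so if the service is not registered (or the literal drifts from the registration key) the fallback produces a `NullPointerException` with no indication that the passphrase lookup was the problem; I would guard it, e.g. `if (ms == null) throw new ServiceLifecycleException("MasterService is not available; cannot derive the key passphrase.");`, hedged because the exact exception this method declares is not visible here. This also duplicates the alias-then-master-secret rule that `JettySSLService` now applies with its own `ms` reference, so a single shared helper (or at least identical comments in both places) would keep the CLI-created keystore openable by the server. A one-line comment on the fallback, `// no alias: the master secret protects the gateway-identity key`, would make the security implication explicit to whoever reads the CLI output.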