Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/02/26 20:55:01 UTC
[GitHub] smolnar82 opened a new pull request #60: KNOX-1418 - New KnoxShell command to build truststore using the gateway server's public certificate
URL: https://github.com/apache/knox/pull/60
## What changes were proposed in this pull request?
Currently, the KnoxShell setup requires some manual steps to log in to the machine where the gateway server is located and execute `knoxcli.sh export-cert --type JKS`, then copy it to the current user's home.
To make it easier for our end-users, a new KnoxShell command was added to do this work:
`buildTrustStore <knox-gateway-url>`
## How was this patch tested?
Executing JUnit tests (including integration tests):
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17:47 min (Wall Clock)
[INFO] Finished at: 2019-02-26T21:21:54+01:00
[INFO] Final Memory: 267M/1641M
[INFO] ------------------------------------------------------------------------
```
Additionally, the following manual test steps were executed:
1. Unzipped the updated version of `knoxshell-1.3.0-SNAPSHOT.zip` locally and removed previously created `~/gateway-client-trust.jks`
2. Checked if the new command is available in KnoxShell's help:
```
$ ./bin/knoxshell.sh help
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache Knox Sessions
and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an
interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.
knoxshell usage:
knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
----------------------------------------------------------
buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
example: knoxshell.sh buildTrustStore https://localhost:8443/
init <topology-url> - requests a session from the knox token service at the url
example: knoxshell.sh init https://localhost:8443/gateway/sandbox
list - lists the details of the cached knox session token
example: knoxshell.sh list
destroy - removes the cached knox session token
example: knoxshell.sh destroy
<script-file-name> - executes the groovy script file
example: knoxshell.sh ~/bin/ls.groovy
```
3. Invoked `knoxshell.sh buildTrustStore` without the mandatory `<knox-gateway-url>` parameter:
```
$ ./bin/knoxshell.sh buildTrustStore
Illegal number of parameters.
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache Knox Sessions
and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an
interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.
knoxshell usage:
knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
----------------------------------------------------------
buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
example: knoxshell.sh buildTrustStore https://localhost:8443/
...
```
4. Tested if trust store was built using a valid gateway server's cert and the trust store is OK to run KnoxShell samples:
```
$ ls -al ~/gateway-client-trust.jks
ls: /Users/smolnar/gateway-client-trust.jks: No such file or directory
$ ./bin/knoxshell.sh buildTrustStore https://c7401.ambari.apache.org:8443/
Opening connection to c7401.ambari.apache.org:8443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
$ ls -al /Users/smolnar/gateway-client-trust.jks
-rw-r--r-- 1 smolnar staff 674 Feb 26 21:26 /Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
[app-logs, ats, atsv2, hdp, mapred, mr-history, tmp, user]
```
5. Tested if trust store was built using another (non-gateway) server's cert and running a KnoxShell sample failed:
```
$ ./bin/knoxshell.sh buildTrustStore https://google.com:443/
Opening connection to google.com:443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
$ ls -al ~/gateway-client-trust.jks
-rw-r--r-- 1 smolnar staff 2068 Feb 26 21:45 /Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
Caught: org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.knox.gateway.shell.AbstractRequest.now(AbstractRequest.java:81)
at org.apache.knox.gateway.shell.AbstractRequest$now.call(Unknown Source)
at ExampleWebHdfsLs.run(ExampleWebHdfsLs.groovy:37)
at org.apache.knox.gateway.shell.Shell.main(Shell.java:58)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
```
Also tested the `init|list|destroy` commands to make sure my bash changes did not screw up anything.
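An added example, not part of the pull request or of Knox: step 5 above shows the trust store is built from whatever certificate the given URL presents, so the shell functions below compare a certificate's SHA-256 fingerprint with a value obtained out of band before importing it. The function names, the `gateway` alias and the use of `openssl` and `keytool` are assumptions of this example.

```shell
#!/bin/sh
# Added example: trust a gateway certificate only if its SHA-256 fingerprint
# matches a value obtained out of band (for instance from the gateway admin).

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces; upper-case.
norm_fp() { printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'; }

# SHA-256 fingerprint of the PEM certificate in file $1.
cert_fp() { norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"; }

# Save the leaf certificate presented by host $1, port $2 into file $3.
# No validation happens here; the file is untrusted until pin_matches passes.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$3"
}

# Succeeds only when the certificate in file $1 has the pinned fingerprint $2.
# The pin must be a full SHA-256 value (64 hex digits), so a truncated or
# empty pin never matches, not even against an unreadable certificate file.
pin_matches() {
  want=$(norm_fp "$2")
  have=$(cert_fp "$1")
  [ "${#want}" -eq 64 ] && [ "$have" = "$want" ]
}

# Usage: build_pinned_truststore HOST PORT PINNED_FP OUT.jks
# Imports the certificate under the (assumed) alias "gateway" only on a match;
# keytool prompts for the trust store password.
build_pinned_truststore() (
  pem=$(mktemp) || exit 1
  if fetch_cert "$1" "$2" "$pem" && pin_matches "$pem" "$3"; then
    keytool -importcert -noprompt -alias gateway -file "$pem" -keystore "$4"
    rc=$?
  else
    echo "certificate missing or fingerprint mismatch; nothing imported" >&2
    rc=1
  fi
  rm -f "$pem"
  exit "$rc"
)
```

For a trust store that already exists, `keytool -list -v -keystore <file>` prints the SHA-256 fingerprint of each entry, which can be compared with the same pinned value.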