Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/02/26 20:55:01 UTC

[GitHub] smolnar82 opened a new pull request #60: KNOX-1418 - New KnoxShell command to build truststore using the gateway server's public certificate

smolnar82 opened a new pull request #60: KNOX-1418 - New KnoxShell command to build truststore using the gateway server's public certificate
URL: https://github.com/apache/knox/pull/60
 
 
   ## What changes were proposed in this pull request?
   
   Currently, the KnoxShell setup requires some manual steps to log in to the machine where the gateway server is located and execute `knoxcli.sh export-cert --type JKS`, then copy it to the current user's home.
   To make it easier for our end-users, a new KnoxShell command was added to do this work:
   `buildTrustStore <knox-gateway-url>`
   
   ## How was this patch tested?
   
   Executing JUnit tests (including integration tests):
   ```
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 17:47 min (Wall Clock)
   [INFO] Finished at: 2019-02-26T21:21:54+01:00
   [INFO] Final Memory: 267M/1641M
   [INFO] ------------------------------------------------------------------------
   ```
   Additionally, the following manual test steps were executed:
   1. Unzipped the updated version of `knoxshell-1.3.0-SNAPSHOT.zip` locally and removed previously created `~/gateway-client-trust.jks`
   2. Checked if the new command is available in KnoxShell's help:
   ```
   $ ./bin/knoxshell.sh help
   
   Apache Knox Client Shell
   The client shell facility provide a CLI for establishing and managing Apache Knox Sessions
   and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an
   interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.
   
   knoxshell usage: 
      knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
      ----------------------------------------------------------
      buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
           example: knoxshell.sh buildTrustStore https://localhost:8443/
      init <topology-url> - requests a session from the knox token service at the url
           example: knoxshell.sh init https://localhost:8443/gateway/sandbox
      list - lists the details of the cached knox session token
           example: knoxshell.sh list
      destroy - removes the cached knox session token
           example: knoxshell.sh destroy
      <script-file-name> - executes the groovy script file
           example: knoxshell.sh ~/bin/ls.groovy
   ```
   3. Invoked `knoxshell.sh buildTrustStore` without the mandatory `<knox-gateway-url>` parameter:
   ```
   $ ./bin/knoxshell.sh buildTrustStore
   Illegal number of parameters.
   
   Apache Knox Client Shell
   The client shell facility provide a CLI for establishing and managing Apache Knox Sessions
   and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an
   interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.
   
   knoxshell usage: 
      knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
      ----------------------------------------------------------
      buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
           example: knoxshell.sh buildTrustStore https://localhost:8443/
   ...
   ```
   4. Tested if trust store was built using a valid gateway server's cert and the trust store is OK to run KnoxShell samples:
   ```
   $ ls -al ~/gateway-client-trust.jks
   ls: /Users/smolnar/gateway-client-trust.jks: No such file or directory
   
   $ ./bin/knoxshell.sh buildTrustStore https://c7401.ambari.apache.org:8443/
   Opening connection to c7401.ambari.apache.org:8443...
   Starting SSL handshake...
   SSL exception; found non-trusted certificate
   Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
   
   $ ls -al /Users/smolnar/gateway-client-trust.jks
   -rw-r--r--  1 smolnar  staff  674 Feb 26 21:26 /Users/smolnar/gateway-client-trust.jks
   
   $ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
   Enter username: guest
   Enter password: 
   [app-logs, ats, atsv2, hdp, mapred, mr-history, tmp, user]
   ```
   5.  Tested if trust store was built using another (non-gateway) server's cert and running a KnoxShell sample failed:
   ```
   $ ./bin/knoxshell.sh buildTrustStore https://google.com:443/
   Opening connection to google.com:443...
   Starting SSL handshake...
   SSL exception; found non-trusted certificate
   Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
   
   $ ls -al ~/gateway-client-trust.jks
   -rw-r--r--  1 smolnar  staff  2068 Feb 26 21:45 /Users/smolnar/gateway-client-trust.jks
   
   $ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
   Enter username: guest
   Enter password: 
   Caught: org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   	at org.apache.knox.gateway.shell.AbstractRequest.now(AbstractRequest.java:81)
   	at org.apache.knox.gateway.shell.AbstractRequest$now.call(Unknown Source)
   	at ExampleWebHdfsLs.run(ExampleWebHdfsLs.groovy:37)
   	at org.apache.knox.gateway.shell.Shell.main(Shell.java:58)
   	at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
   	at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
   	at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
   	at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
   	at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
   ```
   
   Also tested the `init|list|destroy` commands to make sure my bash changes did not screw up anything.
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
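
The command described in this message stores whatever certificate the given URL presents (step 5 shows it doing so for a non-gateway host), so the trust decision rests on the URL alone. As an added example that is not part of the pull request or of Knox, the following Python code checks a presented certificate against a SHA-256 fingerprint obtained out of band before it is trusted; the function names, the `PinMismatch` exception and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl


class PinMismatch(Exception):
    """The presented certificate is not the one the operator expected."""


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex digits."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value keytool/openssl display."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def matches_pin(pem: str, expected_fp: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint to the pin."""
    return hmac.compare_digest(pem_fingerprint(pem),
                               normalize_fingerprint(expected_fp))


def fetch_if_pinned(host: str, port: int, expected_fp: str) -> str:
    """Fetch the certificate the server presents (no chain validation, as on
    first contact) and return its PEM only if it matches the pin."""
    pem = ssl.get_server_certificate((host, port))
    if not matches_pin(pem, expected_fp):
        raise PinMismatch(f"{host}:{port} presented {pem_fingerprint(pem)}")
    return pem


# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash of the encoded bytes, so any byte string exercises the comparison.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_PIN = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())

if __name__ == "__main__":
    print(matches_pin(SAMPLE_PEM, SAMPLE_PIN))   # pin agrees
    print(matches_pin(SAMPLE_PEM, "00" * 32))    # pin disagrees
```

The expected fingerprint has to come from a channel other than the connection being checked, for example from the gateway administrator.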