Author: more
Date: Fri Apr 20 15:04:31 2018
New Revision: 1829661
URL: http://svn.apache.org/viewvc?rev=1829661&view=rev
Log:
KNOX-1265 - Document Remote Alias Discovery
Modified:
knox/site/books/knox-1-1-0/user-guide.html
knox/site/index.html
knox/site/issue-tracking.html
knox/site/license.html
knox/site/mail-lists.html
knox/site/project-info.html
knox/site/team-list.html
knox/trunk/books/1.1.0/book.md
knox/trunk/books/1.1.0/config.md
Modified: knox/site/books/knox-1-1-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-1-1-0/user-guide.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/books/knox-1-1-0/user-guide.html (original)
+++ knox/site/books/knox-1-1-0/user-guide.html Fri Apr 20 15:04:31 2018
@@ -41,6 +41,7 @@
<li><a href="#Cluster+Configuration+Monitoring">Cluster Configuration
Monitoring</a></li>
<li><a href="#Remote+Configuration+Monitor">Remote Configuration
Monitor</a></li>
<li><a href="#Remote+Configuration+Registry+Clients">Remote
Configuration Registry Clients</a></li>
+ <li><a href="#Remote+Alias+Discovery">Remote Alias Discovery</a></li>
<li><a href="#Topology+Descriptors">Topology Descriptors</a></li>
<li><a href="#Hostmap+Provider">Hostmap Provider</a></li>
</ul></li>
@@ -732,6 +733,11 @@ https://{gateway-host}:{gateway-port}/{g
<td>The interval (in seconds) at which the cluster monitor will poll
Ambari for cluster configuration changes. </td>
<td>60</td>
</tr>
+ <tr>
+ <td>gateway.remote.alias.service.enabled </td>
+ <td>Turn on/off Remote Alias Discovery, this will take effect only when
remote configuration monitor is enabled </td>
+ <td>true</td>
+ </tr>
</tbody>
</table><h4><a id="Topology+Descriptors">Topology Descriptors</a> <a
href="#Topology+Descriptors"><img
src="markbook-section-link.png"/></a></h4><p>The topology descriptor files
provide the gateway with per-cluster configuration information. This includes
configuration for both the providers within the gateway and the services within
the Hadoop cluster. These files are located in
<code>{GATEWAY_HOME}/conf/topologies</code>. The general outline of this
document looks like this.</p>
<pre><code><topology>
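Review bot: The description cell of the new gateway.remote.alias.service.enabled row says the setting takes effect "only when remote configuration monitor is enabled" but does not name or link what enables that monitor, so with a default of true a reader cannot tell from this row whether alias discovery is active on their gateway. Link the phrase to the Remote Configuration Monitor section, as the prose in this file already does with href="#Remote+Configuration+Monitor". The name cell also has a trailing space before the closing td, and the description is a comma splice; the same text appears in the config.md hunk of this commit, so fix it there.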
@@ -1115,7 +1121,13 @@ trustworthiness.
<value>type=ZooKeeper;address=zkhost1:2181,zkhost2:2181,zkhost3:2181;authType=Kerberos;principal=myzkuser;keytab=/home/user/myzk.keytab;useKeyTab=true;useTicketCache=false</value>
<description>ZooKeeper configuration registry client
details.</description>
</property>
-</code></pre><p><em>While multiple such clients can be configured, for
ZooKeeper clients, there is currently a limitation with respect to
authentication. Multiple clients cannot each have distinct authentication
configurations. This limitation is imposed by the underlying ZooKeeper client.
Therefore, the clients must all be insecure (no authentication configured), or
they must all authenticate to the same ZooKeeper using the same
credentials.</em></p><p>The <a href="#Remote+Configuration+Monitor">remote
configuration monitor</a> facility uses these client configurations to perform
its function.</p><h4><a id="Logging">Logging</a> <a href="#Logging"><img
src="markbook-section-link.png"/></a></h4><p>If necessary you can enable
additional logging by editing the <code>log4j.properties</code> file in the
<code>conf</code> directory. Changing the <code>rootLogger</code> value from
<code>ERROR</code> to <code>DEBUG</code> will generate a large amount of debug
logging. A number of useful, mo
re fine loggers are also provided in the file.</p><h4><a
id="Java+VM+Options">Java VM Options</a> <a href="#Java+VM+Options"><img
src="markbook-section-link.png"/></a></h4><p>TODO - Java VM options
doc.</p><h4><a id="Persisting+the+Master+Secret">Persisting the Master
Secret</a> <a href="#Persisting+the+Master+Secret"><img
src="markbook-section-link.png"/></a></h4><p>The master secret is required to
start the server. This secret is used to access secured artifacts by the
gateway instance. Keystore, trust stores and credential stores are all
protected with the master secret.</p><p>You may persist the master secret by
supplying the <em>-persist-master</em> switch at startup. This will result in a
warning indicating that persisting the secret is less secure than providing it
at startup. We do make some provisions in order to protect the persisted
password.</p><p>It is encrypted with AES 128 bit encryption and where possible
the file permissions are set to only be accessible by the user
that the gateway is running as.</p><p>After persisting the secret, ensure
that the file at data/security/master has the appropriate permissions set for
your environment. This is probably the most important layer of defense for
master secret. Do not assume that the encryption is sufficient
protection.</p><p>A specific user should be created to run the gateway. This
user will be the only user with permissions for the persisted master
file.</p><p>See the Knox CLI section for descriptions of the command line
utilities related to the master secret.</p><h4><a
id="Management+of+Security+Artifacts">Management of Security Artifacts</a> <a
href="#Management+of+Security+Artifacts"><img
src="markbook-section-link.png"/></a></h4><p>There are a number of artifacts
that are used by the gateway in ensuring the security of wire level
communications, access to protected resources and the encryption of sensitive
data. These artifacts can be managed from outside of the gateway instances or
generated a
nd populated by the gateway instance itself.</p><p>The following is a
description of how this is coordinated with both standalone (development, demo,
etc) gateway instances and instances as part of a cluster of gateways in
mind.</p><p>Upon start of the gateway server we:</p>
+</code></pre><p><em>While multiple such clients can be configured, for
ZooKeeper clients, there is currently a limitation with respect to
authentication. Multiple clients cannot each have distinct authentication
configurations. This limitation is imposed by the underlying ZooKeeper client.
Therefore, the clients must all be insecure (no authentication configured), or
they must all authenticate to the same ZooKeeper using the same
credentials.</em></p><p>The <a href="#Remote+Configuration+Monitor">remote
configuration monitor</a> facility uses these client configurations to perform
its function.</p><h4><a id="Remote+Alias+Discovery">Remote Alias Discovery</a>
<a href="#Remote+Alias+Discovery"><img
src="markbook-section-link.png"/></a></h4><p>Knox will also monitor for remote
aliases that are added, deleted or updated. By default this is turned on (if
Remote Configuration Monitor is on) and will sync all the aliases. In case one
wants to turn off this feature they can do so by using t
he property “gateway.remote.alias.service.enabled” in
gateway-site.xml. Knox needs to be restarted for this change to take effect.
</p>
+<pre><code><property>
+ <name>gateway.remote.alias.service.enabled</name>
+ <value>false</value>
+ <description>Turn on/off Remote Alias Discovery(true by
default)</description>
+</property>
+</code></pre><h4><a id="Logging">Logging</a> <a href="#Logging"><img
src="markbook-section-link.png"/></a></h4><p>If necessary you can enable
additional logging by editing the <code>log4j.properties</code> file in the
<code>conf</code> directory. Changing the <code>rootLogger</code> value from
<code>ERROR</code> to <code>DEBUG</code> will generate a large amount of debug
logging. A number of useful, more fine loggers are also provided in the
file.</p><h4><a id="Java+VM+Options">Java VM Options</a> <a
href="#Java+VM+Options"><img src="markbook-section-link.png"/></a></h4><p>TODO
- Java VM options doc.</p><h4><a id="Persisting+the+Master+Secret">Persisting
the Master Secret</a> <a href="#Persisting+the+Master+Secret"><img
src="markbook-section-link.png"/></a></h4><p>The master secret is required to
start the server. This secret is used to access secured artifacts by the
gateway instance. Keystore, trust stores and credential stores are all
protected with the master secret.</p><p>You m
ay persist the master secret by supplying the <em>-persist-master</em> switch
at startup. This will result in a warning indicating that persisting the secret
is less secure than providing it at startup. We do make some provisions in
order to protect the persisted password.</p><p>It is encrypted with AES 128 bit
encryption and where possible the file permissions are set to only be
accessible by the user that the gateway is running as.</p><p>After persisting
the secret, ensure that the file at data/security/master has the appropriate
permissions set for your environment. This is probably the most important layer
of defense for master secret. Do not assume that the encryption is sufficient
protection.</p><p>A specific user should be created to run the gateway. This
user will be the only user with permissions for the persisted master
file.</p><p>See the Knox CLI section for descriptions of the command line
utilities related to the master secret.</p><h4><a
id="Management+of+Security+Arti
facts">Management of Security Artifacts</a> <a
href="#Management+of+Security+Artifacts"><img
src="markbook-section-link.png"/></a></h4><p>There are a number of artifacts
that are used by the gateway in ensuring the security of wire level
communications, access to protected resources and the encryption of sensitive
data. These artifacts can be managed from outside of the gateway instances or
generated and populated by the gateway instance itself.</p><p>The following is
a description of how this is coordinated with both standalone (development,
demo, etc) gateway instances and instances as part of a cluster of gateways in
mind.</p><p>Upon start of the gateway server we:</p>
<ol>
<li>Look for an identity store at
<code>data/security/keystores/gateway.jks</code>. The identity store contains
the certificate and private key used to represent the identity of the server
for SSL connections and signature creation.
<ul>
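Review bot: The added Remote Alias Discovery section says Knox will "sync all the aliases" by default, while the paragraph directly above it allows the registry clients to be "insecure (no authentication configured)", and nothing in the section says what protects aliases held in the remote registry. The section should state which registry client the feature uses, where the aliases live in the registry, and whether they are stored in a protected form, and it should say what is expected of the client configuration when the feature is left on. It also uses "remote aliases" without defining or linking the term. Minor: the property name is set in typographic quotes rather than in code markup, unlike log4j.properties and rootLogger later in the same hunk.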
Modified: knox/site/index.html
URL:
http://svn.apache.org/viewvc/knox/site/index.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Announcing Apache Knox 1.0.0!</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
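Review bot: The only changes to this file are the Doxia generation date, the Date-Revision-yyyymmdd meta value and the "Last Published" date, each moving from 2018-04-05 to 2018-04-20, and the same change repeats in issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html. None of it relates to KNOX-1265. Consider committing regenerated site pages separately so that the documentation change is easier to review and to revert.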
Modified: knox/site/issue-tracking.html
URL:
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Issue Tracking</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
Modified: knox/site/license.html
URL:
http://svn.apache.org/viewvc/knox/site/license.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project License</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
Modified: knox/site/mail-lists.html
URL:
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Mailing Lists</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
Modified: knox/site/project-info.html
URL:
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Information</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
Modified: knox/site/team-list.html
URL:
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Fri Apr 20 15:04:31 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2018-04-05
+ | Generated by Apache Maven Doxia at 2018-04-20
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180405" />
+ <meta name="Date-Revision-yyyymmdd" content="20180420" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Team list</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2018-04-05</li>
+ <li id="publishDate" class="pull-right">Last Published:
2018-04-20</li>
</ul>
</div>
Modified: knox/trunk/books/1.1.0/book.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/book.md?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/book.md (original)
+++ knox/trunk/books/1.1.0/book.md Fri Apr 20 15:04:31 2018
@@ -45,6 +45,7 @@
* #[Cluster Configuration Monitoring]
* #[Remote Configuration Monitor]
* #[Remote Configuration Registry Clients]
+ * #[Remote Alias Discovery]
* #[Topology Descriptors]
* #[Hostmap Provider]
* #[Knox CLI]
Modified: knox/trunk/books/1.1.0/config.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config.md?rev=1829661&r1=1829660&r2=1829661&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config.md (original)
+++ knox/trunk/books/1.1.0/config.md Fri Apr 20 15:04:31 2018
@@ -146,6 +146,7 @@ gateway.remote.config.monitor.client|A r
gateway.remote.config.registry.<b><name></b>|A named [remote
configuration registry client](#Remote+Configuration+Registry+Clients)
definition|null
gateway.cluster.config.monitor.ambari.enabled | Indicates whether the cluster
monitoring and associated dynamic topology updating is enabled. | false
gateway.cluster.config.monitor.ambari.interval | The interval (in seconds) at
which the cluster monitor will poll Ambari for cluster configuration changes. |
60
+gateway.remote.alias.service.enabled | Turn on/off Remote Alias Discovery,
this will take effect only when remote configuration monitor is enabled | true
#### Topology Descriptors ####
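Review bot: The new row is appended after the gateway.cluster.config.monitor.ambari.* rows, although its description ties it to the remote configuration monitor; placing it beside the gateway.remote.config.* rows shown in the context above would keep related settings together. The description could link to the section this commit adds, the way the gateway.remote.config.registry row links to #Remote+Configuration+Registry+Clients, and "Discovery, this will take effect" reads better as two sentences.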
@@ -742,6 +743,16 @@ _While multiple such clients can be conf
The [remote configuration monitor](#Remote+Configuration+Monitor) facility
uses these client configurations to perform its function.
+#### Remote Alias Discovery ####
+
+Knox will also monitor for remote aliases that are added, deleted or updated.
By default this is turned on (if Remote Configuration Monitor is on) and will
sync all the aliases. In case one wants to turn off this feature they can do so
by using the property "gateway.remote.alias.service.enabled" in
gateway-site.xml. Knox needs to be restarted for this change to take effect.
+
+ <property>
+ <name>gateway.remote.alias.service.enabled</name>
+ <value>false</value>
+ <description>Turn on/off Remote Alias Discovery(true by
default)</description>
+ </property>
+
#### Logging ####
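Review bot: The sample property block sets the value to false while its own description says "true by default", and the paragraph before it only says the feature can be turned off "by using the property" without stating the value, so a reader who copies the block as a template disables alias sync without being told so. Add a lead-in before the block saying that it disables the feature. The paragraph also does not define "remote aliases" or say where they are read from. Minor: add the missing space in "Discovery(true by default)" and mark the property name as code instead of putting it in quotes.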