Author: buildbot
Date: Tue Feb 17 17:33:12 2015
New Revision: 940496
Log:
Staging update by buildbot for slider
Modified:
websites/staging/slider/trunk/content/ (props changed)
websites/staging/slider/trunk/content/docs/security.html
Propchange: websites/staging/slider/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Feb 17 17:33:12 2015
@@ -1 +1 @@
-1659654
+1660455
Modified: websites/staging/slider/trunk/content/docs/security.html
==============================================================================
--- websites/staging/slider/trunk/content/docs/security.html (original)
+++ websites/staging/slider/trunk/content/docs/security.html Tue Feb 17
17:33:12 2015
@@ -398,7 +398,56 @@ documentation.</p>
</pre></div>
-<h3 id="important-java-cryptography-package">Important: Java Cryptography
Package</h3>
+<h2
id="generation-and-deployment-of-application-keystorestruststores">Generation
and deployment of application keystores/truststores</h2>
+<p>Application components may make use of keystores and truststores to
establish secure communications. Given the nature of application deployments
in a YARN cluster and the lack of certainty concerning the nodemanager host on
which a component container may be spawned, Slider provides the facility for
creating and deploying the keystores and truststores that may be required.</p>
+<p>The process of enabling application keystore/truststore generation and
deployment is:</p>
+<ul>
+<li>Set the "slider.component.security.stores.required" property to "true".
This property can be set as a global property (indicating all components
require stores) or can be set/overridden at the component level to selectively
enable store generation for a given component.</li>
+<li>Specify the password property for the component keystore or truststore
or,</li>
+<li>Specify the property providing the alias that references a credential
managed by the Hadoop Credential Provider. This credential provides the
password for securing the keystore/truststore.</li>
+</ul>
+<h3 id="specifying-a-keystoretruststore-password">Specifying a
keystore/truststore password</h3>
+<p>Applications that make use of a keystore and/or truststore may already have
configuration properties that reference the value for the password used to
secure the given certificate store. In those instances the application
configuration can reference the value of the password property in the component
specific configuration section:</p>
+<div class="codehilite"><pre> "<span
class="n">APP_COMPONENT</span>"<span class="p">:</span> <span
class="p">{</span>
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">component</span><span class="p">.</span><span
class="n">security</span><span class="p">.</span><span
class="n">stores</span><span class="p">.</span><span
class="n">required</span>"<span class="p">:</span> "<span
class="n">true</span>"<span class="p">,</span>
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">component</span><span class="p">.</span><span
class="n">keystore</span><span class="p">.</span><span
class="n">password</span><span class="p">.</span><span
class="n">property</span>"<span class="p">:</span> "<span
class="n">site</span><span class="p">.</span><span class="n">myapp</span><span
class="o">-</span><span class="n">site</span><span class="p">.</span><span
class="n">app_component</span><span class="p">.</span><span
class="n">keystore</span><span class="p">.</span><span
class="n">password</span>"
+ <span class="p">}</span>
+</pre></div>
+
+
+<p>In this example:</p>
+<ul>
+<li>The store required property is set to "true" for the APP_COMPONENT
component</li>
+<li>The application has a property in its site configuration file named
"app_component.keystore.password". This property is specified in the appConfig
file's global section (with the "site.myapp-site" prefix), and is referenced
here to indicate to Slider which application property provides the store
password.</li>
+</ul>
+<h3 id="specifying-a-keystoretruststore-credential-provider-alias">Specifying
a keystore/truststore Credential Provider alias</h3>
+<p>Applications that utilize the Credenfial Provider API to retrieve
application passwords can specify the following configuration:</p>
+<ul>
+<li>
+<p>Indicate the credential storage path in the "credentials" section of the
app configuration file:</p>
+<div class="codehilite"><pre> "credentials": {
+ "jceks://hdfs/user/<span class="cp">${</span><span
class="n">USER</span><span class="cp">}</span>/myapp.jceks":
["app_component.keystore.password.alias"]
+ }
+</pre></div>
+
+
+</li>
+</ul>
+<p>If you specify a list of aliases and are making use of the Slider CLI for
application deployment, you will be prompted to enter a value for the passwords
specified if no password matching a configured alias is found in the credential
store. However, any mechanism available for pre-populating the credential
store may be utilized.</p>
+<ul>
+<li>
+<p>Reference the alias to use for securing the keystore/truststore in the
component's configuraton section:</p>
+<div class="codehilite"><pre>"<span
class="n">APP_COMPONENT</span>"<span class="p">:</span> <span
class="p">{</span>
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">component</span><span class="p">.</span><span
class="n">security</span><span class="p">.</span><span
class="n">stores</span><span class="p">.</span><span
class="n">required</span>"<span class="p">:</span> "<span
class="n">true</span>"<span class="p">,</span>
+ "<span class="n">slider</span><span class="p">.</span><span
class="n">component</span><span class="p">.</span><span
class="n">keystore</span><span class="p">.</span><span
class="n">credential</span><span class="p">.</span><span
class="n">alias</span><span class="p">.</span><span
class="n">property</span>"<span class="p">:</span> "<span
class="n">app_component</span><span class="p">.</span><span
class="n">keystore</span><span class="p">.</span><span
class="n">password</span><span class="p">.</span><span
class="n">alias</span>"
+<span class="p">}</span>
+</pre></div>
+
+
+</li>
+</ul>
+<p>At runtime, Slider will read the credential mapped to the alias (in this
case, "app_component.keystore.password.alias"), and leverage the password
stored to secure the generated keystore.</p>
+<h2 id="important-java-cryptography-package">Important: Java Cryptography
Package</h2>
<p>When trying to talk to a secure, cluster you may see the message:</p>
<div class="codehilite"><pre><span class="n">No</span> <span
class="n">valid</span> <span class="n">credentials</span> <span
class="n">provided</span> <span class="p">(</span><span
class="n">Mechanism</span> <span class="n">level</span><span class="p">:</span>
<span class="n">Illegal</span> <span class="n">key</span> <span
class="nb">size</span><span class="p">)]</span>
</pre></div>
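Review bot: the new section promises keystore *and* truststore support ("Specify the password property for the component keystore or truststore"), but both examples only show the keystore property names (`slider.component.keystore.password.property` and `slider.component.keystore.credential.alias.property`); the truststore equivalents are never named, so a reader cannot configure a truststore from this page. Either add the truststore property names next to each keystore example or state explicitly which properties apply to both stores. The section should also say which of the two approaches is recommended: with the password-property approach the keystore password value itself lives in the appConfig file (under the "site.myapp-site" prefix in the global section), whereas the Credential Provider alias keeps only an alias there and the password in the jceks store. Two typos in the added text: "Credenfial Provider API" should be "Credential Provider API", and "configuraton section" should be "configuration section". Minor: the closing brace of the second "APP_COMPONENT" example is not indented like the first one.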