smolnar82 opened a new pull request #60: KNOX-1418 - New KnoxShell command to build truststore using the gateway server's public certificate

URL: https://github.com/apache/knox/pull/60

## What changes were proposed in this pull request?

Currently, the KnoxShell setup requires some manual steps: log in to the machine where the gateway server is located, execute `knoxcli.sh export-cert --type JKS`, then copy the result to the current user's home. To make it easier for our end-users, a new KnoxShell command was added to do this work: `buildTrustStore <knox-gateway-url>`

## How was this patch tested?

Executing JUnit tests (including integration tests):

```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 17:47 min (Wall Clock)
[INFO] Finished at: 2019-02-26T21:21:54+01:00
[INFO] Final Memory: 267M/1641M
[INFO] ------------------------------------------------------------------------
```

Additionally, the following manual test steps were executed:

1. Unzipped the updated version of `knoxshell-1.3.0-SNAPSHOT.zip` locally and removed the previously created `~/gateway-client-trust.jks`.

2. Checked if the new command is available in KnoxShell's help:

```
$ ./bin/knoxshell.sh help
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache Knox Sessions and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.

knoxshell usage: knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
  ----------------------------------------------------------
  buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
    example: knoxshell.sh buildTrustStore https://localhost:8443/
  init <topology-url> - requests a session from the knox token service at the url
    example: knoxshell.sh init https://localhost:8443/gateway/sandbox
  list - lists the details of the cached knox session token
    example: knoxshell.sh list
  destroy - removes the cached knox session token
    example: knoxshell.sh destroy
  <script-file-name> - executes the groovy script file
    example: knoxshell.sh ~/bin/ls.groovy
```

3. Invoked `knoxshell.sh buildTrustStore` without the mandatory `<knox-gateway-url>` parameter:

```
$ ./bin/knoxshell.sh buildTrustStore
Illegal number of parameters.
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache Knox Sessions and executing the Apache Knox groovy-based DSL scripts. It may also be used to enter an interactive shell where groovy-based DSL and groovy code may be entered and executed in realtime.

knoxshell usage: knoxshell.sh [[buildTrustStore <knox-gateway-url>|init <topology-url>|list|destroy|help] | [<script-file-name>]]
  ----------------------------------------------------------
  buildTrustStore <knox-gateway-url> - downloads the given gateway server's public certificate and builds a trust store to be used by KnoxShell
    example: knoxshell.sh buildTrustStore https://localhost:8443/
...
```

4. Tested that the trust store was built using a valid gateway server's cert and that the trust store is OK to run KnoxShell samples:

```
$ ls -al ~/gateway-client-trust.jks
ls: /Users/smolnar/gateway-client-trust.jks: No such file or directory
$ ./bin/knoxshell.sh buildTrustStore https://c7401.ambari.apache.org:8443/
Opening connection to c7401.ambari.apache.org:8443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
$ ls -al /Users/smolnar/gateway-client-trust.jks
-rw-r--r--  1 smolnar  staff  674 Feb 26 21:26 /Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
[app-logs, ats, atsv2, hdp, mapred, mr-history, tmp, user]
```

5. Tested that a trust store built using another (non-gateway) server's cert makes running a KnoxShell sample fail:

```
$ ./bin/knoxshell.sh buildTrustStore https://google.com:443/
Opening connection to google.com:443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into /Users/smolnar/gateway-client-trust.jks
$ ls -al ~/gateway-client-trust.jks
-rw-r--r--  1 smolnar  staff  2068 Feb 26 21:45 /Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
Caught: org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.apache.knox.gateway.shell.KnoxShellException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.apache.knox.gateway.shell.AbstractRequest.now(AbstractRequest.java:81)
        at org.apache.knox.gateway.shell.AbstractRequest$now.call(Unknown Source)
        at ExampleWebHdfsLs.run(ExampleWebHdfsLs.groovy:37)
        at org.apache.knox.gateway.shell.Shell.main(Shell.java:58)
        at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
        at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
        at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
        at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
        at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
```

Also tested the `init|list|destroy` commands to make sure my bash changes did not screw up anything.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
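The flow the PR describes (open a connection to the gateway URL, start the TLS handshake, capture the certificate the server presents even though validation fails, and write it into `~/gateway-client-trust.jks`) as an added Java example. This is illustration code written for this page, not the PR's or Knox's implementation: the `CapturingTrustManager` class, the `gateway-identity` alias, the `changeit` store password and the output path are assumptions. It also prints the leaf certificate's subject and SHA-256 fingerprint before writing the store, because, as manual test step 5 shows, the command exports whatever certificate the given URL presents; comparing that fingerprint with the gateway's real certificate (for example from the gateway host's own keystore) is the check an operator wants before KnoxShell starts trusting it.

```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class BuildTrustStoreExample {

    // Assumed output location and password; the real command's defaults may differ.
    private static final Path TRUST_STORE =
            Paths.get(System.getProperty("user.home"), "gateway-client-trust.jks");
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** Records the chain the server presents, then defers to the JVM's default trust manager. */
    static final class CapturingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] captured;

        CapturingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            captured = chain.clone();   // keep a copy whether or not validation succeeds
            delegate.checkServerTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null => the JVM's default cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Connects to the gateway URL and returns the certificate chain it presented. */
    static X509Certificate[] fetchServerChain(URI gatewayUrl) throws Exception {
        String host = gatewayUrl.getHost();
        int port = gatewayUrl.getPort() == -1 ? 443 : gatewayUrl.getPort();
        CapturingTrustManager capturing = new CapturingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capturing }, null);
        System.out.println("Opening connection to " + host + ":" + port + "...");
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
        } catch (SSLException e) {
            // Expected for a self-signed gateway cert: validation fails after the chain was captured.
            System.out.println("SSL exception; found non-trusted certificate");
        }
        if (capturing.captured == null) {
            throw new IllegalStateException("server presented no certificate chain");
        }
        return capturing.captured;
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Writes the leaf certificate into a fresh JKS trust store. */
    static void writeTrustStore(X509Certificate leaf, Path target, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);        // start from an empty store
        ks.setCertificateEntry("gateway-identity", leaf);
        try (OutputStream out = Files.newOutputStream(target)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("Illegal number of parameters.");
            System.exit(1);
        }
        X509Certificate[] chain = fetchServerChain(URI.create(args[0]));
        X509Certificate leaf = chain[0];
        // Show what is about to be trusted so it can be compared with the gateway's real cert.
        System.out.println("Subject: " + leaf.getSubjectX500Principal());
        System.out.println("SHA-256: " + sha256Fingerprint(leaf));
        writeTrustStore(leaf, TRUST_STORE, TRUST_STORE_PASSWORD);
        System.out.println("Gateway server's certificate is exported into " + TRUST_STORE);
    }
}
```

Run it as `java BuildTrustStoreExample https://localhost:8443/`. The delegate trust manager is kept in the chain so that a gateway certificate already trusted by the JVM's cacerts still completes the handshake normally; in both the trusted and untrusted cases the presented chain is captured before any decision is made. After the store is written, `keytool -list -v -keystore ~/gateway-client-trust.jks` shows the same fingerprint, which is the value to check against the gateway side.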
