[
https://issues.apache.org/jira/browse/KNOX-1418?focusedWorklogId=204766&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-204766
]
ASF GitHub Bot logged work on KNOX-1418:
----------------------------------------
Author: ASF GitHub Bot
Created on: 26/Feb/19 20:55
Start Date: 26/Feb/19 20:55
Worklog Time Spent: 10m
Work Description: smolnar82 commented on pull request #60: KNOX-1418 -
New KnoxShell command to build truststore using the gateway server's public
certificate
URL: https://github.com/apache/knox/pull/60
## What changes were proposed in this pull request?
Currently, the KnoxShell setup requires some manual steps to log in to the
machine where the gateway server is located and execute
`knoxcli.sh export-cert --type JKS`, then copy it to the current user's home.
To make it easier for our end-users, a new KnoxShell command was added to do
this work:
`buildTrustStore <knox-gateway-url>`
## How was this patch tested?
Executing JUnit tests (including integration tests):
```
[INFO]
------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 17:47 min (Wall Clock)
[INFO] Finished at: 2019-02-26T21:21:54+01:00
[INFO] Final Memory: 267M/1641M
[INFO]
------------------------------------------------------------------------
```
Additionally, the following manual test steps were executed:
1. Unzipped the updated version of `knoxshell-1.3.0-SNAPSHOT.zip` locally
and removed previously created `~/gateway-client-trust.jks`
2. Checked if the new command is available in KnoxShell's help:
```
$ ./bin/knoxshell.sh help
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache
Knox Sessions
and executing the Apache Knox groovy-based DSL scripts. It may also be used
to enter an
interactive shell where groovy-based DSL and groovy code may be entered and
executed in realtime.
knoxshell usage:
knoxshell.sh [[buildTrustStore <knox-gateway-url>|init
<topology-url>|list|destroy|help] | [<script-file-name>]]
----------------------------------------------------------
buildTrustStore <knox-gateway-url> - downloads the given gateway server's
public certificate and builds a trust store to be used by KnoxShell
example: knoxshell.sh buildTrustStore https://localhost:8443/
init <topology-url> - requests a session from the knox token service at
the url
example: knoxshell.sh init https://localhost:8443/gateway/sandbox
list - lists the details of the cached knox session token
example: knoxshell.sh list
destroy - removes the cached knox session token
example: knoxshell.sh destroy
<script-file-name> - executes the groovy script file
example: knoxshell.sh ~/bin/ls.groovy
```
3. Invoked `knoxshell.sh buildTrustStore` without the mandatory
`<knox-gateway-url>` parameter:
```
$ ./bin/knoxshell.sh buildTrustStore
Illegal number of parameters.
Apache Knox Client Shell
The client shell facility provide a CLI for establishing and managing Apache
Knox Sessions
and executing the Apache Knox groovy-based DSL scripts. It may also be used
to enter an
interactive shell where groovy-based DSL and groovy code may be entered and
executed in realtime.
knoxshell usage:
knoxshell.sh [[buildTrustStore <knox-gateway-url>|init
<topology-url>|list|destroy|help] | [<script-file-name>]]
----------------------------------------------------------
buildTrustStore <knox-gateway-url> - downloads the given gateway server's
public certificate and builds a trust store to be used by KnoxShell
example: knoxshell.sh buildTrustStore https://localhost:8443/
...
```
4. Tested if trust store was built using a valid gateway server's cert and
the trust store is OK to run KnoxShell samples:
```
$ ls -al ~/gateway-client-trust.jks
ls: /Users/smolnar/gateway-client-trust.jks: No such file or directory
$ ./bin/knoxshell.sh buildTrustStore https://c7401.ambari.apache.org:8443/
Opening connection to c7401.ambari.apache.org:8443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into
/Users/smolnar/gateway-client-trust.jks
$ ls -al /Users/smolnar/gateway-client-trust.jks
-rw-r--r-- 1 smolnar staff 674 Feb 26 21:26
/Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
[app-logs, ats, atsv2, hdp, mapred, mr-history, tmp, user]
```
5. Tested if trust store was built using another (non-gateway) server's
cert and running a KnoxShell sample failed:
```
$ ./bin/knoxshell.sh buildTrustStore https://google.com:443/
Opening connection to google.com:443...
Starting SSL handshake...
SSL exception; found non-trusted certificate
Gateway server's certificate is exported into
/Users/smolnar/gateway-client-trust.jks
$ ls -al ~/gateway-client-trust.jks
-rw-r--r-- 1 smolnar staff 2068 Feb 26 21:45
/Users/smolnar/gateway-client-trust.jks
$ ./bin/knoxshell.sh samples/ExampleWebHdfsLs.groovy
Enter username: guest
Enter password:
Caught: org.apache.knox.gateway.shell.KnoxShellException:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
org.apache.knox.gateway.shell.KnoxShellException:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at
org.apache.knox.gateway.shell.AbstractRequest.now(AbstractRequest.java:81)
at org.apache.knox.gateway.shell.AbstractRequest$now.call(Unknown
Source)
at ExampleWebHdfsLs.run(ExampleWebHdfsLs.groovy:37)
at org.apache.knox.gateway.shell.Shell.main(Shell.java:58)
at
org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
```
Also tested the `init|list|destroy` commands to make sure my bash changes
did not screw up anything.
Issue Time Tracking
-------------------
Worklog Id: (was: 204766)
Time Spent: 10m
Remaining Estimate: 0h
> Knox Shell command for downloading the public cert from a Knox instance
> -----------------------------------------------------------------------
>
> Key: KNOX-1418
> URL: https://issues.apache.org/jira/browse/KNOX-1418
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxShell
> Affects Versions: 1.1.0
> Reporter: Phil Zampino
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 1.3.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> To support the containerization of Knox, it would be helpful to have a
> KnoxShell command for getting the public cert from a Knox instance
> (equivalent to the knoxcli export-cert command, but remote).
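Manual test steps 4 and 5 in the pull request comment show the new command storing whatever certificate the endpoint presents, so the trust store is only as trustworthy as the connection it was built over. The following Python is an added example, not code from the pull request or from Knox: it fetches the certificate the same unauthenticated way but returns it only when its SHA-256 fingerprint matches one obtained out of band (assumed here to be read from the certificate exported on the gateway host). The function names and the two sample certificates are constructed for illustration.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit


class FingerprintMismatch(Exception):
    """The endpoint presented a certificate other than the pinned one."""


def normalize_fingerprint(text):
    # Accept "AB:CD:..." (keytool/openssl style) or plain hex, in any case.
    digits = text.replace(":", "").replace(" ", "").lower()
    if len(digits) != 64 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return digits


def sha256_fingerprint(pem_cert):
    # A certificate fingerprint is the hash of its DER encoding.
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def fetch_pinned_certificate(gateway_url, expected_fingerprint,
                             fetch=ssl.get_server_certificate):
    """Return the gateway's PEM certificate only if it matches the pin."""
    parts = urlsplit(gateway_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("gateway URL must look like https://host[:port]/")
    expected = normalize_fingerprint(expected_fingerprint)
    # Unauthenticated fetch: like the handshake in step 4, this accepts
    # whatever certificate the endpoint presents, so it proves nothing yet.
    pem = fetch((parts.hostname, parts.port or 443))
    actual = sha256_fingerprint(pem)
    if not hmac.compare_digest(actual, expected):
        raise FingerprintMismatch(
            f"{parts.hostname}: presented {actual}, expected {expected}")
    return pem


# Constructed sample data: arbitrary bytes standing in for DER certificates.
GATEWAY_PEM = ssl.DER_cert_to_PEM_cert(b"constructed gateway certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed other-server certificate")

if __name__ == "__main__":
    pin = sha256_fingerprint(GATEWAY_PEM)  # stands in for the out-of-band value
    for name, pem in (("gateway", GATEWAY_PEM), ("other server", OTHER_PEM)):
        try:
            fetch_pinned_certificate("https://localhost:8443/", pin,
                                     fetch=lambda addr, pem=pem: pem)
            print(name, "-> certificate accepted")
        except FingerprintMismatch as exc:
            print(name, "-> rejected:", exc)
```

With the default `fetch`, the function contacts the real endpoint; the stand-in fetchers in the demo keep it runnable offline.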