You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: knox-site/docs/knox_cli.md
+35-5Lines changed: 35 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -88,6 +88,34 @@ Argument | Description
88
88
\-\-generate | Boolean flag to indicate whether the tool should just generate the value. This assumes that \-\-value is not set - will result in error otherwise. User will not be prompted for the value when \-\-generate is set.
89
89
\-\-cluster | Name of Hadoop cluster for the cluster specific credential store otherwise assumes that it is for the gateway itself
90
90
91
+
#### Batch alias creation across multiple credential stores ####
Creates multiple alias/secret pairs across one or more credential stores in a single invocation. The argument list is interpreted positionally: each `--cluster` closes the preceding group of `--alias`/`--value` pairs and assigns them to that cluster's credential store. Any `--alias` entries appearing before the first `--cluster` are written to the gateway credential store (`__gateway`). After the aliases are written, the full alias listing for each affected cluster is printed.
96
+
97
+
Argument | Description
98
+
-------------|-----------
99
+
\-\-alias | Name of an alias to create. Belongs to the credential store of the next `--cluster` argument, or to `__gateway` if none follows.
100
+
\-\-value | Parameter for specifying the actual password otherwise prompted. Escape complex passwords or surround with single quotes.
101
+
\-\-cluster | Name of the Hadoop cluster whose credential store the preceding aliases should be written to. May be specified multiple times.
102
+
\-\-generate | Boolean flag to indicate whether the tool should just generate the value. This assumes that `--value` is not set - will result in error otherwise. User will not be prompted for the value when `--generate` is set.
Reads one or more Kubernetes Secrets and creates a Knox alias for each. Intended for Knox deployments running inside Kubernetes; uses in-cluster configuration to talk to the Kubernetes API.
109
+
110
+
Every Secret must contain the keys `alias.name` (the alias name) and `alias.value` (the secret value). The optional `topology` key selects the credential store to write to; when absent the alias is stored in the gateway-level credential store (`__gateway`).
111
+
112
+
All Secrets are fetched and validated before any alias is written, so a failure in the batch leaves the credential store untouched.
113
+
114
+
Argument | Description
115
+
---------------|-----------
116
+
secret-name | Name of a Kubernetes Secret to read. One or more may be passed; all aliases are created atomically.
117
+
\-\-namespace | Kubernetes namespace to look up the secrets in. Defaults to `knox`. `--ns` is accepted as a shorthand.
118
+
91
119
#### Alias deletion ####
92
120
##### `bin/knoxcli.sh delete-alias name [--cluster c] [--help]` #####
93
121
Deletes a password and alias mapping from a credential store within `{GATEWAY_HOME}/data/security/keystores`.
@@ -98,14 +126,14 @@ name | Name of the alias to delete
98
126
\-\-cluster | Name of Hadoop cluster for the cluster specific credential store otherwise assumes '__gateway'
Lists the alias names for one or more credential stores within `{GATEWAY_HOME}/data/security/keystores`. The aliases for each cluster are listed in a separate section, each followed by an item count. If a supplied cluster name has no credential store, an `Invalid cluster name provided` notice is printed for that entry and the remaining clusters are still processed.
103
131
104
132
NOTE: This command will list the aliases in lowercase which is a result of the underlying credential store implementation. Lookup of credentials is a case insensitive operation - so this is not an issue.
105
133
106
134
Argument | Description
107
135
------------|-----------
108
-
\-\-cluster | Name of Hadoop cluster for the cluster specific credential store otherwise assumes '__gateway'
136
+
\-\-cluster | Comma-separated list of Hadoop cluster names whose credential stores should be listed. Defaults to `__gateway` when omitted.
\-\-hostname | Name of the host to be used in the self-signed certificate. This allows multi-host deployments to specify the proper hostnames for hostname verification to succeed on the client side of the SSL connection. The default is 'localhost'.
The export-cert command exports the public certificate from the a gateway.jks keystore with the alias of gateway-identity. It will be exported to `{GATEWAY_HOME}/data/security/keystores/` with a name of `gateway-client-trust.<type>`. Using the `--type` option you can specify which keystore type you need (default: PEM)
121
149
122
-
**NOTE:** The password for the JKS, JCEKS and PKCS12 types is `changeit`. It can be changed using: `keytool -storepasswd -storetype <type> -keystore gateway-client-trust.<type>`
150
+
**NOTE:** The password for the JKS, JCEKS, PKCS12 and BCFKS types is `changeit`. It can be changed using: `keytool -storepasswd -storetype <type> -keystore gateway-client-trust.<type>`
151
+
152
+
**NOTE:**`BCFKS` is BouncyCastle's FIPS-compliant keystore format and requires a BouncyCastle provider to be **registered** with the JVM (not merely present on the classpath). The `bcprov-jdk18on` jar shipped with Knox is not registered as a security provider by the gateway, so on a stock JVM the export will fail with `NoSuchAlgorithmException: BCFKS`. Use the `BCFKS` type only on a JVM where a BouncyCastle provider is registered via `java.security` — in Knox this is the FIPS-configured deployment in which the BouncyCastle FIPS provider (`bc-fips`) is installed as a JVM security provider.
0 commit comments