[API change] show TLS certificate details; add top-level 'ais tls' co…

…mmand * Go API: add api/x509 source: - `api.LoadX509Cert` - `api.GetX509Info` * CLI: add cmd/cli/cli/x509; consolidate all TLS in there * CLI: add top-level `ais tls`; update all related docs and references * prev. commit sequence: 3f3e502 * separately: - aistore as reverse-proxy is obsolete - update the docs, add disclaimer - related (very old) commit: 2cc8212 Signed-off-by: Alex Aizman <[email protected]>
NVIDIA · Sep 18, 2024 · 091f7b0 · 091f7b0
1 parent c0faf87
commit 091f7b0
Show file tree

Hide file tree

Showing 28 changed files with 494 additions and 247 deletions.
diff --git a/README.md b/README.md
@@ -26,14 +26,15 @@ AIS [consistently shows balanced I/O distribution and linear scalability](https:
 * **Batch jobs**. APIs and CLI to start, stop, and monitor documented [batch operations](/docs/batch.md), such as `prefetch`, `download`, copy or transform datasets, and many more.
 
 For easy usage, management, and monitoring, there's also:
-* **Integrated and powerful [CLI](/docs/cli.md)**. As of early 2024, top-level CLI commands include:
+* **Integrated easy-to-use [CLI](/docs/cli.md)**, with top-level commands including:
 ```console
-$ ais
+$ ais <TAB-TAB>
 
-bucket        etl         help           log              create        dsort        stop         blob-download
-object        job         advanced       performance      download      evict        cp           rmo
-cluster       auth        storage        remote-cluster   prefetch      get          rmb          wait
-config        show        archive        alias            put           ls           start        search
+bucket           job              storage          remote-cluster   prefetch         evict            create
+object           auth             archive          alias            put              rmo              dsort
+cluster          show             log              ls               start            wait             search
+config           help             tls              stop             get              blob-download
+etl              advanced         performance      download         rmb              cp
 ```
 
 AIS runs natively on Kubernetes and features open format - thus, the freedom to copy or move your data from AIS at any time using the familiar Linux `tar(1)`, `scp(1)`, `rsync(1)` and similar.

diff --git a/ais/htrun.go b/ais/htrun.go
@@ -1075,6 +1075,8 @@ func _checkAction(msg *apc.ActMsg, expectedActions ...string) (err error) {
 // common cplane cont-d
 //
 
+// see related "GET(what)" set of APIs: api/cluster and api/daemon
+// the enum itself in api/apc/query
 func (h *htrun) httpdaeget(w http.ResponseWriter, r *http.Request, query url.Values, htext htext) {
 	var (
 		body any
@@ -1128,8 +1130,10 @@ func (h *htrun) httpdaeget(w http.ResponseWriter, r *http.Request, query url.Val
 		daeStats := h.statsT.GetStatsV322()
 		ds.Tracker = daeStats.Tracker
 		body = ds
+	case apc.WhatCertificate: // (see also: daeLoadX509, cluLoadX509)
+		body = certloader.Props()
 	default:
-		h.writeErrf(w, r, "invalid GET /daemon request: unrecognized what=%s", what)
+		h.writeErrf(w, r, "invalid '%s' request: unrecognized 'what=%s' query", r.URL.Path, what)
 		return
 	}
 	h.writeJSON(w, r, body, "httpdaeget-"+what)

diff --git a/ais/proxy.go b/ais/proxy.go
@@ -2470,7 +2470,7 @@ func (p *proxy) reverseHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// rewrite URL path (removing `apc.Reverse`)
+	// update URL path: remove `apc.Reverse`
 	r.URL.Path = cos.JoinWords(apc.Version, apiItems[0])
 
 	nodeID := r.Header.Get(apc.HdrNodeID)

diff --git a/ais/prxs3.go b/ais/prxs3.go
@@ -720,6 +720,8 @@ func (p *proxy) initByNameOnly(w http.ResponseWriter, r *http.Request, bucket st
 // see also: docs/s3compat.md
 func (p *proxy) s3Redirect(w http.ResponseWriter, r *http.Request, si *meta.Snode, redirectURL, bucket string) {
 	if cmn.Rom.Features().IsSet(feat.S3ReverseProxy) {
+		// [intra-cluster communications]
+		// instead of regular HTTP redirect (below) reverse-proxy S3 API call to a designated target
 		p.reverseNodeRequest(w, r, si)
 		return
 	}

diff --git a/ais/x509.go b/ais/x509.go
@@ -15,6 +15,10 @@ import (
 	"github.com/NVIDIA/aistore/core/meta"
 )
 
+//
+// API endpoint: load TLS cert
+//
+
 func (h *htrun) daeLoadX509(w http.ResponseWriter, r *http.Request) {
 	if err := certloader.Load(); err != nil {
 		h.writeErr(w, r, err)

diff --git a/api/apc/query.go b/api/apc/query.go
@@ -4,8 +4,7 @@
  */
 package apc
 
-// URL Query "?name1=val1&name2=..."
-// User query params.
+// see related "GET(what)" set of APIs: api/cluster and api/daemon
 const (
 	QparamWhat = "what" // "smap" | "bmd" | "config" | "stats" | "xaction" ... (enum below)
 
@@ -212,22 +211,24 @@ const (
 
 // QparamWhat enum.
 const (
-	// cluster meta
+	// cluster metadata
 	WhatSmap = "smap"
 	WhatBMD  = "bmd"
+
 	// config
-	WhatNodeConfig    = "config" // query specific node for (cluster config + overrides, local config)
-	WhatClusterConfig = "cluster_config"
+	WhatNodeConfig    = "config"         // query specific node for (cluster config + overrides, local config)
+	WhatClusterConfig = "cluster_config" // as the name implies; identical (compressed, checksummed, versioned) copy on each node
 
 	// configured backends
 	WhatBackends = "backends"
 
 	// stats and status
-	WhatNodeStatsV322          = "stats"  // [ backward compatibility ]
-	WhatNodeStatsAndStatusV322 = "status" // [ ditto ]
-	WhatNodeStats              = "node_stats"
-	WhatNodeStatsAndStatus     = "node_status"
-	WhatDiskRWUtilCap          = "disk" // read/write stats, disk utilization, capacity
+	WhatNodeStatsV322          = "stats"       // [ backward compatibility ]
+	WhatNodeStatsAndStatusV322 = "status"      // [ ditto ]
+	WhatNodeStats              = "node_stats"  // redundant
+	WhatNodeStatsAndStatus     = "node_status" // current
+
+	WhatDiskRWUtilCap = "disk" // read/write stats, disk utilization, capacity
 
 	WhatMetricNames = "metrics"
 
@@ -237,17 +238,23 @@ const (
 	WhatSmapVote   = "smapvote"
 	WhatSysInfo    = "sysinfo"
 	WhatTargetIPs  = "target_ips" // comma-separated list of all target IPs (compare w/ GetWhatSnode)
+
 	// log
 	WhatLog = "log"
+
 	// xactions
 	WhatOneXactStatus   = "status"      // IC status by uuid (returns a single matching xaction or none)
 	WhatAllXactStatus   = "status_all"  // ditto - all matching xactions
 	WhatXactStats       = "getxstats"   // stats: xaction by uuid
 	WhatQueryXactStats  = "qryxstats"   // stats: all matching xactions
 	WhatAllRunningXacts = "running_all" // e.g. e.g.: put-copies[D-ViE6HEL_j] list[H96Y7bhR2s] ...
+
 	// internal
 	WhatSnode    = "snode"
 	WhatICBundle = "ic_bundle"
+
+	// tls
+	WhatCertificate = "tls_certificate"
 )
 
 // QparamLogSev enum.

diff --git a/api/cluster.go b/api/cluster.go
@@ -351,22 +351,6 @@ func DetachRemoteAIS(bp BaseParams, alias string) error {
 	return err
 }
 
-func LoadX509Cert(bp BaseParams, nodeID ...string) error {
-	bp.Method = http.MethodPut
-	reqParams := AllocRp()
-	{
-		reqParams.BaseParams = bp
-		if len(nodeID) > 0 {
-			reqParams.Path = apc.URLPathCluX509.Join(nodeID[0]) // the node
-		} else {
-			reqParams.Path = apc.URLPathCluX509.S // all nodes
-		}
-	}
-	err := reqParams.DoRequest()
-	FreeRp(reqParams)
-	return err
-}
-
 //
 // Backend (enable | disable)
 // see also GetConfiguredBackends above

diff --git a/api/daemon.go b/api/daemon.go
@@ -30,7 +30,7 @@ func GetMountpaths(bp BaseParams, node *meta.Snode) (mpl *apc.MountpathList, err
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.S // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.S
 		reqParams.Query = url.Values{apc.QparamWhat: []string{apc.WhatMountpaths}}
 		reqParams.Header = http.Header{
 			apc.HdrNodeID: []string{node.ID()},
@@ -93,7 +93,7 @@ func _actMpath(bp BaseParams, node *meta.Snode, mountpath, action string, q url.
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.Join(apc.Mountpaths) // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.Join(apc.Mountpaths)
 		reqParams.Body = cos.MustMarshal(apc.ActMsg{Action: action, Value: mountpath})
 		reqParams.Header = http.Header{
 			apc.HdrNodeID:      []string{node.ID()},
@@ -113,7 +113,7 @@ func GetDaemonConfig(bp BaseParams, node *meta.Snode) (config *cmn.Config, err e
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.S // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.S
 		reqParams.Query = url.Values{apc.QparamWhat: []string{apc.WhatNodeConfig}}
 		reqParams.Header = http.Header{apc.HdrNodeID: []string{node.ID()}}
 	}
@@ -128,7 +128,7 @@ func GetMetricNames(bp BaseParams, node *meta.Snode) (kvs cos.StrKVs, err error)
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.S // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.S
 		reqParams.Query = url.Values{apc.QparamWhat: []string{apc.WhatMetricNames}}
 		reqParams.Header = http.Header{apc.HdrNodeID: []string{node.ID()}}
 	}
@@ -155,7 +155,7 @@ func GetDaemonLog(bp BaseParams, node *meta.Snode, args GetLogInput) (int64, err
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.S // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.S
 		reqParams.Query = q
 		reqParams.Header = http.Header{apc.HdrNodeID: []string{node.ID()}}
 	}
@@ -180,7 +180,7 @@ func SetDaemonConfig(bp BaseParams, nodeID string, nvs cos.StrKVs, transient ...
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.Join(apc.ActSetConfig) // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.Join(apc.ActSetConfig)
 		reqParams.Query = query
 		reqParams.Header = http.Header{apc.HdrNodeID: []string{nodeID}}
 	}
@@ -203,7 +203,7 @@ func _putDaemon(bp BaseParams, nodeID string, msg apc.ActMsg) error {
 	reqParams := AllocRp()
 	{
 		reqParams.BaseParams = bp
-		reqParams.Path = apc.URLPathReverseDae.S // NOTE: reverse, via p.reverseHandler
+		reqParams.Path = apc.URLPathReverseDae.S
 		reqParams.Body = cos.MustMarshal(msg)
 		reqParams.Header = http.Header{
 			apc.HdrNodeID:      []string{nodeID},

diff --git a/api/x509.go b/api/x509.go
@@ -0,0 +1,49 @@
+// Package api provides native Go-based API/SDK over HTTP(S).
+/*
+ * Copyright (c) 2024, NVIDIA CORPORATION. All rights reserved.
+ */
+package api
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/NVIDIA/aistore/api/apc"
+	"github.com/NVIDIA/aistore/cmn/cos"
+)
+
+func LoadX509Cert(bp BaseParams, nodeID ...string) error {
+	bp.Method = http.MethodPut
+	reqParams := AllocRp()
+	{
+		reqParams.BaseParams = bp
+		if len(nodeID) > 0 {
+			reqParams.Path = apc.URLPathCluX509.Join(nodeID[0]) // the node
+		} else {
+			reqParams.Path = apc.URLPathCluX509.S // all nodes
+		}
+	}
+	err := reqParams.DoRequest()
+	FreeRp(reqParams)
+	return err
+}
+
+func GetX509Info(bp BaseParams, nodeID ...string) (info cos.StrKVs, err error) {
+	bp.Method = http.MethodGet
+	reqParams := AllocRp()
+	{
+		reqParams.BaseParams = bp
+		reqParams.Query = url.Values{apc.QparamWhat: []string{apc.WhatCertificate}}
+		if len(nodeID) > 0 {
+			reqParams.Path = apc.URLPathReverseDae.S
+			reqParams.Header = http.Header{
+				apc.HdrNodeID: []string{nodeID[0]},
+			}
+		} else {
+			reqParams.Path = apc.URLPathDae.S
+		}
+	}
+	_, err = reqParams.DoReqAny(&info)
+	FreeRp(reqParams)
+	return
+}
diff --git a/cmd/cli/cli/advanced_hdlr.go b/cmd/cli/cli/advanced_hdlr.go
@@ -72,13 +72,6 @@ var (
 				Action:       backendDisableHandler,
 				BashComplete: suggestCloudProvider,
 			},
-			{
-				Name:         cmdLoadX509,
-				Usage:        "(re)load TLS certificate",
-				ArgsUsage:    optionalNodeIDArgument,
-				Action:       loadX509Handler,
-				BashComplete: suggestAllNodes,
-			},
 		},
 	}
 )
@@ -207,17 +200,3 @@ func backendDisableHandler(c *cli.Context) error {
 	actionDone(c, "cluster: disabled "+cloudProvider+" backend")
 	return nil
 }
-
-func loadX509Handler(c *cli.Context) (err error) {
-	s := "Done."
-	if c.NArg() == 0 {
-		err = api.LoadX509Cert(apiBP, c.Args()...)
-		s = "Done: all nodes."
-	} else {
-		err = api.LoadX509Cert(apiBP, meta.N2ID(c.Args().Get(0)))
-	}
-	if err == nil {
-		actionDone(c, s)
-	}
-	return err
-}
diff --git a/cmd/cli/cli/app.go b/cmd/cli/cli/app.go
@@ -307,6 +307,7 @@ func (a *acli) setupCommands(emptyCmdline bool) {
 		storageCmd,
 		archCmd,
 		logCmd,
+		tlsCmd,
 		showCmdPeformance,
 		remClusterCmd,
 		a.getAliasCmd(),

diff --git a/cmd/cli/cli/const.go b/cmd/cli/cli/const.go
@@ -17,19 +17,20 @@ import (
 
 // top-level commands (categories - nouns)
 const (
-	commandAuth     = "auth"
 	commandAdvanced = "advanced"
+	commandAlias    = "alias"
+	commandArch     = "archive"
+	commandAuth     = "auth"
 	commandBucket   = "bucket"
-	commandObject   = "object"
 	commandCluster  = "cluster"
 	commandConfig   = "config"
+	commandETL      = apc.ETL
 	commandJob      = "job"
 	commandLog      = "log"
+	commandObject   = "object"
 	commandPerf     = "performance"
 	commandStorage  = "storage"
-	commandETL      = apc.ETL   // TODO: add `ais show etl`
-	commandAlias    = "alias"   // TODO: ditto alias
-	commandArch     = "archive" // TODO: ditto archive
+	commandTLS      = "tls"
 
 	commandSearch = "search"
 )
@@ -131,7 +132,7 @@ const (
 	cmdBackendEnable  = "enable-backend"
 	cmdBackendDisable = "disable-backend"
 
-	cmdLoadX509 = "load-X.509"
+	cmdLoadTLS = "load-certificate"
 
 	// Node subcommands
 	cmdJoin                = "join"

diff --git a/cmd/cli/cli/search_hdlr.go b/cmd/cli/cli/search_hdlr.go
@@ -52,6 +52,7 @@ var (
 		cmdAuthAdd:      {"register", "create"},
 		cmdStgCleanup:   {"remove", "delete", "evict"},
 		cmdDownload:     {"load", "populate", "copy", "cp"},
+		commandTLS:      {"x509", "X509", "X.509", "certificate", "https"},
 	}
 
 	// app state

diff --git a/cmd/cli/cli/show_hdlr.go b/cmd/cli/cli/show_hdlr.go
@@ -113,6 +113,7 @@ var (
 			showCmdRemoteAIS,
 			showCmdJob,
 			showCmdLog,
+			showTLS,
 		},
 	}