diff --git a/docs/manual/cluster-admin/basic-management-operations.md b/docs/manual/cluster-admin/basic-management-operations.md index a09a94cedd..120f2ef8bd 100644 --- a/docs/manual/cluster-admin/basic-management-operations.md +++ b/docs/manual/cluster-admin/basic-management-operations.md @@ -40,7 +40,7 @@ There is a shortcut to k8s dashboard on the webportal. However, it needs special -To use it, you should first set up `https` access (Using `http://` won't work) for OpenPAI. Then, on the dev box machine, follow the steps below: +To use it, you should first set up `https` access (Using `http://` won't work) for OpenPAI. Please refer to [here](#how-to-set-up-https). Then, on the dev box machine, follow the steps below: **Step 1.** Save following yaml text as `admin-user.yaml` 
@@ -151,4 +151,116 @@ Another example is to restart the whole cluster: ./paictl.py service start ``` -You can use `exit` to leave the dev-box container, and use `sudo docker exec -it dev-box bash` to re-enter it if you desire so. If you don't need it any more, use `sudo docker stop dev-box` and `sudo docker rm dev-box` to delete the docker container. \ No newline at end of file +You can use `exit` to leave the dev-box container, and use `sudo docker exec -it dev-box bash` to re-enter it if you desire so. If you don't need it any more, use `sudo docker stop dev-box` and `sudo docker rm dev-box` to delete the docker container. + +## How To Set Up HTTPS + +To configure https certificate for pylon, you need to obtain a digital certificate first, and then save the digital certificate-related files in the dev-box container. In the dev-box container, you can find the configuration file `services-configuration.yaml`, and then you need to add the file path of the saved digital certificate into the `services-configuration.yaml` file. You can choose a self-signed certificate or a certificate issued by a CA. Next, we will first demonstrate the configuration process of a self-signed certificate. The configuration processes for the two types of certificates are similar. + +### Configure A Self-Signed Certificate + + +#### 1. Enter the dev-box container + +You need to use [`paictl`](#pai-service-management-and-paictl) to enter the container in the following way: + +```bash +sudo docker exec -it dev-box bash +``` + +#### 2. Create a folder in the dev-box container +When you enter the container, you need to create a folder and generate a self-signed certificate in this folder. You can create an `ssl` folder in the `home` folder. + +``` bash +mkdir /home/ssl +cd /home/ssl +``` +#### 3. Generate RSA private key with openssl + +``` bash +openssl genrsa -des3 -out FileName.key 1024 +``` +In this step, a password will be asked. 
The following commands you enter will use the `FileName` parameter multiple times. You can choose a suitable file name to replace `FileName`. + + +#### 4. Generate certificate request + +```bash +SUBJECT="/C=US/ST=Washington/CN=FileName" +openssl req -new -subj $SUBJECT -key FileName.key -out FileName.csr +``` + +#### 5. Generate certificate + +```bash +mv FileName.key FileName.origin.key +openssl rsa -in FileName.origin.key -out FileName.key +openssl x509 -req -days 3650 -in FileName.csr -signkey FileName.key -out FileName.crt +``` + +#### 6. Final result + +In the current directory, you will find 4 files: + +
+paictl overview picture +
+ +#### 7. Configure services-configuration.yaml + + +If you are configuring PAI service for the first time, `services-configuration.yaml` may not exist in the dev-box container. You should follow the procedure below to change the configuration file and make it effective. Then, stop the pylon service, pull the OpenPAI configuration file `services-configuration.yaml` to the local, change the configuration file, upload the configuration file, and restart the pylon service. The commands you need are: +```bash +./paictl.py service stop -n pylon +./paictl.py config pull -o +vim /services-configuration.yaml +./paictl.py config push -p -m service +./paictl.py service start -n pylon +``` + + +If you already have `services-configuration.yaml` in your container, you can omit the process of pulling the file. Please note that the master_ip in the configuration file is the IP of your master machine, not the IP of your dev box machine. Please configure the yaml file in the following format: +``` +pylon: + port: 80 + uri: "http://master_ip:80" + ssl: + crt_name: xxxxxx + crt_path: /path/to/xxxxxx + key_name: yyyyyy + key_path: /path/to/yyyyyy +``` +With the example we just gave, the configuration file content should be: +``` +pylon: + port: 80 + uri: "http://master_ip:80" + ssl: + crt_name: FileName.crt + crt_path: /home/ssl/FileName.crt + key_name: FileName.key + key_path: /home/ssl/FileName.key +``` +Restart the pylon service, and you will be able to access OpenPAI via https. + +#### Configure CA certificate +##### 1. Save the CA certificate in the dev-box container +To configure a CA certificate, you first need to apply for and export it. You will eventually get a crt file and a key file. Please save these two files in the dev-box container. As shown in the following picture, the two files are saved in `/home/ssl`. + +
+paictl overview picture +
+ +##### 2. Configure services-configuration.yaml +In this step, you can configure the `services-configuration.yaml` in accordance with the Step 7 in the process of `Configure a self-signed certificate`. For example: + +``` +pylon: + port: 80 + uri: "http://master_ip:80" + ssl: + crt_name: n32.openpai.org_chain.crt + crt_path: /home/ssl/n32.openpai.org_chain.crt + key_name: n32.openpai.org_key.key + key_path: /home/ssl/n32.openpai.org_key.key +``` diff --git a/docs/manual/cluster-admin/how-to-manage-users-and-groups.md b/docs/manual/cluster-admin/how-to-manage-users-and-groups.md index 6ab1df2372..033285a230 100644 --- a/docs/manual/cluster-admin/how-to-manage-users-and-groups.md +++ b/docs/manual/cluster-admin/how-to-manage-users-and-groups.md 
@@ -25,61 +25,8 @@ In this section, we will cover how to set up the integration step by step. #### Note -Previous user data in webportal is required to be mapping/migrate to AAD. Once the integration is enabled, instead of using basic user authentication, OpenPAI will switch to use (and only use) AAD as user authentication mechanism. +Previous user data in webportal is required to be mapping/migrate to AAD. Once the integration is enabled, instead of using basic user authentication, OpenPAI will switch to use (and only use) AAD as user authentication mechanism. To set up AAD, please follow the instructions [here](./basic-management-operations.md#how-to-set-up-https) to set up HTTPS access for OpenPAI first. -#### [Pylon] Prepare your certificate for https, self-sign cert as an example - -##### 1. Store your domain name (pylon address) into a linux env - -```bash -DOMAIN={pylon address} -``` -##### 2. Generate RSA private key with openssl - -``` bash -openssl genrsa -des3 -out $DOMAIN.key 1024 -``` - -In this step, password will be asked. You can just skip it with an empty value (Type enter button). - -##### 3. Generate certificate request - -```bash -SUBJECT="/C=US/ST=Washington/CN=$DOMAIN" -openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr -``` - -##### 4. Generate certificate - -```bash -mv $DOMAIN.key $DOMAIN.origin.key -openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key -openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt -``` - -##### 5. Final result - -You should get the following 4 files in your current path - -
-paictl overview picture -
- -##### 6. Configure pylon - -Add the following configuration to your `services-configuration.yaml`. If you wonder what `services-configuration.yaml` is, please refer to [PAI Service Management and Paictl](basic-management-operations.md#pai-service-management-and-paictl). - -``` -pylon: - port: 80 - uri: "http://master_ip:80" - ssl: - # self-sign - crt_name: xxxxxx - crt_path: /path/to/xxxxxx - key_name: yyyyyy - key_path: /path/to/yyyyyy -``` #### [Rest-server] Configuration AAD diff --git a/docs/manual/cluster-admin/imgs/aad/openssl_result.png b/docs/manual/cluster-admin/imgs/aad/openssl_result.png deleted file mode 100644 index 24903b772c..0000000000 Binary files a/docs/manual/cluster-admin/imgs/aad/openssl_result.png and /dev/null differ diff --git a/docs_zh_CN/manual/cluster-admin/imgs/aad/openssl_CA_result.png b/docs/manual/cluster-admin/imgs/openssl_CA_result.png similarity index 100% rename from docs_zh_CN/manual/cluster-admin/imgs/aad/openssl_CA_result.png rename to docs/manual/cluster-admin/imgs/openssl_CA_result.png diff --git a/docs_zh_CN/manual/cluster-admin/imgs/aad/openssl_result.png b/docs/manual/cluster-admin/imgs/openssl_result.png similarity index 100% rename from docs_zh_CN/manual/cluster-admin/imgs/aad/openssl_result.png rename to docs/manual/cluster-admin/imgs/openssl_result.png diff --git a/docs_zh_CN/manual/cluster-admin/basic-management-operations.md b/docs_zh_CN/manual/cluster-admin/basic-management-operations.md index 2486d28a59..b6ee07055c 100644 --- a/docs_zh_CN/manual/cluster-admin/basic-management-operations.md +++ b/docs_zh_CN/manual/cluster-admin/basic-management-operations.md @@ -204,7 +204,7 @@ openssl x509 -req -days 3650 -in FileName.csr -signkey FileName.key -out FileNam 在当前目录下,您将会发现有4个文件
-paictl overview picture +paictl overview picture
#### 7. 设置services-configuration.yaml @@ -250,7 +250,7 @@ pylon: 要配置CA证书,您首先需要申请并导出您的CA证书,您最终会得到一个crt文件和一个key文件,然后将这两个文件保存到dev-box容器中,比如存储到dev-box容器的/home/ssl文件夹下。如图所示:
-paictl overview picture +paictl overview picture
##### 2. 设置services-configuration.yaml diff --git a/docs_zh_CN/manual/cluster-admin/imgs/openssl_CA_result.png b/docs_zh_CN/manual/cluster-admin/imgs/openssl_CA_result.png new file mode 100644 index 0000000000..3a2a23bc33 Binary files /dev/null and b/docs_zh_CN/manual/cluster-admin/imgs/openssl_CA_result.png differ diff --git a/docs_zh_CN/manual/cluster-admin/imgs/openssl_result.png b/docs_zh_CN/manual/cluster-admin/imgs/openssl_result.png new file mode 100644 index 0000000000..74092a6e73 Binary files /dev/null and b/docs_zh_CN/manual/cluster-admin/imgs/openssl_result.png differ
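Review bot: In docs/manual/cluster-admin/basic-management-operations.md (hunk at line 40), the added sentence "Please refer to [here](#how-to-set-up-https)" uses "here" as its link text, which says nothing about the target and reads awkwardly. Suggest naming the section in the link, for example "see [How To Set Up HTTPS](#how-to-set-up-https)", and keeping it ahead of "Then, on the dev box machine" so the prerequisite stays before the steps.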
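Review bot: In the new "How To Set Up HTTPS" section of basic-management-operations.md (hunk at line 151), step 3 documents `openssl genrsa -des3 -out FileName.key 1024`; a 1024-bit RSA key is too weak to recommend in new documentation, and the size should be 2048 or larger. Step 4 sets `CN=FileName`, whereas the section this replaces in how-to-manage-users-and-groups.md used `CN=$DOMAIN` with the pylon address; the text only says to "choose a suitable file name", so it should state that the CN has to be the host name users type to reach pylon, otherwise the certificate will not match the site. Step 5 strips the passphrase with `openssl rsa -in FileName.origin.key -out FileName.key`, which leaves an unencrypted private key in `/home/ssl`; a sentence on restricting its file permissions and on removing `FileName.origin.key` and `FileName.csr` once the certificate exists would help. Both YAML samples also keep `port: 80` and `uri: "http://master_ip:80"`; please say whether these stay unchanged once `ssl` is configured, since the section ends by promising https access.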
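Review bot: In docs/manual/cluster-admin/how-to-manage-users-and-groups.md (hunk at line 25), the HTTPS prerequisite is appended to the end of the migration note as "To set up AAD, please follow the instructions [here](./basic-management-operations.md#how-to-set-up-https)", so with the "[Pylon] Prepare your certificate" heading removed, nothing in the section outline before "[Rest-server] Configuration AAD" signals that pylon needs a certificate first. Suggest keeping a short "[Pylon]" prerequisite heading that holds only this link, with link text that names the target section rather than "here".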
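Review bot: In docs_zh_CN/manual/cluster-admin/basic-management-operations.md (hunks at lines 204 and 250), the changed image lines still carry the text "paictl overview picture", which looks copied from the paictl overview figure; the same text is used for the two images added in the English "How To Set Up HTTPS" section. These images show the generated certificate files and the saved CA files, so the image text should describe that. The patch also renames openssl_result.png and openssl_CA_result.png from docs_zh_CN/.../imgs/aad/ into docs/.../imgs/ at 100% similarity and adds new binaries under docs_zh_CN/.../imgs/; please confirm the files now under docs/ are the screenshots intended for the English pages.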