Https英文文档

docs/manual/cluster-admin/basic-management-operations.md

@@ -40,7 +40,7 @@ There is a shortcut to k8s dashboard on the webportal. However, it needs special
 
    <img src="./imgs/k8s-dashboard.png" width="100%" height="100%" />
 
-To use it, you should first set up `https` access (Using `http://<ip>` won't work) for OpenPAI. Then, on the dev box machine, follow the steps below:
+To use it, you should first set up `https` access (Using `http://<ip>` won't work) for OpenPAI. Please refer to [here](#how-to-set-up-https). Then, on the dev box machine, follow the steps below:
 
 **Step 1.** Save following yaml text as `admin-user.yaml`
 
@@ -151,4 +151,116 @@ Another example is to restart the whole cluster:
 ./paictl.py service start
 ```
 
-You can use `exit` to leave the dev-box container, and use `sudo docker exec -it dev-box bash` to re-enter it if you desire so. If you don't need it any more, use `sudo docker stop dev-box` and `sudo docker rm dev-box` to delete the docker container.
+You can use `exit` to leave the dev-box container, and use `sudo docker exec -it dev-box bash` to re-enter it if you desire so. If you don't need it any more, use `sudo docker stop dev-box` and `sudo docker rm dev-box` to delete the docker container.
+
+## How To Set Up HTTPS
+
+To configure https certificate for pylon, you need to obtain a digital certificate first, and then save the digital certificate-related files in the dev-box container. In the dev-box container, you can find the configuration file `services-configuration.yaml`, and then you need to add the file path of the saved digital certificate into the `services-configuration.yaml` file. You can choose a self-signed certificate or a certificate issued by a CA. Next, we will first demonstrate the configuration process of a self-signed certificate. The configuration processes for the two types of certificates are similar.
+
+### Configure A Self-Signed Certificate
+
+
+#### 1. Enter the dev-box container
+
+You need to use [`paictl`](#pai-service-management-and-paictl) to enter the container in the following way:
+
+```bash
+sudo docker exec -it dev-box bash
+```
+
+#### 2. Create a folder in the dev-box container
+When you enter the container, you need to create a folder and generate a self-signed certificate in this folder. You can create an `ssl` folder in the `home` folder.
+
+``` bash
+mkdir /home/ssl
+cd  /home/ssl
+```
+#### 3. Generate RSA private key with openssl
+
+``` bash
+openssl genrsa -des3 -out FileName.key 1024
+```
+In this step, a password will be asked.The following commands you enter will use the `FileName` parameter multiple times. You can choose a suitable file name to replace `FileName`.
+
+
+#### 4. Generate certificate request
+
+```bash
+SUBJECT="/C=US/ST=Washington/CN=FileName"
+openssl req -new -subj $SUBJECT -key FileName.key -out FileName.csr
+```
+
+#### 5. Generate certificate
+
+```bash
+mv FileName.key FileName.origin.key
+openssl rsa -in FileName.origin.key -out FileName.key
+openssl x509 -req -days 3650 -in FileName.csr -signkey FileName.key -out FileName.crt
+```
+
+#### 6. Final result
+
+In the current directory, you will find 4 files:
+
+<div  align="center">
+<img src="./imgs/openssl_result.png" alt="paictl overview picture" style="float: center; margin-right: 10px;" />
+</div>
+
+#### 7. Configure services-configuration.yaml
+
+
+If you are configuring PAI service for the first time, `services-configuration.yaml` may not exist in the dev-box container. You should follow the procedure below to change the configuration file and make it effective. Then, stop the pylon service, pull the OpenPAI configuration file `services-configuration.yaml` to the local, change the configuration file, upload the configuration file, and restart the pylon service. The commands you need are:
+```bash
+./paictl.py service stop -n pylon
+./paictl.py config pull -o <config-folder>
+vim <config-folder>/services-configuration.yaml
+./paictl.py config push -p <config-folder> -m service
+./paictl.py service start -n pylon
+```
+
+
+If you already have `services-configuration.yaml` in your container, you can omit the process of pulling the file. Please note that the master_ip in the configuration file is the IP of your master machine, not the IP of your dev box machine. Please configure the yaml file in the following format:
+```
+pylon:
+    port: 80
+    uri: "http://master_ip:80"
+    ssl:
+      crt_name: xxxxxx
+      crt_path: /path/to/xxxxxx
+      key_name: yyyyyy
+      key_path: /path/to/yyyyyy
+```
+With the example we just gave, the configuration file content should be:
+```
+pylon:
+    port: 80
+    uri: "http://master_ip:80"
+    ssl:
+      crt_name: FileName.crt
+      crt_path: /home/ssl/FileName.crt
+      key_name: FileName.key
+      key_path: /home/ssl/FileName.key
+```
+Restart the pylon service, and you will be able to access OpenPAI via https.
+
+#### Configure CA certificate
+##### 1. Save the CA certificate in the dev-box container
+To configure a CA certificate, you first need to apply for and export it. You will eventually get a crt file and a key file. Please save these two files in the dev-box container. As shown in the following picture, the two files are saved in `/home/ssl`.
+
+<div  align="center">
+<img src="./imgs/openssl_CA_result.png" alt="paictl overview picture" style="float: center; margin-right: 10px;" />
+</div>
+
+##### 2. Configure services-configuration.yaml
+In this step, you can configure the `services-configuration.yaml` in accordance with the Step 7 in the process of `Configure a self-signed certificate`. For example:
+
+```
+pylon:
+    port: 80
+    uri: "http://master_ip:80"
+    ssl:
+      crt_name: n32.openpai.org_chain.crt
+      crt_path: /home/ssl/n32.openpai.org_chain.crt
+      key_name: n32.openpai.org_key.key
+      key_path: /home/ssl/n32.openpai.org_key.key
+```

docs/manual/cluster-admin/how-to-manage-users-and-groups.md

@@ -25,61 +25,8 @@ In this section, we will cover how to set up the integration step by step.
 
 #### Note
 
-Previous user data in webportal is required to be mapping/migrate to AAD. Once the integration is enabled, instead of using basic user authentication, OpenPAI will switch to use (and only use) AAD as user authentication mechanism.
+Previous user data in webportal is required to be mapping/migrate to AAD. Once the integration is enabled, instead of using basic user authentication, OpenPAI will switch to use (and only use) AAD as user authentication mechanism. To set up AAD, please follow the instructions [here](./basic-management-operations.md#how-to-set-up-https) to set up HTTPS access for OpenPAI first.
 
-#### [Pylon] Prepare your certificate for https, self-sign cert as an example
-
-##### 1. Store your domain name (pylon address) into a linux env
-
-```bash
-DOMAIN={pylon address}
-```
-##### 2. Generate RSA private key with openssl
-
-``` bash
-openssl genrsa -des3 -out $DOMAIN.key 1024
-```
-
-In this step, password will be asked. You can just skip it with an empty value (Type enter button).
-
-##### 3. Generate certificate request
-
-```bash
-SUBJECT="/C=US/ST=Washington/CN=$DOMAIN"
-openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr
-```
-
-##### 4. Generate certificate
-
-```bash
-mv $DOMAIN.key $DOMAIN.origin.key
-openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key
-openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
-```
-
-##### 5. Final result
-
-You should get the following 4 files in your current path
-
-<div  align="center">
-<img src="./imgs/aad/openssl_result.png" alt="paictl overview picture" style="float: center; margin-right: 10px;" />
-</div>
-
-##### 6. Configure pylon
-
-Add the following configuration to your `services-configuration.yaml`. If you wonder what `services-configuration.yaml` is, please refer to [PAI Service Management and Paictl](basic-management-operations.md#pai-service-management-and-paictl).
-
-```
-pylon:
-    port: 80
-    uri: "http://master_ip:80"
-    ssl:
-      # self-sign
-      crt_name: xxxxxx
-      crt_path: /path/to/xxxxxx
-      key_name: yyyyyy
-      key_path: /path/to/yyyyyy
-```
 
 #### [Rest-server] Configuration AAD