pinterest/knox pinterest/knox

  • Stars
    star
    1,229
  • Rank 38,186 (Top 0.8 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 8 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
pinterest/knox
github

pinterest

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Knox is a secret management service

Knox -- the high level overview

Knox is a service for storing and rotation of secrets, keys, and passwords used by other services.

The Problem Knox is Meant to Solve

Pinterest has a plethora of keys or secrets doing things like signing cookies, encrypting data, protecting our network via TLS, accessing our AWS machines, communicating with our third parties, and many more. If these keys become compromised, rotating (or changing our keys) used to be a difficult process generally involving a deploy and likely a code change. Keys/secrets within Pinterest were stored in git repositories. This means they were copied all over our company's infrastructure and present on many of our employees laptops. There was no way to audit who accessed or who has access to the keys. Knox was built to solve these problems.

The goals of Knox are:

  • Ease of use for developers to access/use confidential secrets, keys, and credentials
  • Confidentiality for secrets, keys, and credentials
  • Provide mechanisms for key rotation in case of compromise
  • Create audit log to keep track of what systems and users access confidential data

Read more at https://github.com/pinterest/knox/wiki

Getting knox set up

The first step is to install Go (or use Docker, see below). We require Go >= 1.6 or Go 1.5 with the vendor flag enabled (GO15VENDOREXPERIMENT=1). For instructions on setting up Go, please visit https://golang.org/doc/install

After Go is set up (including a $GOPATH directory that will store your workspace), please run go get -d github.com/pinterest/knox to get the latest version of the knox code.

To compile the devserver and devclient binaries, run go install github.com/pinterest/knox/cmd/dev_server and go install github.com/pinterest/knox/cmd/dev_client. These can be directly executed, the dev_client expects the server to be running on a localhost. By default, the client uses mTLS with a hardcoded signed cert given for example.com for machine authentication and had github authentication enabled for users.

To start your server run:

$GOPATH/bin/dev_server

For using this client as a user, generate a token via these instructions https://help.github.com/articles/creating-an-access-token-for-command-line-use/ with read:org permissions. This token will be able to get your username and the organization you belong to. With the dev_server running you can now create your first knox key.

export KNOX_USER_AUTH=<insert generated github token here>
echo -n "My first knox secret" | $GOPATH/bin/dev_client create test_service:first_secret

You can retrieve the secret using:

$GOPATH/bin/dev_client get test_service:first_secret

You can see all key IDs using:

$GOPATH/bin/dev_client keys

To see all available commands run:

$GOPATH/bin/dev_client help

For production usage, I recommend making your own client, renaming it knox, and moving it into you $PATH for ease of use.

For more information on interacting with knox, use knox help or go to https://github.com/pinterest/knox/wiki/Knox-Client

Knox with Docker

You can run a Docker container to get knox set up, instead of installing Go on your host.

git clone https://github.com/pinterest/knox.git
cd knox
docker run --name knox --rm -v "$PWD":/go/src/github.com/pinterest/knox -it golang /bin/bash

This will run a bash shell into the container, mounting a local copy of knox in the go source path.

You can refer back to the section "Getting knox set up" to set up knox.

More Repositories

1

ktlint

An anti-bikeshedding Kotlin linter with built-in formatter
Kotlin
6,192
star
2

gestalt

A set of React UI components that supports Pinterestโ€™s design language
TypeScript
4,240
star
3

PINRemoteImage

A thread safe, performant, feature rich image fetcher
Objective-C
4,009
star
4

PINCache

Fast, non-deadlocking parallel object cache for iOS, tvOS and OS X
Objective-C
2,660
star
5

querybook

Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface.
TypeScript
1,923
star
6

secor

Secor is a service implementing Kafka log persistence
Java
1,845
star
7

teletraan

Teletraan is Pinterest's deploy system.
Java
1,807
star
8

pinball

Pinball is a scalable workflow manager
JavaScript
1,048
star
9

mysql_utils

Pinterest MySQL Management Tools
Python
883
star
10

snappass

Share passwords securely
Python
837
star
11

elixometer

A light Elixir wrapper around exometer.
Elixir
827
star
12

pymemcache

A comprehensive, fast, pure-Python memcached client.
Python
771
star
13

bonsai

Understand the tree of dependencies inside your webpack bundles, and trim away the excess.
JavaScript
738
star
14

rocksplicator

RocksDB Replication
C++
662
star
15

esprint

Fast eslint runner
JavaScript
661
star
16

bender

An easy-to-use library for creating load testing applications
Go
658
star
17

DoctorK

DoctorK is a service for Kafka cluster auto healing and workload balancing
Java
633
star
18

plank

A tool for generating immutable model objects
Swift
469
star
19

riffed

Provides idiomatic Elixir bindings for Apache Thrift
Elixir
307
star
20

thrift-tools

thrift-tools is a library and a set of tools to introspect Apache Thrift traffic.
Python
233
star
21

elixir-thrift

A Pure Elixir Thrift Implementation
Elixir
214
star
22

widgets

JavaScript widgets, including the Pin It button.
JavaScript
210
star
23

singer

A high-performance, reliable and extensible logging agent for uploading data to Kafka, Pulsar, etc.
Java
178
star
24

terrapin

Serving system for batch generated data sets
Java
176
star
25

git-stacktrace

Easily figure out which git commit caused a given stacktrace
Python
158
star
26

jbender

An easy-to-use library for creating load testing applications.
Java
156
star
27

ptracer

A library for ptrace-based tracing of Python programs
Python
155
star
28

react-pinterest

JavaScript
151
star
29

pinlater

PinLater is a Thrift service to manage scheduling and execution of asynchronous jobs.
Java
135
star
30

memq

MemQ is an efficient, scalable cloud native PubSub system
Java
129
star
31

api-quickstart

Code that makes it easy to get started with the Pinterest API.
Python
122
star
32

it-cpe-cookbooks

A suite of Chef cookbooks that we use to manage our fleet of client devices
Ruby
118
star
33

psc

PubSubClient (PSC)
Java
117
star
34

pinterest-api-demo

JavaScript
106
star
35

PINOperation

Objective-C
104
star
36

orion

Management and automation platform for Stateful Distributed Systems
Java
101
star
37

soundwave

A searchable EC2 Inventory store
Java
96
star
38

PINFuture

An Objective-C future implementation that aims to provide maximal type safety
Objective-C
83
star
39

kingpin

KingPin is the toolset used at Pinterest for service discovery and application configuration.
Python
69
star
40

arcanist-linters

A collection of custom Arcanist linters
PHP
63
star
41

pagerduty-monit

Wrapper scripts to integrate monit and PagerDuty.
Shell
60
star
42

pinrepo

Pinrepo is a highly scalable solution for storing and serving build artifacts such as debian packages, maven jars and pypi packages.
Python
58
star
43

transformer_user_action

Transformer-based Realtime User Action Model for Recommendation at Pinterest
Python
49
star
44

quasar-thrift

A Thrift server that uses Quasar's lightweight threads to handle connections.
Java
47
star
45

pinterest-python-sdk

An SDK that makes it quick and easy to build applications with Pinterest API.
Python
47
star
46

yuvi

Yuvi is an in-memory storage engine for recent time series metrics data.
Java
45
star
47

atg-research

Python
41
star
48

slackminion

A python bot framework for slack
Python
22
star
49

api-description

OpenAPI descriptions for Pinterest's REST API
18
star
50

l10nmessages

L10nMessages is a library that makes internationalization (i18n) and localization (l10n) of Java applications easy and safe.
Java
17
star
51

thriftcheck

A linter for Thrift IDL files
Go
16
star
52

arcanist-owners

An Arcanist extension for displaying file ownership information
PHP
16
star
53

tiered-storage

Pinterest's simplified and efficient Tiered Storage implementation for Kafka
Java
13
star
54

.github

Pinterest's Open Source Project Template
12
star
55

homebrew-tap

macOS Homebrew formulas to install Pinterest open source software
Ruby
12
star
56

pinterest-python-generated-api-client

This is the auto-generated code using OpenAPI generator. Generated code comprises HTTP requests to various v5 API endpoints.
Python
12
star
57

vscode-gestalt

Visual Studio Code extension for Gestalt, Pinterest's design system
TypeScript
9
star
58

wheeljack

Work with interdependent python repositories seemlessly.
Python
8
star
59

ffffound

FFFFOUND Import tool for Pinterest
HTML
8
star
60

vscode-package-watcher

Watch package lock files and suggest to re-run npm or yarn.
TypeScript
6
star
61

graphql-lint-rules

Pinterest GraphQL Lint Rules
TypeScript
6
star
62

ss-gtm-template

This is a repository to implement the Google Tag Manager server-side tag template for Pinterest Conversions API to be deployed into Google Community Template Gallery.
Smarty
5
star
63

pinterest-magento2-extension

PHP
4
star
64

Pinterest-Salesforce-Commerce-Cartridge

JavaScript
4
star
65

figma-calculations

TypeScript
2
star
66

slate

Resource Lifecycle Management framework
Java
1
star