IMPALA-5816: xfail wildcard TLS cert tests Wildcard support is not uniform across all platforms that Impala is tested on. This patch xfails the wildcard tests in test_client_ssl.
A follow-up change will generate certificates on a per-host basis, which should allow compatible wildcard certs to be generated for all platforms. Change-Id: I86148739aa1c66c817eed8b727f68cfc08c178ed Reviewed-on: http://gerrit.cloudera.org:8080/7908 Reviewed-by: Sailesh Mukil <[email protected]> Tested-by: Impala Public Jenkins Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/c163ac14 Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/c163ac14 Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/c163ac14 Branch: refs/heads/master Commit: c163ac1468e4d878c3516ec933c69fb66851af01 Parents: 3a41c21 Author: Henry Robinson <[email protected]> Authored: Wed Aug 30 15:17:47 2017 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Thu Aug 31 02:50:16 2017 +0000 ---------------------------------------------------------------------- tests/custom_cluster/test_client_ssl.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/c163ac14/tests/custom_cluster/test_client_ssl.py ---------------------------------------------------------------------- diff --git a/tests/custom_cluster/test_client_ssl.py b/tests/custom_cluster/test_client_ssl.py index 487b802..b9b2096 100644 --- a/tests/custom_cluster/test_client_ssl.py +++ b/tests/custom_cluster/test_client_ssl.py @@ -111,10 +111,11 @@ class TestClientSsl(CustomClusterTestSuite): # Test that the shell can connect to a TLS1.2 only cluster, and for good measure # restrict the cipher suite to just one choice. - TLS_V12_ARGS = ("--ssl_server_certificate=%s/wildcard-cert.pem " - "--ssl_private_key=%s/wildcard-cert.key " + TLS_V12_ARGS = ("--ssl_client_ca_certificate=%s/server-cert.pem " + "--ssl_server_certificate=%s/server-cert.pem " + "--ssl_private_key=%s/server-key.pem " + "--hostname=localhost " # Required to match hostname in certificate" "--ssl_minimum_version=tlsv1.2 " - "--ssl_client_ca_certificate=%s/wildcardCA.pem " "--ssl_cipher_list=AES128-GCM-SHA256 " % (CERT_DIR, CERT_DIR, CERT_DIR)) @@ -124,13 +125,14 @@ class TestClientSsl(CustomClusterTestSuite): catalogd_args=TLS_V12_ARGS) @pytest.mark.skipif(HAS_LEGACY_OPENSSL, reason=SKIP_SSL_MSG) def test_tls_v12(self, vector): - self._validate_positive_cases("%s/wildcardCA.pem" % self.CERT_DIR) + self._validate_positive_cases("%s/server-cert.pem" % self.CERT_DIR) @pytest.mark.execute_serially @CustomClusterTestSuite.with_args(impalad_args=SSL_WILDCARD_ARGS, statestored_args=SSL_WILDCARD_ARGS, catalogd_args=SSL_WILDCARD_ARGS) @pytest.mark.skipif(HAS_LEGACY_OPENSSL, reason=SKIP_SSL_MSG) + @pytest.mark.xfail(run=True, reason="Inconsistent wildcard support on target platforms") def test_wildcard_ssl(self, vector): """ Test for IMPALA-3159: Test with a certificate which has a wildcard for the CommonName. @@ -144,6 +146,7 @@ class TestClientSsl(CustomClusterTestSuite): statestored_args=SSL_WILDCARD_SAN_ARGS, catalogd_args=SSL_WILDCARD_SAN_ARGS) @pytest.mark.skipif(HAS_LEGACY_OPENSSL, reason=SKIP_SSL_MSG) + @pytest.mark.xfail(run=True, reason="Inconsistent wildcard support on target platforms") def test_wildcard_san_ssl(self, vector): """ Test for IMPALA-3159: Test with a certificate which has a wildcard as a SAN. """
