Repository: kudu
Updated Branches:
  refs/heads/master 914ed3b98 -> 69f2619d0
[docs] added info on TSK and CA entries in systable

Change-Id: I3c75d792981c3152f5844a2ea6934c0ce0032522
Reviewed-on: http://gerrit.cloudera.org:8080/6111
Reviewed-by: Adar Dembo <[email protected]>
Tested-by: Alexey Serbin <[email protected]>

Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/0bd10cb8
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/0bd10cb8
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/0bd10cb8

Branch: refs/heads/master
Commit: 0bd10cb881d389eded337eb188a0bf30cc2483f3
Parents: 914ed3b
Author: Alexey Serbin <[email protected]>
Authored: Wed Feb 22 12:09:03 2017 -0800
Committer: Alexey Serbin <[email protected]>
Committed: Thu Feb 23 01:27:32 2017 +0000

----------------------------------------------------------------------
 docs/design-docs/master.md | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/kudu/blob/0bd10cb8/docs/design-docs/master.md
----------------------------------------------------------------------
diff --git a/docs/design-docs/master.md b/docs/design-docs/master.md index 4a366aa..fdcf7dd 100644 --- a/docs/design-docs/master.md +++ b/docs/design-docs/master.md @@ -104,9 +104,6 @@ Master or tablet server goes offline before a particular DeleteTablet operation successfully completes, the Master will send a new DeleteTablet request at the time that the next heartbeat is received from the tablet that is to be deleted. -A "Cleaner" process will be reponsible for removing the data from deleted tables -and tablets in the future, both on-disk and cached in memory (TODO). - Table Assignment (Tablet Creation) ---------------------------------- 
@@ -237,3 +234,32 @@ tablet server to the master (tablet servers that have been heard from, heartbeats, tablet reports, etc...). The information is stored in a map, where the key is the permanent uuid of a tablet server and the value is (a pointer to) a TSDescriptor. + +IPKI: Internal Root Certificate Authority (CA) Information +---------------------------------------------------------- + +Besides tables' metadata, the system table contains the root CA certificate +and corresponding private key when Kudu is configured to use its own IPKI +(Internal Private Key Infrastructure). The root CA certificate and the private +key are used to + 1. Sign TLS certificates for Kudu server-side components like Master and + Tablet Servers. + 2. Authenticate the server side of TLS connection: the initiator of a + TLS connection (the client side) uses Kudu CA certificate to make sure + the peer has valid TLS certificate signed by the Kudu internal CA. + +Upon start of a Kudu master server, it generates and stores the root CA +certificate and corresponding private key when becoming leader if no such +information is present in the system table. If the internal root CA information +is already present in the system table, the leader master loads that +information into memory and uses it appropriately. + +IPKI: TSK (Token Signing Keys) +------------------------------ + +The system table contains entries with TSKs used for authn/authz token signing. +The leader master generates and stores those in the system table. Upon start-up +or on the change of master leadership, a new leader master loads existing TSK +entries from the system table and populates in-memory structures necessary +for token signing. Expired keys are lazily purged from the system table +by the leader master.
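Review bot: The first hunk (@@ -104,9 +104,6 @@) removes the "Cleaner" process paragraph, which is unrelated to the commit subject (TSK and CA entries in the system table) and is not mentioned in the commit message. Either call out the removal in the commit message or move it to its own change. With the TODO gone, the section no longer says anything about how data from deleted tables and tablets is removed on disk or in memory, so if that is handled elsewhere now, a sentence pointing there would keep the DeleteTablet description complete.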
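Review bot: The second hunk (@@ -237,3 +234,32 @@) documents that the root CA private key and the TSKs are stored in the system table, but neither new section says how that material is protected at rest or who is allowed to read the system table. Since anyone holding the CA key can issue server certificates and anyone holding a TSK can sign tokens, please add a sentence to each section stating the protection that applies, or state explicitly that none is applied yet. Two smaller points in the same hunk: "IPKI (Internal Private Key Infrastructure)" looks like it should expand PKI as "Public Key Infrastructure", and list item 2 sits under "The root CA certificate and the private key are used to" although verifying the peer's certificate needs only the CA certificate, so the wording should separate what the private key does (signing) from what the certificate does (verification). The TSK section would also benefit from saying when a new key is generated, since it only describes loading and purging.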
