This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/master by this push:
     new 152211658 KUDU-3392 Support trusting custom certificates
152211658 is described below

commit 152211658ef9d33e0ad727ccba46f8af24cd45b0
Author: Attila Bukor <[email protected]>
AuthorDate: Fri Aug 19 18:12:31 2022 +0200

    KUDU-3392 Support trusting custom certificates
    
    Right now, Kudu can only talk to Ranger KMS over TLS when its
    certificate is trusted on the OS level (installed in /etc/pki). By
    adding a new flag to trust a PEM file in a custom location, users don't
    need to install Ranger KMS's certificate in a central location, they can
    simply provide the PEM file when starting up Kudu servers. Right now,
    Ranger KMS is the only such service (Kudu talks to Ranger Admin using
    its Java client within a subprocess, which uses an XML config file to
    set the truststore location), but it's possible that in the future, Kudu
    will act as a client to other services, so the new flag,
    -trusted_certificate_file, sets the trust in a central location, in
    curl_util using CURLOPT_CAINFO.
    
    A webserver-test has been updated to use the new trusted certificate
    flag instead of disabling verifying the peer. The test certificate used
    in this test had to be updated as well, as the original one had
    CN=MyName, so the verification failed. It was valid only until 2027 as
    well. The new certificate expires in 100 years and CN=127.0.0.1.
    
    Issuer: C=US, L=Default City, O=Apache Software Foundation, 
CN=127.0.0.1/[email protected]
    Validity
        Not Before: Aug 23 08:47:48 2022 GMT
        Not After : Jul 30 08:47:48 2122 GMT
    Subject: C=US, L=Default City, O=Apache Software Foundation, 
CN=127.0.0.1/[email protected]
    
    Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
    Reviewed-on: http://gerrit.cloudera.org:8080/18870
    Tested-by: Kudu Jenkins
    Reviewed-by: Zoltan Chovan <[email protected]>
    Reviewed-by: Alexey Serbin <[email protected]>
---
 src/kudu/security/test/test_certs.cc | 63 ++++++++++++++++++------------------
 src/kudu/server/webserver-test.cc    | 11 +++++--
 src/kudu/util/curl_util.cc           |  8 +++++
 3 files changed, 48 insertions(+), 34 deletions(-)

diff --git a/src/kudu/security/test/test_certs.cc 
b/src/kudu/security/test/test_certs.cc
index 0c5b29e4a..321a4ef59 100644
--- a/src/kudu/security/test/test_certs.cc
+++ b/src/kudu/security/test/test_certs.cc
@@ -399,37 +399,38 @@ Status CreateTestSSLCertWithEncryptedKey(const string& 
dir,
                                          string* key_password) {
   const char* kCert = R"(
 -----BEGIN CERTIFICATE-----
-MIIFuTCCA6GgAwIBAgIJAMboiIQH/LDlMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBk15TmFtZTEbMBkGCSqGSIb3DQEJARYM
-bXlAZW1haWwuY29tMB4XDTE3MDQxNDE3MzEzOVoXDTI3MDQxMjE3MzEzOVowczEL
-MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVy
-bmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGTXlOYW1lMRswGQYJKoZIhvcN
-AQkBFgxteUBlbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQC+Av808cmgkgtLpH+ERAaJLgpSQ+l2UfUHTB4XeFXcWcxlsRyXqqNTh5NwkjMI
-c6Ei8p12PBol9I2j//l9sCmLXWDXq2EFFkZ+tcszPjQiTmqzPeruAnamYzuQFioZ
-mnNbPypD9qdk/IWY4XWMWOL/qIhnkNQvswSCqu7JA37xaiOqdLBYt/nSN9h5cOwi
-iHQODY15OmrgAB4JO9brHdBp/fzoN3DkHpQ0V5rlEZ+5Ud9qDs3UEQMgo+ZV8wYL
-KVb9/sUyWu+i1NJIAIhNt5oC8AXJJt+C5Bqme3+7mkWnnBo9DwsvnqDOjOY6AvpO
-NHDeRgEBBelj8rGOGQAFgfTlv+w3kDas25oxmoeVXSPF94eU75bu/EE6GGNpe1EB
-ZtfGUSfRLZwBMAeTZ7f1b9xgNygNpBGmwt9bg+qOZ6PYWkGIrP5+Umhjyss26j5r
-PzJSummB93+69QoESLnF68WcFrR7fxN+oVra63kic/wvC3RH+P3lAIaYw9dKGtec
-D3/F2xBp9+Q3nMJQ5MGDdv4wbWQ9lA63uwcWSGIP3R3KKrs4ULtvHIVQz3tgKbwu
-Lw5LM7x3KnV1iMwfJC09I+lv8MxJBS7cxGU7UEyIasIirsZblPTBshjoKPax2RWR
-I/VI9HwdA4cCk+zbvklK3hHgemCagVLIGwT5+tU7tY4UOQIDAQABo1AwTjAdBgNV
-HQ4EFgQU+4nVu5ZsCzs3wxbyS8LNmkL849AwHwYDVR0jBBgwFoAU+4nVu5ZsCzs3
-wxbyS8LNmkL849AwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAWHLA
-OCjmeqf6AWpmoOOx3fUaGzaR0SG1Cn85nDMypdTrZtNUn9mkDDDXH40xP31vUyjx
-i2Z68dvHsJCdqYL1KAwvvWIEt8xzIWI9ALCANl7JD1L224lUdXI/SgOVaba5bxf4
-nVhqeGH5G7WB6g4ZoOkiICluCnjc5FWaZlENJ4oQLLS9mQE7sREouCy+lDnlUW0x
-Mf1A5hiERTmvuy26b/lkjXfdGw0z/lNXNAS2k59cKHZ11FqzSLwzK2betmpJYzcq
-N4kPMbfUDrN5x/pjAl//GATQgCiXCUjwGvKnhhXedLjnLUC7bxrAoDwKj986iKnO
-v9wzukBC6t/Ao1COodDISzTLORTMIWLOjyg9bPVKSjdFxmKhpCUQQ3Jt6k9JOZtR
-hvKVmDZBCB10eCJALsHlDWAy0DgjRrD1dnnXrOIUgq6ZLqtzAKGkQF5Y5sYEXyTm
-fCFgiXHtU2haGzp5x+i/vz/E6bBsxJhUVzaWlP149WhQs4RO1YL3Iqsdcy0AcMA9
-FUNW6C+37fVk6w1OJGcI4uTfgMpSJL7iTCSzuspR4lEPUHLIvB3kZKyjr7/eAiMg
-NU9t8oyYtGfrXWXHEZ+d8vK7KCnvMZ2ezNtMC88tC8NtnJ8yBPxBLS7k1f/IrYVL
-OHUKIgiZvAfTg3GSj/iiNespDd665okkzRb0QNQ=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 -----END CERTIFICATE-----
 )";
   const char* kKey = R"(
diff --git a/src/kudu/server/webserver-test.cc 
b/src/kudu/server/webserver-test.cc
index b62120c29..e765ee8ed 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -59,6 +59,7 @@ using std::unique_ptr;
 using strings::Substitute;
 
 DECLARE_int32(webserver_max_post_length_bytes);
+DECLARE_string(trusted_certificate_file);
 
 DEFINE_bool(test_sensitive_flag, false, "a sensitive flag");
 TAG_FLAG(test_sensitive_flag, sensitive);
@@ -98,7 +99,10 @@ class WebserverTest : public KuduTest {
     opts.port = 0;
     opts.doc_root = static_dir_;
     opts.enable_doc_root = enable_doc_root();
-    if (use_ssl()) SetSslOptions(&opts);
+    if (use_ssl()) {
+      SetSslOptions(&opts);
+      cert_path_ = opts.certificate_file;
+    }
     if (use_htpasswd()) SetHTPasswdOptions(&opts);
     MaybeSetupSpnego(&opts);
     server_.reset(new Webserver(opts));
@@ -142,6 +146,7 @@ class WebserverTest : public KuduTest {
   Sockaddr addr_;
   string url_;
   string static_dir_;
+  string cert_path_;
 };
 
 class SslWebserverTest : public WebserverTest {
@@ -413,8 +418,8 @@ TEST_F(WebserverTest, TestHttpCompression) {
 }
 
 TEST_F(SslWebserverTest, TestSSL) {
-  // We use a self-signed cert, so we need to disable cert verification in 
curl.
-  curl_.set_verify_peer(false);
+  // We use a self-signed cert, so we have to trust it manually.
+  FLAGS_trusted_certificate_file = cert_path_;
 
   ASSERT_OK(curl_.FetchURL(url_, &buf_));
   // Should have expected title.
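Review bot: The assignment `FLAGS_trusted_certificate_file = cert_path_;` on the added line mutates a process-global gflag and is never restored, so every later test in this binary that goes through EasyCurl with peer verification enabled will use this test's self-signed certificate as its sole CA bundle (and the file lives in a per-test temp dir that may no longer exist by then). Scoping the override with `google::FlagSaver saver;` immediately before the assignment restores the previous value when TestSSL returns. The body of TestSSL continues past the end of this hunk.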
diff --git a/src/kudu/util/curl_util.cc b/src/kudu/util/curl_util.cc
index 8e0756e1e..439ada168 100644
--- a/src/kudu/util/curl_util.cc
+++ b/src/kudu/util/curl_util.cc
@@ -25,6 +25,7 @@
 #include <vector>
 
 #include <curl/curl.h>
+#include <gflags/gflags.h>
 #include <glog/logging.h>
 
 #include "kudu/gutil/strings/substitute.h"
@@ -36,6 +37,10 @@ using std::string;
 using std::vector;
 using strings::Substitute;
 
+DEFINE_string(trusted_certificate_file, "",
+              "Path to a PEM file that contains certificate(s) to be trusted 
when "
+              "Kudu acts as a client (e.g. when talking to a KMS service.");
+
 namespace kudu {
 
 namespace {
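Review bot: The help string of the new `trusted_certificate_file` flag is missing the closing parenthesis after "KMS service" and does not say that the file replaces, rather than extends, the default CA bundle (which is how CURLOPT_CAINFO behaves in the hunk that consumes it), so an operator setting it for a KMS may be surprised when other TLS peers stop verifying. I would write it as `"Path to a PEM file that contains certificate(s) to be trusted when Kudu acts as a client (e.g. when talking to a KMS service). When set, this file is used instead of the system CA bundle."` Kudu flags on this page are tagged (see `TAG_FLAG(test_sensitive_flag, sensitive)` in webserver-test.cc); this one probably wants `TAG_FLAG(trusted_certificate_file, advanced);` or similar next to the definition.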
@@ -121,6 +126,9 @@ Status EasyCurl::DoRequest(const string& url,
   if (!verify_peer_) {
     CURL_RETURN_NOT_OK(curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYHOST, 0));
     CURL_RETURN_NOT_OK(curl_easy_setopt(curl_, CURLOPT_SSL_VERIFYPEER, 0));
+  } else if (!FLAGS_trusted_certificate_file.empty()) {
+    CURL_RETURN_NOT_OK(curl_easy_setopt(curl_, CURLOPT_CAINFO,
+                                        
FLAGS_trusted_certificate_file.c_str()));
   }
 
   switch (auth_type_) {
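Review bot: The added `else if` branch hands the flag value to `curl_easy_setopt(curl_, CURLOPT_CAINFO, ...)`, which only stores the path; a missing, unreadable or malformed PEM file is not detected here and instead surfaces as a certificate-verification failure on every request at perform time, which is hard to attribute to a misconfigured flag. A gflags `DEFINE_validator` on `trusted_certificate_file` that rejects a path which does not exist or is not readable would turn that into a startup error. Note also that once the flag is set the system CA bundle is no longer consulted for this request, which is what the flag's help text should state. `EasyCurl::DoRequest` starts before and continues after this hunk.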
