Todd Lipcon has submitted this change and it was merged.

Change subject: KuduRPC integration with OpenSSL
......................................................................

KuduRPC integration with OpenSSL

This patch adds SSL support for the RPC layer in Kudu. It uses the OpenSSL library for this purpose.

This is achieved by subclassing 'Socket' to add 'SSLSocket' which calls into the OpenSSL library for auth/read/write/shutdown.

SSL is enabled only at a 'Connection' object level, i.e. the AcceptorPool still only works with regular 'Socket's, and the reactor threads also use a regular 'Socket' on a new outgoing call. The first point of any SSL activity happens in the context of the negotiation pool, where the SSL handshake happens before the SASL handshake. On a successful handshake, further communication is encrypted on that 'Connection'.

A 'SSLFactory' is created at the 'Messenger' level. This factory is in charge of creating 'SSLSocket' objects when necessary and also keeps track of the certificates, keys and the SSL context that is shared among all the sockets of that 'Messenger'.

The x509_check_host() function is ported from OpenSSL-1.1.0b which we use when the version of OpenSSL detected is less than 1.0.2. It is added in util/x509_check_host.cc/h.

Added a parameter to the rpc-test to additionally run the tests with SSL enabled.

Future TODOs:
- Allow loading keys as strings vs files. (Need to use different APIs)
- Consider porting x509_check_ip and x509_check_ip_ascii.

Change-Id: I27167faa4e6a78e59b46093055b16682c93af0ea
Reviewed-on: http://gerrit.cloudera.org:8080/4789
Reviewed-by: Sailesh Mukil <[email protected]>
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>
Reviewed-by: Todd Lipcon <[email protected]>
---
M CMakeLists.txt
M LICENSE.txt
M NOTICE.txt
M build-support/lint.sh
M src/kudu/rpc/connection.cc
M src/kudu/rpc/connection.h
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/negotiation.cc
M src/kudu/rpc/reactor.cc
M src/kudu/rpc/rpc-test-base.h
M src/kudu/rpc/rpc-test.cc
M src/kudu/rpc/sasl_client.cc
M src/kudu/rpc/sasl_client.h
M src/kudu/rpc/sasl_rpc-test.cc
M src/kudu/rpc/sasl_server.cc
M src/kudu/rpc/sasl_server.h
M src/kudu/util/CMakeLists.txt
M src/kudu/util/net/net_util-test.cc
M src/kudu/util/net/socket.cc
M src/kudu/util/net/socket.h
A src/kudu/util/net/ssl_factory.cc
A src/kudu/util/net/ssl_factory.h
A src/kudu/util/net/ssl_socket.cc
A src/kudu/util/net/ssl_socket.h
A src/kudu/util/x509_check_host.cc
A src/kudu/util/x509_check_host.h
27 files changed, 1,373 insertions(+), 122 deletions(-)

Approvals:
  Sailesh Mukil: Looks good to me, but someone else must approve
  Todd Lipcon: Looks good to me, approved
  Alexey Serbin: Looks good to me, approved
  Kudu Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/4789
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I27167faa4e6a78e59b46093055b16682c93af0ea
Gerrit-PatchSet: 9
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
