Todd Lipcon has posted comments on this change.

Change subject: WIP: rpc: Initiate TLS connection upgrade following SASL negotiation
......................................................................

Patch Set 1:

Regarding TLS-then-SASL vs SASL-then-TLS, I think there is one potentially important difference here:

Previously we'd decided to use asymmetric authentication tokens -- i.e. the client passes a master-signed token to tablet servers to authenticate itself. This token must be passed directly over the wire to the server as part of the connection authentication (unlike a symmetric scheme where the two peers could authenticate by passing only hashes of the token). Given that, the token-passing must happen _after_ an encrypted/server-authenticated channel is established. We were planning on using TLS+certs to ensure that the client doesn't pass a token to an impostor server.

So, if we did SASL-then-TLS, the negotiation with tokens would have to look somewhat like:

  --> SASL NEGOTIATE
  <-- [allowed mechanisms]
  --> SASL "anonymous"
  <-- server "OK"
  --> TLS Upgrade (with the TLS hello)
  <-> [TLS handshake], verify certificate
  --> authentication token
  --> first call (could be pipelined with the token?)
  <-- authentication response

and the negotiation with KRB5 would have to look like:

  --> SASL NEGOTIATE
  <-- [allowed mechs]
  --> SASL GSSAPI
  <--> [SASL negotiation]
  <-- SASL COMPLETE
  --> TLS Upgrade (with TLS hello)
  <-> [TLS handshake]
  <-- TLS server endpoint fingerprint, integrity-protected by SASL (channel binding)
  --> first call (has to wait for the channel binding)

right?

Perhaps we should move this to the google doc and try to flesh out the exact negotiation sequence. I'm thinking it might be possible to use fewer round trips but still be compatible, but a little hard to discuss via gerrit comments.

--
To view, visit http://gerrit.cloudera.org:8080/5484
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: If44a71186eb2cdeebaf46cc372596f3ee6b47ac0
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: No
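
The channel-binding step at the end of the KRB5 sequence above, sketched as an added example (not part of the original comment and not Kudu's code). Assumptions: HMAC-SHA256 under a shared key stands in for the integrity protection of the completed SASL GSSAPI context, the fingerprint is taken as SHA-256 over the certificate bytes, and all names, keys and certificate bytes are hypothetical or constructed.

```python
import hashlib
import hmac

FP_LEN = TAG_LEN = 32  # SHA-256 digest sizes


def endpoint_fingerprint(cert_der: bytes) -> bytes:
    """Fingerprint of the certificate presented in the TLS handshake."""
    return hashlib.sha256(cert_der).digest()


def server_binding_message(sasl_key: bytes, server_cert_der: bytes) -> bytes:
    """Server side: send own fingerprint, integrity-protected by SASL.
    HMAC is a stand-in (assumption) for the GSSAPI integrity layer."""
    fp = endpoint_fingerprint(server_cert_der)
    return fp + hmac.new(sasl_key, fp, hashlib.sha256).digest()


def client_verify_binding(sasl_key: bytes, observed_cert_der: bytes,
                          message: bytes) -> bool:
    """Client side: accept only if the message is authentic AND names the
    certificate this client actually saw on its TLS connection."""
    if len(message) != FP_LEN + TAG_LEN:
        return False
    fp, tag = message[:FP_LEN], message[FP_LEN:]
    expected = hmac.new(sasl_key, fp, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # not produced by the SASL-authenticated peer
    return hmac.compare_digest(fp, endpoint_fingerprint(observed_cert_der))


def run_scenarios() -> dict:
    sasl_key = b"K" * 32                          # constructed session key
    real_cert = b"constructed-DER:CN=tserver"     # constructed cert bytes
    other_cert = b"constructed-DER:CN=impostor"   # constructed cert bytes
    honest = server_binding_message(sasl_key, real_cert)
    # Impostor lacks the SASL key, so it can only guess at a tag.
    forged = server_binding_message(b"X" * 32, other_cert)
    return {
        # Client's TLS session terminates at the authenticated server.
        "direct": client_verify_binding(sasl_key, real_cert, honest),
        # TLS terminated elsewhere; the genuine SASL message is relayed.
        "relayed": client_verify_binding(sasl_key, other_cert, honest),
        # TLS terminated elsewhere; binding message fabricated.
        "forged": client_verify_binding(sasl_key, other_cert, forged),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Only the "direct" case passes, which is why the first call in that sequence has to wait for the binding message before anything sensitive is sent.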
