Alexey Serbin has posted comments on this change.

Change subject: [TLS cert management] added protobuf interface
......................................................................

Patch Set 1:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/5673/1/src/kudu/security/security.proto
File src/kudu/security/security.proto:

PS1, Line 50: // X509 formats.
            : enum DataFormat {
            :   DER = 0;
            :   PEM = 1;
            : }
> per comment elsewhere, dunno if it's really advantageous to support both...

That's pretty surprising -- PEM is a ubiquitous format. So, do you think we should leave only DER format in the context of this RPC interface?

PS1, Line 114: prior/current/next
> This makes it sound like there will always be three valid ones. From the cl

After some consideration I think there is no 'next' certificate: it's always current and valid prior ones, if any. We switch to the new one as soon as it's generated, making it current. When we start the very first time, there will be just the newly generated one.

Depending on the parameters of pre-expire cert generation, there might be more than 3 valid certs. Of course, the parameters should be set to allow having not too many valid certs at a time, but I don't think we should put a limit on the number of those if we control the generation of the certs using just 2 parameters: cert validity interval (for how long the generated certs are valid, starting from now) and pre-expiration time (for how long before current cert expires generate a new one).

However, I like the brevity and simplicity of 'all valid CA certs' :) Will just add that the current comes first.

--
To view, visit http://gerrit.cloudera.org:8080/5673

Gerrit-MessageType: comment
Gerrit-Change-Id: I9ff31e56be42bfa8d0f9b908ba2ccd2734407f55
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Dan Burkert
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Mike Percy
Gerrit-Reviewer: Todd Lipcon
Gerrit-HasComments: Yes
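The two-parameter rotation scheme discussed in the message above, modelled as an added example; this is not code from the change under review or from Kudu. The names `CaCert`, `CaCertRotation` and `MaxValidCerts`, the use of seconds, and the sample parameters are assumptions made for illustration. It shows that the count of simultaneously valid CA certs follows from the validity interval and pre-expiration time alone, and can exceed three.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical model of the rotation policy; names are not Kudu's.
struct CaCert { int64_t serial, not_before, not_after; };  // times in seconds

// Upper bound on simultaneously valid certs: ceil(validity / (validity - pre_exp)).
int64_t MaxValidCerts(int64_t validity, int64_t pre_exp) {
  const int64_t step = validity - pre_exp;  // time between two generations
  return (validity + step - 1) / step;
}

class CaCertRotation {
 public:
  CaCertRotation(int64_t validity, int64_t pre_exp)
      : validity_(validity), pre_exp_(pre_exp) {
    if (pre_exp < 0 || pre_exp >= validity)
      throw std::invalid_argument("need 0 <= pre_exp < validity");
  }

  // Advance the clock to `now` (non-decreasing across calls) and return all
  // valid CA certs, current one first.
  std::vector<CaCert> ValidCertsAt(int64_t now) {
    if (certs_.empty()) Issue(now);  // very first start: only the new cert
    // Generate a successor once the current cert is within pre_exp_ of expiry;
    // the new cert becomes current immediately.
    while (certs_.front().not_after - pre_exp_ <= now)
      Issue(certs_.front().not_after - pre_exp_);
    // Drop prior certs that have expired.
    certs_.erase(std::remove_if(certs_.begin(), certs_.end(),
                                [now](const CaCert& c) { return c.not_after <= now; }),
                 certs_.end());
    return certs_;
  }

 private:
  void Issue(int64_t t) {
    certs_.insert(certs_.begin(), CaCert{next_serial_++, t, t + validity_});
  }
  const int64_t validity_, pre_exp_;
  int64_t next_serial_ = 1;
  std::vector<CaCert> certs_;  // newest (current) first
};

int main() {
  CaCertRotation rot(30, 25);  // constructed sample parameters
  for (int64_t t : {0, 5, 100})
    std::printf("t=%lld valid=%zu\n", (long long)t, rot.ValidCertsAt(t).size());
  return 0;
}
```

With a validity of 30 and a pre-expiration time of 25, a verifier that trusts "all valid CA certs" has to hold six of them at once, so the pre-expiration time is the setting that bounds the trust list.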
