[kudu-CR] security: generate certs on the tserver, sign them on the master

Sun, 22 Jan 2017 21:34:36 -0800 

Hello Dan Burkert, Alexey Serbin, Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5766

to look at the new patch set (#2).

Change subject: security: generate certs on the tserver, sign them on the master
......................................................................

security: generate certs on the tserver, sign them on the master

This adds a bit of plumbing for the self-hosted PKI:

* Tablet Servers have a new TSCertManager instance which generate a
  private key on startup. They also generate a CSR and adopt a signed
  cert once provided. This is also a convenient place to stash the set
  of CA certs and plumb them through to the SSL library, though that
  isn't implemented yet.

* Similarly, the master has a MasterCertManager instance which generates
  a key and self-signed CA cert on startup. It can then sign certs
  provided by tablet servers. This may change a bit in the future as the
  CA public keys will likely have to be persisted in the catalog table,
  etc, but I figure this is at least a starting point to unblock other
  work.

* When the TS heartbeats, it checks if the cert manager has a signed
  cert yet. If not, it sends the CSR to the master in DER format.

* If the master gets a heartbeat with a CSR, it signs it and returns the
  signed cert in the heartbeat response. The tablet server then adopts
  this as its cert.

Note that this doesn't add any actual functionality, since the resulting
certs aren't actually attached to the RPC system in any way.
Additionally, there are plenty of TODOs which we'll need to address in
follow-on patches.

Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b
---
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
M src/kudu/master/master.cc
M src/kudu/master/master.h
M src/kudu/master/master.proto
A src/kudu/master/master_cert_manager.cc
A src/kudu/master/master_cert_manager.h
M src/kudu/master/master_service.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/CMakeLists.txt
M src/kudu/tserver/heartbeater.cc
M src/kudu/tserver/tablet_server.cc
M src/kudu/tserver/tablet_server.h
A src/kudu/tserver/ts_cert_manager.cc
A src/kudu/tserver/ts_cert_manager.h
15 files changed, 508 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/66/5766/2
-- 
To view, visit http://gerrit.cloudera.org:8080/5766
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot

Reply via email to