Hello Alexey Serbin,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5766

to look at the new patch set (#5).

Change subject: security: generate certs on the tserver, sign them on the master
......................................................................

security: generate certs on the tserver, sign them on the master

This adds a bit of plumbing for the self-hosted PKI:

* Servers (both TS and Master) have a new ServerCertManager instance
  which generates a private key on startup. They also generate a CSR and
  adopt a signed cert once provided. This is also a convenient place to
  stash the set of CA certs and plumb them through to the SSL library,
  though that isn't implemented yet.

* Similarly, the master has a MasterCertAuthority instance which generates
  a key and self-signed CA cert on startup. It can then sign certs
  provided by other servers. This may change a bit in the future as the
  CA cert will have to be loaded from the system tablet if it's
  available, rather than generated on startup.

* When the TS heartbeats, it checks if the cert manager has a signed
  cert yet. If not, it sends the CSR to the master in DER format.

* If the master gets a heartbeat with a CSR, it signs it and returns the
  signed cert in the heartbeat response. The tablet server then adopts
  this as its cert.

A number of items are left as follow-ons. I noted them with "TODO(PKI)"
so that they'll be easy to grep for before we call this feature done.
In particular:

* Currently the master doesn't yet sign its own cert. This is going to
  have some interaction with the storage of certs in the catalog table,
  so I want to wait until that code is integrated before figuring out
  where to plug this in.

* The built-in PKI stuff should have a flag to disable it. Again I
  wasn't sure the best place to put it for now, and it's nice to get the
  test coverage of this new code all the time. We can add this flag at
  the same point when we add the appropriate flags to configure your own
  PKI.

* Various other questions and vague thoughts that we can address as we
  go.

Note that this doesn't add any actual functionality, since the resulting
certs aren't actually attached to the RPC system in any way.

Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b
---
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/CMakeLists.txt
M src/kudu/master/master.cc
M src/kudu/master/master.h
M src/kudu/master/master.proto
A src/kudu/master/master_cert_authority.cc
A src/kudu/master/master_cert_authority.h
M src/kudu/master/master_service.cc
M src/kudu/security/CMakeLists.txt
A src/kudu/security/server_cert_manager.cc
A src/kudu/security/server_cert_manager.h
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/CMakeLists.txt
M src/kudu/tserver/heartbeater.cc
15 files changed, 511 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/66/5766/5
-- 
To view, visit http://gerrit.cloudera.org:8080/5766
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b
Gerrit-PatchSet: 5
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
