Todd Lipcon has submitted this change and it was merged. Change subject: security: generate certs on the tserver, sign them on the master ......................................................................
security: generate certs on the tserver, sign them on the master This adds a bit of plumbing for the self-hosted PKI: * Servers (both TS and Master) have a new ServerCertManager instance which generate a private key on startup. They also generate a CSR and adopt a signed cert once provided. This is also a convenient place to stash the set of CA certs and plumb them through to the SSL library, though that isn't implemented yet. * Similarly, the master has a MasterCertAuthority instance which generates a key and self-signed CA cert on startup. It can then sign certs provided by other servers. This may change a bit in the future as the CA cert will have to be loaded from the system tablet if it's available, rather than generated on startup. * When the TS heartbeats, it checks if the cert manager has a signed cert yet. If not, it sends the CSR to the master in DER format. * If the master gets a heartbeat with a CSR, it signs it and returns the signed cert in the heartbeat response. The tablet server then adopts this as its cert. A number of items are left as follow-ons. I noted them with "TODO(PKI)" so that they'll be easy to grep for before we call this feature done. In particular: * Currently the master doesn't yet sign its own cert. This is going to have some interaction with the storage of certs in the catalog table, so want to wait until that code is integrated before figuring out where to plug this in. * The built-in PKI stuff should have a flag to disable it. Again I wasn't sure the best place to put it for now, and it's nice to get the test coverage of this new code all the time. We can add this flag at the same point when we add the appropriate flags to configure your own PKI. * Various other questions and vague thoughts that we can address as we go. Note that this doesn't add any actual functionality, since the resulting certs aren't actually attached to the RPC system in any way. Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b Reviewed-on: http://gerrit.cloudera.org:8080/5766 Reviewed-by: Dan Burkert <[email protected]> Tested-by: Todd Lipcon <[email protected]> --- M src/kudu/integration-tests/registration-test.cc M src/kudu/master/CMakeLists.txt M src/kudu/master/master.cc M src/kudu/master/master.h M src/kudu/master/master.proto A src/kudu/master/master_cert_authority.cc A src/kudu/master/master_cert_authority.h M src/kudu/master/master_service.cc M src/kudu/security/CMakeLists.txt A src/kudu/security/server_cert_manager.cc A src/kudu/security/server_cert_manager.h M src/kudu/server/server_base.cc M src/kudu/server/server_base.h M src/kudu/tserver/CMakeLists.txt M src/kudu/tserver/heartbeater.cc 15 files changed, 511 insertions(+), 11 deletions(-) Approvals: Dan Burkert: Looks good to me, approved Todd Lipcon: Verified -- To view, visit http://gerrit.cloudera.org:8080/5766 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: merged Gerrit-Change-Id: I3eb8ab4edc17e2fa1a54e0123a06dabc59a0489b Gerrit-PatchSet: 7 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Todd Lipcon <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]>
