Hello Todd Lipcon, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/5865

to look at the new patch set (#3).

Change subject: [security] adjust TLS certificate verification
......................................................................

[security] adjust TLS certificate verification

This commit adjusts when TLS certificate verification is performed in
the client and server, and adds a test of negotiating GSSAPI with TLS.
In the client, the server's cert is not verified when using the GSSAPI
SASL mech, since Kerberos provides strong authn. In the server, client
cert verification is disabled entirely. We'll have to turn it on in the
future selectively when we add support for client certs.

As part of this change, we no longer allow the SASL library to choose
the mechanism to use. Instead, we determine the mechanism manually using
a simple heuristic: prefer GSSAPI to PLAIN. When we add support for more
mechanisms (e.g. KUDU_TOKEN), we'll update the heuristic accordingly.

Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/sasl_helper.cc
M src/kudu/rpc/sasl_helper.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/tls_handshake.h
10 files changed, 180 insertions(+), 72 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/65/5865/3
--
To view, visit http://gerrit.cloudera.org:8080/5865
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>