[kudu-CR] [security] adjust TLS certificate verification

Thu, 02 Feb 2017 11:19:36 -0800 

Hello Todd Lipcon, Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5865

to look at the new patch set (#3).

Change subject: [security] adjust TLS certificate verification
......................................................................

[security] adjust TLS certificate verification

This commit adjusts when TLS certificate verification is performed in
the client and server, and adds a test of negotiating GSSAPI with TLS.
In the client, the server's cert is not verified when using the GSSAPI
SASL mech, since Kerberos provides strong authn. In the server, client
cert verification is disabled entirely. We'll have to turn it on in the
future selectively when we add support for client certs.

As part of this change, we no longer allow the SASL library to choose
the mechanism to use.  Instead, we determine the mechanism manually
using a simple heuristic: prefer GSSAPI to PLAIN. When we add support
for more mechanisms (e.g. KUDU_TOKEN), we'll update the heuristic
accordingly.

Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/sasl_helper.cc
M src/kudu/rpc/sasl_helper.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/tls_handshake.h
10 files changed, 180 insertions(+), 72 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/65/5865/3
-- 
To view, visit http://gerrit.cloudera.org:8080/5865
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>

Reply via email to