Todd Lipcon has submitted this change and it was merged.

Change subject: [security] adjust TLS certificate verification
......................................................................


[security] adjust TLS certificate verification

This commit adjusts when TLS certificate verification is performed in
the client and server, and adds a test of negotiating GSSAPI with TLS.
In the client, the server's cert is not verified when using the GSSAPI
SASL mech, since Kerberos provides strong authn. In the server, client
cert verification is disabled entirely. We'll have to turn it on in the
future selectively when we add support for client certs.

As part of this change, we no longer allow the SASL library to choose
the mechanism to use.  Instead, we determine the mechanism manually
using a simple heuristic: prefer GSSAPI to PLAIN. When we add support
for more mechanisms (e.g. KUDU_TOKEN), we'll update the heuristic
accordingly.

Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
Reviewed-on: http://gerrit.cloudera.org:8080/5865
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Kudu Jenkins
Reviewed-by: Todd Lipcon <[email protected]>
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/sasl_helper.cc
M src/kudu/rpc/sasl_helper.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/tls_handshake.h
10 files changed, 180 insertions(+), 72 deletions(-)

Approvals:
  Todd Lipcon: Looks good to me, approved
  Alexey Serbin: Looks good to me, but someone else must approve
  Kudu Jenkins: Verified



-- 
To view, visit http://gerrit.cloudera.org:8080/5865

Gerrit-MessageType: merged
Gerrit-Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Henry Robinson <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
