Todd Lipcon has posted comments on this change.

Change subject: master: issue authentication tokens and CA certs to clients
......................................................................


Patch Set 6:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/5871/6/src/kudu/master/authn_token_manager.cc
File src/kudu/master/authn_token_manager.cc:

PS6, Line 31: int64
> nit: is it crucial to have 64-bit number here?

I suppose it's not crucial, since 32-bit already handles the next 60+ years, but it doesn't really harm anything and makes silly overflow bugs a little less likely.


http://gerrit.cloudera.org:8080/#/c/5871/6/src/kudu/master/master.proto
File src/kudu/master/master.proto:

Line 560: message ConnectToMasterRequestPB {
> It's worth noting that this is true for the CA cert as well - if the client

Done


PS6, Line 576: repeated bytes ca_cert_der = 3;
> nit: is it worth adding the REDACT attribute?

the CA cert is public information, don't think it's necessary to redact


PS6, Line 581: optional security.SignedTokenPB authn_token = 4
> nit: consider adding the REDACT attribute since the auth_token is a piece o

the signature itself inside SignedTokenPB is already marked as redacted. I think leaving the PB itself unredacted is useful since seeing the signing_key_seq_num can be useful for debugging, for example.


http://gerrit.cloudera.org:8080/#/c/5871/6/src/kudu/master/master_cert_authority.h
File src/kudu/master/master_cert_authority.h:

PS6, Line 87: std::string
> nit: is it possible to return const ref to the member here?

Done


--
To view, visit http://gerrit.cloudera.org:8080/5871
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I5969b8e125633b3b14364b98c0d0a992b162f302
Gerrit-PatchSet: 6
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
