Hello Kudu Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/5955
to look at the new patch set (#2).
Change subject: WIP: generate self-signed certs on server startup, remove
server_cert_manager
......................................................................
WIP: generate self-signed certs on server startup, remove server_cert_manager

This builds off https://gerrit.cloudera.org/#/c/5948/, and adds the
removal of ServerCertManager in favor of rolling the functionality into
TlsContext. ServerCertManager and TlsContext previously had a lot of
overlap in functionality, and having them separate led to awkward
lifetime issues between them. It also incidentally fixed a bug where the
server cert manager was giving a signed cert to the tls context, the tls
context rejected it, and the server cert manager still went on thinking
no signed cert was needed.

Before the servers get certs signed by the internal CA, we still need to
have some kind of cert to support GSSAPI-authenticated connections. This
patch makes the servers generate self-signed certs, and changes the RPC
layer to check whether the TlsContext has a cert in order to decide
whether to advertise TLS.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.

With this patch, TLS-capable clients and servers will now encrypt
traffic. I checked that using 'kudu table list' and tshark with a
vanilla configuration kudu-master running locally.

WIP:
- may not want to enable TLS by default until we have the localhost
'no-encryption' optimization in place
- registration test is failing because the tserver is not loading the
master's CA cert into its trust store.

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
---
M src/kudu/client/client-internal.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
21 files changed, 611 insertions(+), 376 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/55/5955/2
--
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>