Todd Lipcon has submitted this change and it was merged.

Change subject: [security] generate self-signed certs on server startup
......................................................................
[security] generate self-signed certs on server startup

Masters and tablet servers now generate a keypair and self-signed cert at
startup for accepting TLS connections. Additionally, the tablet server will
now request and receive a CA-signed cert from the Master during heartbeat.
As a result, connections between servers and between servers and TLS-capable
clients will now use TLS.

The responsibilities of ServerCertManager have been rolled into TlsContext,
since they overlapped a great deal. This resulted in an overall simpler flow
for acquiring, storing, and using TLS certs.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Reviewed-on: http://gerrit.cloudera.org:8080/5955
Tested-by: Kudu Jenkins
Reviewed-by: Todd Lipcon <[email protected]>
---
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
22 files changed, 622 insertions(+), 363 deletions(-)

Approvals:
  Todd Lipcon: Looks good to me, approved
  Kudu Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/5955
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 9
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
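The commit message above makes two points worth seeing end to end: a startup-generated self-signed cert must carry keyUsage keyCertSign or OpenSSL will not recognise the self-signature, and the master then issues a CA-signed cert to the tablet server. The script below is an added example, not code from the Kudu change or from the project: it reproduces that flow with the openssl command-line tool, building a self-signed CA cert with keyCertSign, issuing a server cert from it, and checking that OpenSSL accepts both. The file names, the subject names kudu-master-demo and kudu-tserver-demo, and the config sections are assumptions for the demo; it needs openssl 1.1.1 or newer (for `x509 -ext`).

```shell
#!/bin/sh
# Added example (not Kudu code): a self-signed CA cert that OpenSSL accepts as
# its own issuer, then a server cert signed by it. Mirrors the two flows in the
# commit message: self-signed cert at startup, CA-signed cert from the master.
# Names, paths and config sections below are assumptions for this demo.
set -eu

# write_config DIR: minimal req config plus the extension sections we sign with.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder

# Self-signed root: CA:TRUE plus keyCertSign is what lets OpenSSL treat the
# cert as its own issuer when verifying (the point the commit message makes).
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf cert for a server: no CA flag, no keyCertSign, TLS usages only.
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_self_signed_ca DIR CN: keypair + self-signed cert with the v3_ca extensions.
make_self_signed_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -key "$1/ca.key" -subj "/CN=$2" \
        -config "$1/openssl.cnf" -out "$1/ca.csr" 2>/dev/null
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 -sha256 \
        -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/ca.pem" 2>/dev/null
}

# issue_server_cert DIR CN: keypair + CSR for a server, signed by the CA above.
issue_server_cert() {
    openssl genrsa -out "$1/tserver.key" 2048 2>/dev/null
    openssl req -new -key "$1/tserver.key" -subj "/CN=$2" \
        -config "$1/openssl.cnf" -out "$1/tserver.csr" 2>/dev/null
    openssl x509 -req -in "$1/tserver.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/tserver.pem" 2>/dev/null
}

# has_key_cert_sign CERT: exit 0 iff the cert's keyUsage includes keyCertSign.
has_key_cert_sign() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign'
}

# verifies_against CA CERT: exit 0 iff CERT chains to CA. Passing the CA cert
# as both arguments checks that OpenSSL recognises its self-signature.
verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: RFC 2253 subject, e.g. "CN=kudu-tserver-demo".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# setup_pki DIR: the whole flow; leaves ca.pem and tserver.pem in DIR.
setup_pki() {
    write_config "$1"
    make_self_signed_ca "$1" kudu-master-demo
    issue_server_cert "$1" kudu-tserver-demo
}

main() {
    work=$(mktemp -d)
    setup_pki "$work"
    has_key_cert_sign "$work/ca.pem" && echo "ca.pem: keyUsage includes keyCertSign"
    verifies_against "$work/ca.pem" "$work/ca.pem" && echo "ca.pem: self-signature accepted"
    verifies_against "$work/ca.pem" "$work/tserver.pem" && echo "tserver.pem: chains to ca.pem"
    echo "tserver subject: $(cert_subject "$work/tserver.pem")"
    rm -rf "$work"
}

main
```

The check that matters for the commit's point is `verifies_against ca.pem ca.pem`: on OpenSSL 1.1 the verifier only marks a cert as self-signed when its keyUsage permits keyCertSign, so removing keyCertSign from the `[v3_ca]` section makes that verify call fail even though the signature itself is fine. The server cert deliberately gets no keyCertSign and no CA flag, which is what you want for a leaf that is only meant to terminate TLS.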
