Todd Lipcon has posted comments on this change. Change subject: [security] tailored TokenSigner for system catalog ......................................................................
Patch Set 13: (4 comments) http://gerrit.cloudera.org:8080/#/c/5930/13/src/kudu/security/token_signer.cc File src/kudu/security/token_signer.cc: PS13, Line 100: // If it's past the key's activity period, it's too late to use it : // for signing: do not consider it as an active key candidate. : no need to change this, but I wonder whether we should still consider it, even if it's past this period. Isn't it better to have _some_ key to use for signing (even if it's past-due for rotation) rather than have to generate a new one which hasn't propagated yet? It's likely a moot point because it only matters if your cluster goes down for a day, but maybe we could just remove these lines. PS13, Line 107: // The criterion is: : // (expire_time - validity_interval) + 2 * rotation_interval <= now : // : nit: no need to duplicate the contents of the below statement PS13, Line 191: // The criterion is: : // (expire_time - validity_interval) + rotation_interval <= now : nit: this is just repeating what's in the code just below Line 252: // (expire_time - validity_interval) + 2 * rotation_interval <= now same -- To view, visit http://gerrit.cloudera.org:8080/5930 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ie2417e2ccba6a1114db366b2f642f95362bf479c Gerrit-PatchSet: 13 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Alexey Serbin <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-HasComments: Yes
