Alexey Serbin has posted comments on this change.

Change subject: master: complete hooking up tokens and IPKI
......................................................................


Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/6075/3/src/kudu/master/catalog_manager.cc
File src/kudu/master/catalog_manager.cc:

PS3, Line 781:   auto* tls = master_->mutable_tls_context();
             :   RETURN_NOT_OK_PREPEND(tls->AddTrustedCertificate(ca->ca_cert()),
             :                         "could not trust master CA cert");
             :   // If we haven't signed our own server cert yet, do so.
             :   boost::optional<security::CertSignRequest> csr =
             :       tls->GetCsrIfNecessary();
             :   if (csr) {
             :     Cert cert;
             :     RETURN_NOT_OK_PREPEND(ca->SignServerCSR(*csr, &cert),
             :                           "couldn't self-sign master cert with CA cert");
             :     RETURN_NOT_OK_PREPEND(tls->AdoptSignedCert(cert),
             :                           "couldn't adopt signed master cert");
As I understand it, CheckInitCertAuthority() is called only in the context of the become-a-leader callback. If I'm not mistaken, follower masters also need their server certs. If so, consider moving this into some other place.

With c06a3bc66e59e9467b599e85714825347aacf7ec just committed, CheckInitCertAuthority() is split into LoadCertAuthorityInfo()/StoreCertAuthorityInfo() and InitCertAuthority(). With that, I think it's possible to call LoadCertAuthorityInfo() and then call the piece of code above in CatalogManagerBgTasks::Run().


http://gerrit.cloudera.org:8080/#/c/6075/3/src/kudu/security/tls_context.cc
File src/kudu/security/tls_context.cc:

Line 157:   return Status::OK();
nit: does it make sense to add a log about an attempt to add an already present cert?


-- 
To view, visit http://gerrit.cloudera.org:8080/6075

Gerrit-MessageType: comment
Gerrit-Change-Id: I3dfadb427491c7b406ad2d2bc1245b3a1cdb9170
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
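The sequence quoted in the first comment (trust the CA cert, request a CSR only if no signed server cert is held yet, have the CA sign it, adopt the result) is worth seeing end to end, together with the two points the review raises: a follower master running the same sequence ends up with a server cert the leader can verify, and adding an already trusted CA cert is a no-op. The block below is an added illustration written for this page in Go with the standard library; it is not Kudu code and does not reproduce Kudu's C++ TlsContext or CertAuthority classes. The type and method names (CertAuthority, TLSContext, Bootstrap, VerifyPeer, and so on), the P-256 keys, the 24-hour validity and the sequential serial counter are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertAuthority stands in for the master CA: its key, self-signed cert and last issued serial.
// Hypothetical analogue of the CA object the quoted hunk calls ca->SignServerCSR on.
type CertAuthority struct {
	key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	serial int64
}

// NewCertAuthority generates a fresh self-signed CA (stand-in for InitCertAuthority).
func NewCertAuthority() (*CertAuthority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kudu-master-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CertAuthority{key: key, Cert: cert, serial: 1}, err
}

// SignServerCSR checks the CSR's proof-of-possession signature, then issues a server cert.
func (ca *CertAuthority) SignServerCSR(csr *x509.CertificateRequest) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("bad CSR signature: %w", err)
	}
	ca.serial++ // sequential serials keep the example short; a real CA uses random ones
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TLSContext stands in for a node's TLS state: its key, its signed cert (nil until adopted)
// and its trust store. Hypothetical analogue of the tls object in the quoted hunk.
type TLSContext struct {
	name  string
	key   *ecdsa.PrivateKey
	Cert  *x509.Certificate
	roots *x509.CertPool
}

func NewTLSContext(name string) (*TLSContext, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &TLSContext{name: name, key: key, roots: x509.NewCertPool()}, err
}

// AddTrustedCertificate returns false, and changes nothing, when the cert is already trusted:
// the case the tls_context.cc nit asks to log.
func (t *TLSContext) AddTrustedCertificate(c *x509.Certificate) bool {
	before := t.roots.Clone()
	t.roots.AddCert(c) // CertPool.AddCert skips a cert the pool already holds
	return !t.roots.Equal(before)
}

// GetCsrIfNecessary returns a CSR for our key only while no signed cert has been adopted.
func (t *TLSContext) GetCsrIfNecessary() (*x509.CertificateRequest, error) {
	if t.Cert != nil {
		return nil, nil
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: t.name}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, t.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// VerifyPeer checks another node's server cert against this node's trust store.
func (t *TLSContext) VerifyPeer(c *x509.Certificate) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: t.roots})
	return err
}

// AdoptSignedCert refuses a cert that is not for our key or does not chain to a trusted CA.
func (t *TLSContext) AdoptSignedCert(c *x509.Certificate) error {
	if pub, ok := c.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&t.key.PublicKey) {
		return errors.New("cert public key does not match our private key")
	}
	if err := t.VerifyPeer(c); err != nil {
		return fmt.Errorf("cert does not chain to a trusted CA: %w", err)
	}
	t.Cert = c
	return nil
}

// Bootstrap runs the quoted sequence for any master, leader or follower alike.
func Bootstrap(t *TLSContext, ca *CertAuthority) error {
	t.AddTrustedCertificate(ca.Cert)
	csr, err := t.GetCsrIfNecessary()
	if err != nil || csr == nil {
		return err // nil csr: a signed cert is already held, nothing to do
	}
	cert, err := ca.SignServerCSR(csr)
	if err != nil {
		return err
	}
	return t.AdoptSignedCert(cert)
}

func main() {
	ca, _ := NewCertAuthority()
	for _, name := range []string{"master-leader", "master-follower"} {
		tc, _ := NewTLSContext(name)
		fmt.Println(name, "bootstrap err:", Bootstrap(tc, ca), "has cert:", tc.Cert != nil)
	}
}
```

Bootstrap is written so that calling it again on a node that already holds a cert does nothing, which is what makes it safe to run from a periodic task on every master rather than only from the leader callback; AdoptSignedCert checks both that the cert is for the node's own key and that it chains to a trusted CA before replacing the node's cert.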
