Todd Lipcon has submitted this change and it was merged.

Change subject: master: complete hooking up tokens and IPKI
......................................................................

master: complete hooking up tokens and IPKI

This makes a few changes necessary to complete hooking up the master
with the IPKI system and tokens:

* When a master first becomes leader, it uses the CA cert to sign its
  own server cert, and then adopts it. To make this code a little less
  messy, I made AddTrustedCertificate idempotent rather than returning
  AlreadyPresent() if the cert was already trusted.

* The TokenSigner's associated TokenVerifier is now passed in as a
  constructor argument rather than constructed as part of the signer.
  This allows the Signer to be hooked up to the same Verifier used by
  the Messenger to verify incoming connections using TOKEN
  authentication.

  I took the most expedient path here of using shared ownership, since
  the Messenger lifecycle is quite tricky and I wasn't completely sure
  that the teardown sequence would be safe with single-ownership. The
  chances of shared_ptr cycles should be low since TokenVerifier is a
  standalone class.

This also adds a new simple test which verifies that, when starting a
master, it learns about a TSK and signs its own cert.

Change-Id: I3dfadb427491c7b406ad2d2bc1245b3a1cdb9170
Reviewed-on: http://gerrit.cloudera.org:8080/6075
Reviewed-by: Dan Burkert <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Kudu Jenkins
---
M src/kudu/client/client-internal.cc
M src/kudu/integration-tests/delete_table-test.cc
M src/kudu/integration-tests/master_failover-itest.cc
M src/kudu/integration-tests/token_signer-itest.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/master-test.cc
M src/kudu/master/master.cc
M src/kudu/master/master_cert_authority.cc
M src/kudu/master/master_cert_authority.h
M src/kudu/rpc/messenger.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/security/token_signer.h
16 files changed, 96 insertions(+), 33 deletions(-)

Approvals:
  Dan Burkert: Looks good to me, approved
  Alexey Serbin: Looks good to me, approved
  Kudu Jenkins: Verified

--
To view, visit http://gerrit.cloudera.org:8080/6075
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3dfadb427491c7b406ad2d2bc1245b3a1cdb9170
Gerrit-PatchSet: 5
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
