Todd Lipcon has submitted this change and it was merged.
Change subject: [security] security-flags
......................................................................
[security] security-flags
This commit introduces, removes, and renames security flags in an effort
to make the flags more consistent, more understandable, and easier to
use from the command line. Affected flags:

--rpc_authentication
  This is a new flag which will apply to Kudu servers and the kudu
  command line tool which will allow operators to configure a policy
  for authentication of RPC connections. The possible values are
  'enabled', 'disabled', and 'required'. Three states are necessary
  (as opposed to just 'disabled' and 'required') in order to provide a
  graceful upgrade path for clusters from unsecured to secured.
  'enabled' is the default. A follow up commit will hook this flag
  into the RPC system to ensure that authentication is enforced as
  necessary.

--rpc_encryption
  This is a new flag which will apply to Kudu servers and the 'kudu'
  command line tool which allows operators to configure a policy for
  encryption on RPC connections. This is a tristate flag for the same
  reasons as outlined in --rpc_authentication. A follow up commit will
  hook this flag into the RPC system to ensure that encryption is
  enforced as necessary.

--server_require_kerberos
  This flag has been removed, and in its place the --keytab and
  --rpc_authentication=required flags are provided. --keytab is used
  to enable Kerberos authentication on a server, and
  --rpc_authentication=required is used to ensure that all RPCs use
  authentication.

--rpc_certificate_file
--rpc_ssl_server_certificate
  --rpc_certificate_file is replacing --rpc_ssl_server_certificate.
  The latter has a few issues. 1) It's not strictly a server flag, it
  also applies to the kudu CLI tool. 3) It's not consistent with the
  similar --webserver_certificate_file flag.

--rpc_private_key_file
--rpc_ssl_private_key
  --rpc_private_key_file is replacing --rpc_ssl_private_key. Same
  reasons as --rpc_cert.

--rpc_ca_certificate_file
--rpc_ssl_certificate_authority
  --rpc_ca_certificate_file is replacing
  --rpc_ssl_certificate_authority. Same reasons as --rpc_cert.

Change-Id: Iaa53348b8969e83d9f794e1e0553bdec12252d9a
Reviewed-on: http://gerrit.cloudera.org:8080/6052
Tested-by: Kudu Jenkins
Reviewed-by: Todd Lipcon <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/negotiation.cc
M src/kudu/rpc/rpc-test-base.h
M src/kudu/rpc/sasl_common.cc
7 files changed, 123 insertions(+), 50 deletions(-)
Approvals:
Todd Lipcon: Looks good to me, approved
Alexey Serbin: Looks good to me, approved
Kudu Jenkins: Verified
--
To view, visit http://gerrit.cloudera.org:8080/6052
Gerrit-MessageType: merged
Gerrit-Change-Id: Iaa53348b8969e83d9f794e1e0553bdec12252d9a
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
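
The commit message says three states are needed for --rpc_authentication and --rpc_encryption so that a cluster can move from unsecured to secured gracefully. The model below is an added example, not code from this change or from Kudu; the names `Policy`, `Outcome`, `Negotiate` and `RollingStepIsSafe`, and the negotiation semantics stated in the comments, are assumptions made for illustration.

```cpp
// Added illustration: a simplified model, not Kudu's negotiation code.
#include <iostream>
#include <stdexcept>
#include <string>

enum class Policy { kDisabled, kEnabled, kRequired };
enum class Outcome { kUnprotected, kProtected, kRejected };

// Parse a flag value, rejecting anything outside the three documented states.
Policy ParsePolicy(const std::string& v) {
  if (v == "disabled") return Policy::kDisabled;
  if (v == "enabled") return Policy::kEnabled;
  if (v == "required") return Policy::kRequired;
  throw std::invalid_argument("expected disabled|enabled|required, got: " + v);
}

// Assumed semantics: 'disabled' never uses the feature, 'enabled' uses it
// when the peer can, 'required' refuses peers that cannot.
Outcome Negotiate(Policy a, Policy b) {
  const bool any_disabled = a == Policy::kDisabled || b == Policy::kDisabled;
  const bool any_required = a == Policy::kRequired || b == Policy::kRequired;
  if (any_disabled && any_required) return Outcome::kRejected;
  return any_disabled ? Outcome::kUnprotected : Outcome::kProtected;
}

// During a rolling restart, nodes on the old and new setting coexist; the
// step is safe only if every pairing of the two settings can still connect.
bool RollingStepIsSafe(Policy from, Policy to) {
  return Negotiate(from, from) != Outcome::kRejected &&
         Negotiate(from, to) != Outcome::kRejected &&
         Negotiate(to, to) != Outcome::kRejected;
}

int main() {
  const char* steps[][2] = {{"disabled", "required"},
                            {"disabled", "enabled"},
                            {"enabled", "required"}};
  for (const auto& s : steps) {
    const bool ok = RollingStepIsSafe(ParsePolicy(s[0]), ParsePolicy(s[1]));
    std::cout << s[0] << " -> " << s[1] << ": "
              << (ok ? "safe" : "connections rejected mid-roll") << "\n";
  }
  return 0;
}
```

Under these assumed semantics, only the two-step path through 'enabled' keeps every node pairing connectable while the setting rolls out.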