Hello Tidy Bot, Dan Burkert, Kudu Jenkins, Adar Dembo, Todd Lipcon,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/9052
to look at the new patch set (#9).
Change subject: KUDU-1927: no half-baked responses on ConnectToMaster
......................................................................
KUDU-1927: no half-baked responses on ConnectToMaster
Do not send half-baked responses to clients from a master that declares
itself a leader if its catalog manager/CA authority/TokenSigner
are not in proper state.
While working on AuthTokenIssuingTest.ChannelConfidentiality test,
I noticed that implementation of MasterServiceImpl::ConnectToMaster()
allowed for getting a success response without proper authn/security
information in case if the master hasn't been established as a leader
yet. By examining the code further I found that could happen not
only at the very first startup of a master, but also during master
re-elections in case of multi-master setup.
If a legit client connects to master but it does not get CA cert and
authn token, it might be a situation when it works flawlessly with
masters and tablet servers using its Kerberos credentials, but the
exported authentication credentials contain neither CA cert nor authn
token. The latter is very surprising in cases when the credentials
are later imported by other Kudu client applications that do not have
Kerberos credentials in their environment. If so, the client is not
able to connect to a secured Kudu cluster at all.
Added a dedicated integration test to verify that the new implementation
does not allow for such a behavior. In addition, updated the already
existing AuthTokenIssuingTest.ChannelConfidentiality test so now it
provides some coverage for the new code as well.
Change-Id: Ib9c906863f5f0e1995041281b122135e1b2cd3a4
---
M src/kudu/client/client.h
M src/kudu/integration-tests/master_cert_authority-itest.cc
M src/kudu/integration-tests/security-itest.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/master_cert_authority.cc
M src/kudu/master/master_cert_authority.h
M src/kudu/master/master_service.cc
7 files changed, 199 insertions(+), 65 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/52/9052/9
--
To view, visit http://gerrit.cloudera.org:8080/9052
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib9c906863f5f0e1995041281b122135e1b2cd3a4
Gerrit-Change-Number: 9052
Gerrit-PatchSet: 9
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <[email protected]>
