Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17731 )
Change subject: KUDU-1921 Add ability to require auth/encryption to C++ client ...................................................................... Patch Set 2: Code-Review+1 (3 comments) Overall looks good to me, just a request to evaluate adding a few more test scenarios and clarify on the behavior of the client in an edge case when the client is trying to connect via loopback network interface. http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/client/client.h File src/kudu/client/client.h: http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/client/client.h@336 PS2, Line 336: If the server doesn't support : /// encryption, or it's disabled, the client will fail to connect. Maybe, it's worth clarifying on the expected client's behavior when the client requires encryption, but it tries to connect to a Kudu server via a loopback/local connection in the presence of the --rpc_encrypt_loopback_connections=false flag at the server side? Would client fail or succeed in such a case? http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc File src/kudu/integration-tests/security-itest.cc: http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc@669 PS2, Line 669: } Does it make sense to add the following scenario for a non-secure cluster: a client requires encryption, and masters are running with --rpc_authentication=disabled flag added (the client should be able to connect successfully)? http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc@688 PS2, Line 688: Does it make sense to add a 'mixed' scenario for a non-secure cluster, where a client would require encryption, and masters are running with regular flags, but tablet servers have --rpc_authentication=disabled flag added? I guess the point is to make sure the client gets appropriate error status when it tries to read or write to a tablet server. Yes, that's rather a weird configuration settings, but the idea is to be sure we know the client behaves as expected in such a case. -- To view, visit http://gerrit.cloudera.org:8080/17731 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ia3e800eb7c4e2f8787f0adf1f040d47358d29320 Gerrit-Change-Number: 17731 Gerrit-PatchSet: 2 Gerrit-Owner: Attila Bukor <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Attila Bukor <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Tue, 27 Jul 2021 23:33:16 +0000 Gerrit-HasComments: Yes
