Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/17731 )
Change subject: KUDU-1921 Add ability to require auth/encryption to C++ client ...................................................................... Patch Set 2: (4 comments) http://gerrit.cloudera.org:8080/#/c/17731/2//COMMIT_MSG Commit Message: PS2: > Just curious, how do we expect applications to use this? Taking Impala's Ku I think it could be used like that, yes. I considered adding some logic to figure out if it should be enabled based on the availability of a ticket cache for example, but I decided it's best to let users/clients decide how to go about it instead of annoying one set of users and leading another to a false sense of security. In Impala's case specifically, I think the approach you described makes sense. http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/client/client.h File src/kudu/client/client.h: http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/client/client.h@336 PS2, Line 336: If the server doesn't support : /// encryption, or it's disabled, the client will fail to connect. > I guess the point is to clarify whether auth-only (without encryption or in It should work, but now that I think about it, I wonder if it's a good idea. Maybe it could be still downgraded this way. What do you think? http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc File src/kudu/integration-tests/security-itest.cc: http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc@669 PS2, Line 669: } > Does it make sense to add the following scenario for a non-secure cluster: Actually that's not a valid setup, if rpc_encryption is disabled, rpc_authentication must be disabled as well: https://github.com/apache/kudu/blob/d0734a1bf8bd45b016fbffa983fbb8c483ed94c9/src/kudu/server/server_base.cc#L350-L355 http://gerrit.cloudera.org:8080/#/c/17731/2/src/kudu/integration-tests/security-itest.cc@688 PS2, Line 688: > Does it make sense to add a 'mixed' scenario for a non-secure cluster, wher It seems it's not a valid setup and the cluster itself won't be able to start. The tablet servers will try to Ping() master, but it will be unauthorized. -- To view, visit http://gerrit.cloudera.org:8080/17731 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ia3e800eb7c4e2f8787f0adf1f040d47358d29320 Gerrit-Change-Number: 17731 Gerrit-PatchSet: 2 Gerrit-Owner: Attila Bukor <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Andrew Wong <[email protected]> Gerrit-Reviewer: Attila Bukor <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Comment-Date: Wed, 28 Jul 2021 17:46:28 +0000 Gerrit-HasComments: Yes
