Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18870 )
Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its certificate is trusted on the OS level (installed in /etc/pki). By adding a new flag to trust a PEM file in a custom location, users don't need to install Ranger KMS's certificate in a central location, they can simply provide the PEM file when starting up Kudu servers.

Right now, Ranger KMS is the only such service (Kudu talks to Ranger Admin using its Java client within a subprocess, which uses an XML config file to set the truststore location), but it's possible that in the future, Kudu will act as a client to other services, so the new flag, -trusted_certificate_file, sets the trust in a central location, in curl_util using CURLOPT_CAINFO.

A webserver-test has been updated to use the new trusted certificate flag instead of disabling verifying the peer. The test certificate used in this test had to be updated as well, as the original one had CN=MyName, so the verification failed. It was valid only until 2027 as well. The new certificate expires in 100 years and CN=127.0.0.1.

  Issuer: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/[email protected]
  Validity
    Not Before: Aug 23 08:47:48 2022 GMT
    Not After : Jul 30 08:47:48 2122 GMT
  Subject: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/[email protected]

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Reviewed-on: http://gerrit.cloudera.org:8080/18870
Tested-by: Kudu Jenkins
Reviewed-by: Zoltan Chovan <[email protected]>
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/security/test/test_certs.cc
M src/kudu/server/webserver-test.cc
M src/kudu/util/curl_util.cc
3 files changed, 48 insertions(+), 34 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Zoltan Chovan: Looks good to me, but someone else must approve
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
