Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/19709 )
Change subject: [jwt] Verify JWKS URL server TLS certificate by default
......................................................................

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/19709/1/src/kudu/util/curl_util.cc
File src/kudu/util/curl_util.cc:

http://gerrit.cloudera.org:8080/#/c/19709/1/src/kudu/util/curl_util.cc@168
PS1, Line 168: FLAGS_trusted_certificate_file
> EasyCurl class is a common utility class. It could be used to download files

We already use this flag to verify certificates when communicating with Ranger KMS. Ideally, both Ranger KMS and the JWKS server should present a certificate that is signed by a CA that is trusted globally on all servers. If this is not the case, they'd still likely use a local CA that signs all internal certificates, and if they don't install it on each server in /etc/ssl/certs, they can point this flag to a file containing this CA certificate. Worst case, they can use a single file containing multiple certificates in PEM format, and point this flag to that file. I disagree that each server we connect to should use its own trusted certificate file; that seems to go against how certificates should normally work.

--
To view, visit http://gerrit.cloudera.org:8080/19709

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I0fd7b53d651786bbe57642dd14cd477055b80c78
Gerrit-Change-Number: 19709
Gerrit-PatchSet: 1
Gerrit-Owner: Zoltan Chovan <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
Gerrit-Comment-Date: Tue, 11 Apr 2023 09:50:15 +0000
Gerrit-HasComments: Yes
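The "worst case" the comment describes, a single PEM file holding several internal CA certificates, is shown below as an added example; it is not Kudu project code and not part of the review thread. It assumes the openssl CLI is on PATH; the CA and host names (kms-ca, jwks-ca, rogue-ca, kms.internal.example, jwks.internal.example) are made up for illustration. It builds two independent internal CAs, concatenates them into one bundle, and shows that a leaf issued by either CA verifies against the bundle while a leaf from an unrelated CA does not, and that a file holding only one of the CAs rejects the other server's certificate. The bundle file is exactly the kind of input gflags' `--trusted_certificate_file` (FLAGS_trusted_certificate_file in the patch) and libcurl's CURLOPT_CAINFO / `curl --cacert` consume.

```shell
#!/bin/sh
# Added example (not Kudu code): one PEM bundle with several internal CAs.
# Assumes the openssl CLI (1.1.1 or newer) is available. All names below
# are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system's
# openssl.cnf. The empty [dn] section is required by `req` even with -subj.
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
export OPENSSL_CONF="$CFG"

# make_ca NAME: self-signed CA (P-256 key, CA:TRUE, keyCertSign)
make_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -days 1 -config "$CFG" -extensions ca_ext -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf HOST CANAME: server cert for HOST (SAN=DNS:HOST) signed by CANAME
make_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$CFG" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# trust_check HOST CAFILE: prints "trusted" if HOST's cert chains to a CA in
# CAFILE, "untrusted" otherwise. Always returns 0 so it is safe under set -e.
trust_check() {
  if openssl verify -CAfile "$2" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# count_certs FILE: number of PEM certificates in the bundle
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Two internal CAs, one per service, plus an unrelated CA nobody trusts.
make_ca kms-ca
make_ca jwks-ca
make_ca rogue-ca
make_leaf kms.internal.example  kms-ca
make_leaf jwks.internal.example jwks-ca
make_leaf rogue.example         rogue-ca

# A PEM file may hold several certificates back to back; OpenSSL (and hence
# libcurl) loads every one of them, so a single trusted-certificate file
# covers both the Ranger KMS and the JWKS endpoint.
BUNDLE="$WORK/trusted_cas.pem"
cat "$WORK/kms-ca.pem" "$WORK/jwks-ca.pem" > "$BUNDLE"

echo "CAs in bundle: $(count_certs "$BUNDLE")"
echo "kms  vs bundle:      $(trust_check kms.internal.example  "$BUNDLE")"
echo "jwks vs bundle:      $(trust_check jwks.internal.example "$BUNDLE")"
echo "rogue vs bundle:     $(trust_check rogue.example         "$BUNDLE")"
echo "jwks vs kms-ca only: $(trust_check jwks.internal.example "$WORK/kms-ca.pem")"
```

The last line is the case the comment argues against: a file containing only the KMS CA cannot validate the JWKS server, which is why a per-service trust file buys nothing that a shared bundle does not, while the shared bundle still rejects anything not issued by one of the listed CAs. `openssl verify -CAfile` performs the same chain building OpenSSL does inside libcurl when the same file is passed as the CA info, so this is a quick offline way to confirm a bundle before pointing the flag at it.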
