Hello Marton Greber, Tidy Bot, Zoltan Chovan, Alexey Serbin, Kudu Jenkins,
Abhishek Chennaka,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20050

to look at the new patch set (#10).

Change subject: KUDU-3448 Add support for encrypting existing keys
......................................................................

KUDU-3448 Add support for encrypting existing keys

On an existing cluster before KUDU-3448, the IPKI and TSK private keys
were stored in clear text. With KUDU-3448, it is now possible to encrypt
these keys, but without this commit, it's not possible to use this
feature in an existing cluster.

This commit introduces a fallback when trying to decrypt the stored
private keys, so that if that fails, it tries to read them without
decrypting them.

If it succeeds in reading the IPKI private key, it encrypts it using the
password, and rewrites it in the sys-catalog table. It does no such
thing with the TSKs, as they will be rolled out soon anyway, but it
encrypts the new keys, so it's still not possible to go back from
encrypted TSKs after a new key has been generated.

This commit doesn't make it possible to rotate the IPKI key.

Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/sys_catalog.cc
M src/kudu/master/sys_catalog.h
M src/kudu/security/token_signing_key.cc
6 files changed, 145 insertions(+), 4 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/50/20050/10
--
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
Gerrit-Change-Number: 20050
Gerrit-PatchSet: 10
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Abhishek Chennaka <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Zoltan Chovan <[email protected]>