Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/20050 )

Change subject: KUDU-3448 Add support for encrypting existing keys
......................................................................

KUDU-3448 Add support for encrypting existing keys

On an existing cluster before KUDU-3448, the IPKI and TSK private keys
were stored in clear text. With KUDU-3448, it is now possible to encrypt
these keys, but without this commit, it's not possible to use this
feature in an existing cluster.

This commit introduces a fallback when trying to decrypt the stored
private keys, so that if that fails, it tries to read it without
decrypting it. If it succeeds to read the IPKI private key, it encrypts
it using the password, and rewrites it in the sys-catalog table. It does
no such thing with the TSK, as they will be rolled out soon anyway, but
it encrypts the new keys, so it's still not possible to go back from
encrypted TSKs after a new key has been generated.

This commit doesn't make it possible to rotate the IPKI key.

Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
Reviewed-on: http://gerrit.cloudera.org:8080/20050
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Alexey Serbin <[email protected]>
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/catalog_manager.h
M src/kudu/master/sys_catalog.cc
M src/kudu/master/sys_catalog.h
M src/kudu/security/token_signing_key.cc
6 files changed, 153 insertions(+), 4 deletions(-)

Approvals:
  Alexey Serbin: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/20050
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
Gerrit-Change-Number: 20050
Gerrit-PatchSet: 13
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Abhishek Chennaka <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
