Hello Todd Lipcon, Alexey Serbin,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/5865
to review the following change.
Change subject: [security] adjust TLS certificate verification
......................................................................
[security] adjust TLS certificate verification
This commit adjusts when TLS certificate verification is performed in
the client and server, and adds a test of negotiating GSSAPI with TLS.
In the client, the server's cert is not verified when using the GSSAPI
SASL mech, since Kerberos provides strong authn. In the server, client
cert verification is disabled entirely. We'll have to turn it on in the
future selectively when we add support for client certs.
As part of this change, we no longer allow the SASL library to choose
the mechanism to use. Instead, we determine the mechanism manually
using a simple heuristic: prefer GSSAPI to PLAIN. When we add support
for more mechanisms (e.g. KUDU_TOKEN), we'll update the heuristic
accordingly.
Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
---
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/sasl_helper.cc
M src/kudu/rpc/sasl_helper.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/tls_handshake.h
10 files changed, 109 insertions(+), 70 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/65/5865/1
--
To view, visit http://gerrit.cloudera.org:8080/5865
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id3b1698ccd8434b8d40d567e9d0fa506e4cdc0ca
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
