[kudu-CR] WIP: generate self-signed certs on server startup, remove server cert manager

Dan Burkert (Code Review) Thu, 09 Feb 2017 00:57:55 -0800

Hello Todd Lipcon, Alexey Serbin,

I'd like you to do a code review.  Please visit


    http://gerrit.cloudera.org:8080/5955

to review the following change.

Change subject: WIP: generate self-signed certs on server startup, remove 
server_cert_manager
......................................................................

WIP: generate self-signed certs on server startup, remove server_cert_manager

This builds off https://gerrit.cloudera.org/#/c/5948/, and adds the
removal of ServerCertManager in favor of rolling the functionality into
TlsContext. ServerCertManager and TlsContext previously had a lot of
overlap in functionality, and by having them separate it led to awkward
lifetime issues between them.

Before the servers get certs signed by the internal CA, we still need to
have some kind of cert to support GSSAPI-authenticated connections. This
patch makes the servers generate self-signed certs, and changes the RPC
layer to check whether the TlsContext has a cert in order to decide
whether to advertise TLS.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.

With this patch, TLS-capable clients and servers will now encrypt
traffic. I checked that using 'kudu table list' and tshark with a
vanilla configuration kudu-master running locally.

WIP:
- may not want to enable TLS by default until we have the localhost
  'no-encryption' optimization in place

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
---
M src/kudu/client/client-internal.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
20 files changed, 538 insertions(+), 345 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/55/5955/1
-- 
To view, visit http://gerrit.cloudera.org:8080/5955
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>

[kudu-CR] WIP: generate self-signed certs on server startup, remove server cert manager

Reply via email to