Hello Todd Lipcon, Alexey Serbin,

I'd like you to do a code review. Please visit

    http://gerrit.cloudera.org:8080/5955

to review the following change.

Change subject: WIP: generate self-signed certs on server startup, remove server_cert_manager
......................................................................

WIP: generate self-signed certs on server startup, remove server_cert_manager

This builds off https://gerrit.cloudera.org/#/c/5948/, and adds the removal of
ServerCertManager in favor of rolling the functionality into TlsContext.
ServerCertManager and TlsContext previously had a lot of overlap in
functionality, and having them separate led to awkward lifetime issues between
them.

Before the servers get certs signed by the internal CA, we still need to have
some kind of cert to support GSSAPI-authenticated connections. This patch makes
the servers generate self-signed certs, and changes the RPC layer to check
whether the TlsContext has a cert in order to decide whether to advertise TLS.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else OpenSSL
won't properly recognize the self-signature.

With this patch, TLS-capable clients and servers will now encrypt traffic. I
checked that using 'kudu table list' and tshark with a vanilla configuration
kudu-master running locally.

WIP:
- may not want to enable TLS by default until we have the localhost
  'no-encryption' optimization in place

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
---
M src/kudu/client/client-internal.cc
M src/kudu/integration-tests/registration-test.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
20 files changed, 538 insertions(+), 345 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/55/5955/1

--
To view, visit http://gerrit.cloudera.org:8080/5955
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>