Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/5955

to look at the new patch set (#4).

Change subject: [security] generate self-signed certs on server startup
......................................................................

[security] generate self-signed certs on server startup

Masters and tablet servers now generate a keypair and self-signed cert
at startup for accepting TLS connections. Additionally, the tablet
server will now request and receive a CA-signed cert from the Master
during heartbeat. As a result, connections between servers and between
servers and TLS-capable clients will now use TLS.

The responsibilities of ServerCertManager have been rolled into
TlsContext, since they overlapped a great deal. This resulted in an
overall simpler flow for acquiring, storing, and using TLS certs.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
---
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
22 files changed, 627 insertions(+), 372 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/55/5955/4
-- 
To view, visit http://gerrit.cloudera.org:8080/5955
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
