Hello Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/5955

to look at the new patch set (#4).

Change subject: [security] generate self-signed certs on server startup
......................................................................

[security] generate self-signed certs on server startup

Masters and tablet servers now generate a keypair and self-signed cert
at startup for accepting TLS connections. Additionally, the tablet
server will now request and receive a CA-signed cert from the Master
during heartbeat. As a result, connections between servers and between
servers and TLS-capable clients will now use TLS.

The responsibilities of ServerCertManager have been rolled into
TlsContext, since they overlapped a great deal. This resulted in an
overall simpler flow for acquiring, storing, and using TLS certs.

This also changes a bit of code to generate proper self-signed certs.
Self-signed certs need to have the 'keyCertSign' attribute set, or else
OpenSSL won't properly recognize the self-signature.

Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
---
M src/kudu/integration-tests/registration-test.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/security/CMakeLists.txt
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/openssl_util.h
D src/kudu/security/server_cert_manager.cc
D src/kudu/security/server_cert_manager.h
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_context.h
M src/kudu/security/tls_handshake-test.cc
M src/kudu/server/server_base.cc
M src/kudu/server/server_base.h
M src/kudu/tserver/heartbeater.cc
22 files changed, 627 insertions(+), 372 deletions(-)

    git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/55/5955/4
--
To view, visit http://gerrit.cloudera.org:8080/5955
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie785cc80d1cd8275defa3987f8e2a3bbcae02622
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>