Dan Burkert has posted comments on this change.

Change subject: [security] fixed shortened TSK validity interval
......................................................................

Patch Set 1:

(2 comments)

Do we have a (slow) test case that goes through a full cycle of keys after issuing a token, and makes sure it can't be verified? I think that would have caught this issue.

http://gerrit.cloudera.org:8080/#/c/6536/1/src/kudu/security/token_signer.h
File src/kudu/security/token_signer.h:

Line 143: // Day 1 2 3 4 5 6 7
It may be possible to reuse the diagram above by explaining that the TSK validity must be as long as the 'inactivity interval', which I think makes intuitive sense.

Line 193: // key_validity = key_rotation + authn_token_validity.
Does this need to be updated as well?

--
To view, visit http://gerrit.cloudera.org:8080/6536

Gerrit-MessageType: comment
Gerrit-Change-Id: I84f9789276c4b48a3ba5274393fe30c8bf3ea85d
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-HasComments: Yes
