Todd Lipcon has posted comments on this change.

Change subject: KUDU-1965: Allow user provided TLS certificates to work with KRPC
......................................................................


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6555/3/src/kudu/rpc/server_negotiation.cc
File src/kudu/rpc/server_negotiation.cc:

Line 629:   if (!cert.is_user_provided()) {
> Ideally Kudu could support either IPKI certs or external certs in the same 
In that case, I guess we'd need to extend the 'authenticated_user_' part to 
include the type of cert?

What shortname (unix user equivalent) would we assign to a host cert?

Also we should be a little bit careful here, because IIRC the way Impala works 
today is that it is using GSSAPI SASL plus certs, but the authentication info 
is coming from GSSAPI. With KRPC, if we have certs on both sides, we'll try to 
use the cert for authentication, and not SASL. This is "good" but could end up 
with a wider set of authenticatable users than intended.

Essentially we don't want to silently switch authentication mechanisms on users.


-- 
To view, visit http://gerrit.cloudera.org:8080/6555
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ica6e2bacb378553723467f0dc54a166885db1e4d
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-HasComments: Yes
