Sailesh Mukil has posted comments on this change.

Change subject: KUDU-1965: Allow user provided TLS certificates to work with KRPC
......................................................................
Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/6555/3/src/kudu/rpc/server_negotiation.cc
File src/kudu/rpc/server_negotiation.cc:

Line 629:   if (!cert.is_user_provided()) {
> I guess it depends how we configure the handshake from the server side. Cur
Ah, I see. Thanks for pointing that out; I wasn't aware of that. I was working on making the messenger options configurable: https://gerrit.cloudera.org/#/c/6520/

But I can see how this patch, the patch above and doing hostname verification are all related. It looks like the hostname verification in TlsHandshake can be enabled, as a first step, when host-based PKI certs are provided. Enabling it for IPKI certs seems like a larger project based on the description in KUDU-1886.

I tried out both IPKI and host-based PKI certs after uncommenting the hostname verification and, sure enough, it worked for host-based PKI and failed for IPKI, as expected.

Line 629:   if (!cert.is_user_provided()) {
> In that case, I guess we'd need to extend the 'authenticated_user_' part to
I'm not very familiar with that part of the code, but I assume you're talking about using one of these SetAuthenticatedBy*() methods?
https://github.com/apache/kudu/blob/master/src/kudu/rpc/remote_user.h#L68

Is a shortname required even for the internal servers to talk to each other? I'm guessing yes, since we would only want the "kudu" (or "impala") users from a remote internal server to be able to talk to another internal node. In which case, do we need to do both AuthenticateBySasl() and AuthenticateByCertificate() for host-based PKI?
--
To view, visit http://gerrit.cloudera.org:8080/6555
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ica6e2bacb378553723467f0dc54a166885db1e4d
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-HasComments: Yes
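As an added illustration of what the hostname verification discussed in the comment above actually checks, and why it passes for a host-based PKI cert but fails for an IPKI cert: the following is example code written for this thread, not code from the change or from Kudu's TlsHandshake. The two certificate dictionaries are constructed for the demo (shaped like Python's `ssl.SSLSocket.getpeercert()` output); the hostnames are made up, and the assumption that an IPKI-style cert carries its identity as a service user in the subject with no DNS subjectAltName is made for the demo, not a statement about Kudu's IPKI format.

```python
"""Hostname verification applied to the two certificate kinds discussed in the
review: a host-based PKI certificate, whose subjectAltName carries the server's
DNS name, and an IPKI-style certificate, whose identity is a service principal
rather than a hostname.

Added illustration for this thread, not Kudu's TlsHandshake code.  The
certificate dictionaries are constructed and mimic the shape of Python's
ssl.SSLSocket.getpeercert(); their contents are assumptions for the demo.
"""

import ipaddress


class HostnameMismatch(Exception):
    """Raised when no subjectAltName entry of the peer certificate matches."""


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry against a hostname (RFC 6125 style).

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    accepted only as the entire leftmost label of a name with at least three
    labels, and it never spans a dot, so '*.example.com' matches
    'kudu-master.example.com' but not 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> None:
    """Check that `cert` identifies `hostname`; raise HostnameMismatch if not.

    Only subjectAltName is consulted.  The subject's commonName is ignored on
    purpose, as modern verifiers do, which is why a certificate whose only
    identity is a user or service name in the CN (the IPKI-style sample below)
    cannot pass hostname verification no matter which host presents it.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # Connecting by IP literal: only an iPAddress SAN entry may match.
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return
    elif any(_dns_pattern_matches(p, hostname) for p in dns_names):
        return

    raise HostnameMismatch(
        f"hostname {hostname!r} does not match SAN entries {list(san)!r}"
    )


def hostname_verification_passes(cert: dict, hostname: str) -> bool:
    """Boolean wrapper so callers can inspect the outcome without exceptions."""
    try:
        verify_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


# Constructed sample (names made up): a host-based PKI certificate issued to one
# tablet server, with a wildcard entry as a second SAN.
HOST_PKI_CERT = {
    "subject": ((("commonName", "kudu-tserver-1.example.com"),),),
    "subjectAltName": (
        ("DNS", "kudu-tserver-1.example.com"),
        ("DNS", "*.example.com"),
    ),
}

# Constructed sample: an IPKI-style certificate.  The identity is the service
# user in the subject and there is no DNS SAN (an assumption for this demo,
# not a statement about Kudu's IPKI format).
IPKI_CERT = {
    "subject": ((("commonName", "kudu"),),),
    "subjectAltName": (),
}


if __name__ == "__main__":
    for label, cert in (("host-based PKI", HOST_PKI_CERT), ("IPKI", IPKI_CERT)):
        ok = hostname_verification_passes(cert, "kudu-tserver-1.example.com")
        print(f"{label}: hostname verification {'passed' if ok else 'FAILED'}")
```

The point the demo makes is that hostname verification binds the certificate to the peer's network name, while an IPKI-style certificate binds it to a user identity; the two checks answer different questions, which is why the IPKI case needs the separate AuthenticateBy*() handling the comment asks about rather than a hostname check.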