Dan Burkert has posted comments on this change.

Change subject: KUDU-1955 refuse to use world-readable keytabs
......................................................................

Patch Set 2:

(7 comments)

http://gerrit.cloudera.org:8080/#/c/7249/2/src/kudu/integration-tests/security-itest.cc
File src/kudu/integration-tests/security-itest.cc:

Line 232: TEST_F(SecurityITest, TestWorldReadableKeytab) {
Can you add a test for the cert case as well?

http://gerrit.cloudera.org:8080/#/c/7249/2/src/kudu/rpc/messenger.cc
File src/kudu/rpc/messenger.cc:

Line 273: RETURN_NOT_OK(Env::Default()->FileIsWorldReadable(FLAGS_rpc_private_key_file,
Did you try adding this check to the ValidateExternalPkiFlags method? I think it would be better there if possible.

Line 274: &world_readable_private_key));
alignment

Line 276: return Status::InvalidArgument(Substitute(
Same comment about InvalidArgument as in the other check.

http://gerrit.cloudera.org:8080/#/c/7249/2/src/kudu/security/init.cc
File src/kudu/security/init.cc:

Line 455: return Status::InvalidArgument(Substitute(
Status::InvalidArgument can take an optional second string parameter which is equivalent to joining with ': ', so you can drop the Substitute call and just pass the string and flag:

    return Status::InvalidArgument(
        "cannot use keytab file with world-readable permissions: $0",
        FLAGS_keytab_file);

http://gerrit.cloudera.org:8080/#/c/7249/2/src/kudu/util/env.h
File src/kudu/util/env.h:

PS2, Line 333: O
capitalization

http://gerrit.cloudera.org:8080/#/c/7249/2/src/kudu/util/env_posix.cc
File src/kudu/util/env_posix.cc:

PS2, Line 1564: OVERRIDE
use lowercase 'override'

--
To view, visit http://gerrit.cloudera.org:8080/7249

Gerrit-MessageType: comment
Gerrit-Change-Id: Ic2ee84e71023304f0743ba0ad37ebb1eef24abc6
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sam Okrent <samuel.okr...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Tidy Bot
Gerrit-HasComments: Yes
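
The kind of check this change is about (refusing a keytab or private key file that is world-readable), as an added stand-alone POSIX example; it is not part of the review and not Kudu's `Env` code. The helper names `CheckSecretFilePerms` and `MakeTempFileWithMode` and the temp-file paths are assumptions made for the illustration.

```cpp
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical helper: returns an empty string if `path` is acceptable as a
// secret file, otherwise the reason for refusing it.
std::string CheckSecretFilePerms(const std::string& path) {
  struct stat st;
  // stat() follows symlinks, so the mode inspected belongs to the file that
  // would actually be read, not to a link pointing at it.
  if (stat(path.c_str(), &st) != 0) {
    return "cannot stat " + path + ": " + std::strerror(errno);
  }
  if (!S_ISREG(st.st_mode)) {
    return "not a regular file: " + path;
  }
  // S_IROTH is the "other" read bit: any local user can read the secret.
  if (st.st_mode & S_IROTH) {
    return "cannot use file with world-readable permissions: " + path;
  }
  return "";
}

// Creates a constructed sample file with the given mode; returns its path,
// or an empty string on failure.
std::string MakeTempFileWithMode(mode_t mode) {
  char tmpl[] = "/tmp/keytab-perm-XXXXXX";
  int fd = mkstemp(tmpl);
  if (fd < 0) return "";
  int rc = fchmod(fd, mode);  // fchmod is not affected by the umask
  close(fd);
  return rc == 0 ? std::string(tmpl) : std::string();
}

int main() {
  std::string loose = MakeTempFileWithMode(0644);
  std::string tight = MakeTempFileWithMode(0600);
  std::cout << "0644: " << CheckSecretFilePerms(loose) << "\n";
  std::cout << "0600: "
            << (CheckSecretFilePerms(tight).empty() ? "accepted" : "refused")
            << "\n";
  unlink(loose.c_str());
  unlink(tight.c_str());
  return 0;
}
```

The check covers only the file's own mode bits; directory permissions and ACLs on the path are outside what it inspects.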