[kudu-CR] KUDU-3448 Add support for encrypting TSKs

Thu, 11 May 2023 10:03:17 -0700 

Hello Mahesh Reddy, Marton Greber, Zoltan Chovan, Alexey Serbin, Ashwani Raina, 
Kudu Jenkins, Abhishek Chennaka, Ádám Bakai,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19617

to look at the new patch set (#8).

Change subject: KUDU-3448 Add support for encrypting TSKs
......................................................................

KUDU-3448 Add support for encrypting TSKs

In a previous patch, support for encrypting IPKI root CA private keys
has been added. This is a follow up patch, to add encryption support for
token signing keys as well. It is controlled by a new flag:
--tsk_private_key_password_cmd.

If this flag is set, the token signing keys will be stored in the
syscatalog table in encrypted form (AES-256-CBC with PKCS#8 encoding).

Token signing keys rotate automatically in Kudu, but for now, at least,
encryption of TSKs can't be turned on or off on an existing master, so
if this flag is set on the first startup of a master, it must be set to
a command that outputs the same password as on initialization, and vice
versa, it must not be provided on later master startups if it wasn't
provided on initialization.

Change-Id: Id8d770de7ed824cfc725003bbe77f1e42629029b
---
M src/kudu/integration-tests/catalog_manager_tsk-itest.cc
M src/kudu/master/master-test.cc
M src/kudu/security/token_signing_key.cc
3 files changed, 36 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/17/19617/8
--
To view, visit http://gerrit.cloudera.org:8080/19617
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id8d770de7ed824cfc725003bbe77f1e42629029b
Gerrit-Change-Number: 19617
Gerrit-PatchSet: 8
Gerrit-Owner: Attila Bukor <abu...@apache.org>
Gerrit-Reviewer: Abhishek Chennaka <achenn...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <ale...@apache.org>
Gerrit-Reviewer: Ashwani Raina <ara...@cloudera.com>
Gerrit-Reviewer: Attila Bukor <abu...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Mahesh Reddy <mre...@cloudera.com>
Gerrit-Reviewer: Marton Greber <greber...@gmail.com>
Gerrit-Reviewer: Zoltan Chovan <zcho...@cloudera.com>
Gerrit-Reviewer: Ádám Bakai <aba...@cloudera.com>

Reply via email to