Hello Marton Greber, Zoltan Chovan, Alexey Serbin, Kudu Jenkins, Abhishek Chennaka,
I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/20050 to look at the new patch set (#2).

Change subject: KUDU-3448 Add support for encrypting existing keys
......................................................................

KUDU-3448 Add support for encrypting existing keys

On an existing cluster before KUDU-3448, the IPKI and TSK private keys were stored in clear text. With KUDU-3448, it is now possible to encrypt these keys, but without this commit, it's not possible to use this feature in an existing cluster.

This commit introduces a fallback when trying to decrypt the stored private keys, so that if that fails, it tries to read it without decrypting it. If it succeeds in reading the IPKI private key, it encrypts it using the password, and rewrites it in the sys-catalog table. It does no such thing with the TSK, as they will be rolled out soon anyway, but it encrypts the new keys, so it's still not possible to go back from encrypted TSKs after a new key has been generated.

This commit doesn't make it possible to rotate the IPKI key.

A test verifying the cert authority can't be rewritten in the sys-catalog table has been deleted, as the cert authority can be rewritten now.

Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
---
M src/kudu/master/catalog_manager.cc
M src/kudu/master/sys_catalog-test.cc
M src/kudu/master/sys_catalog.cc
M src/kudu/security/token_signing_key.cc
4 files changed, 50 insertions(+), 22 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/50/20050/2
--
To view, visit http://gerrit.cloudera.org:8080/20050
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ide6ec4fb86325897f2b011aee9643d276044279d
Gerrit-Change-Number: 20050
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <abu...@apache.org>
Gerrit-Reviewer: Abhishek Chennaka <achenn...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <ale...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <greber...@gmail.com>
Gerrit-Reviewer: Zoltan Chovan <zcho...@cloudera.com>