Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2017/03/01 02:08:17 UTC

[kudu-CR] [security] use 512 bit RSA keys for TSK in tests

Alexey Serbin has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/6194

Change subject: [security] use 512 bit RSA keys for TSK in tests
......................................................................

[security] use 512 bit RSA keys for TSK in tests

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
6 files changed, 14 insertions(+), 14 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/1
-- 
To view, visit http://gerrit.cloudera.org:8080/6194
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has submitted this change and it was merged.

Change subject: [security] use shorter RSA keys in tests
......................................................................


[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 1024 bit
  * server: 1024 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).  However,
Java default security policies require at least 1024-bit RSA keys for
certificates used in validation chains, so using that for the external
mini-cluster.  For uniformity, minimum 1024 bit keys are used for
RSA keys throughout C++-only tests.

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Reviewed-on: http://gerrit.cloudera.org:8080/6194
Reviewed-by: Dan Burkert <da...@apache.org>
Tested-by: Kudu Jenkins
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
8 files changed, 49 insertions(+), 32 deletions(-)

Approvals:
  Dan Burkert: Looks good to me, approved
  Kudu Jenkins: Verified



-- 

Gerrit-MessageType: merged
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 9
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
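
Added example (not part of the original thread and not Kudu code): the commit message above ties the 512-bit TSK floor to SHA256 signing. Assuming PKCS#1 v1.5 signature padding, which the thread does not state, the RFC 8017 encoding below shows where such a floor comes from and exercises it with throwaway keys generated at run time; all function names are hypothetical.

```python
"""EMSA-PKCS1-v1_5 (RFC 8017, section 9.2) and the RSA size floor per hash.

Added illustration, not Kudu code. Assumes PKCS#1 v1.5 signature padding.
Keys are throwaway values generated at run time; all names are hypothetical.
"""
import hashlib
import secrets

# DER DigestInfo prefixes from RFC 8017, section 9.2 (19 bytes for SHA-2).
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
MIN_PADDING = 11  # 0x00 0x01, at least eight 0xff bytes, 0x00


def min_modulus_bits(hash_name):
    """Smallest modulus size that can hold DigestInfo plus mandatory padding."""
    digest_len = hashlib.new(hash_name).digest_size
    return 8 * (len(DIGEST_INFO_PREFIX[hash_name]) + digest_len + MIN_PADDING)


def emsa_pkcs1_v15_encode(message, hash_name, modulus_bits):
    """Build EM = 00 01 FF..FF 00 DigestInfo, or fail if the key is too short."""
    em_len = (modulus_bits + 7) // 8
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + MIN_PADDING:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, e):
    while True:
        # Top two bits set so that p * q has exactly 2 * bits bits.
        candidate = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if (candidate - 1) % e and _is_probable_prime(candidate):
            return candidate


def generate_test_key(modulus_bits, e=65537):
    """Return (n, e, d) for a throwaway test key of exactly modulus_bits bits."""
    while True:
        p = _random_prime(modulus_bits // 2, e)
        q = _random_prime(modulus_bits // 2, e)
        if p != q:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def sign(message, hash_name, key):
    n, _, d = key
    em = emsa_pkcs1_v15_encode(message, hash_name, n.bit_length())
    return pow(int.from_bytes(em, "big"), d, n)


def verify(message, signature, hash_name, key):
    # Re-encode and compare whole blocks instead of parsing the padding.
    n, e, _ = key
    expected = emsa_pkcs1_v15_encode(message, hash_name, n.bit_length())
    return pow(signature, e, n).to_bytes(len(expected), "big") == expected


if __name__ == "__main__":
    for bits in (512, 768):
        key = generate_test_key(bits)
        for name in DIGEST_INFO_PREFIX:
            try:
                ok = verify(b"token", sign(b"token", name, key), name, key)
                print(bits, name, "signed, verified:", ok)
            except ValueError as err:
                print(bits, name, "rejected:", err)
```

Under this padding SHA-256 needs a 496-bit modulus, so 512 is the smallest conventional size that fits; SHA-384 and SHA-512 need 624 and 752 bits, which a 512-bit key cannot carry and a 768-bit key can.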

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/integration-tests/external_mini_cluster.cc
File src/kudu/integration-tests/external_mini_cluster.cc:

Line 1021:   // Generate smaller RSA keys for tests. We are using strong/high TLS v1.2
> oh, duh... sorry
np, I actually found it's not possible to add it for tablet servers since they don't know about that flag.

It seems the way we start/restart daemons for external mini-cluster needs some minor refactoring -- I'll do that as well as a part of this commit.


Line 1026:   flags.push_back("--tsk_num_rsa_bits=512");
> Also need to add an equivalent in the Java ExternalMiniCluster
Done


http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/security/token_signer.cc
File src/kudu/security/token_signer.cc:

Line 39: DEFINE_int32(tsk_num_rsa_bits, 2048,
> Could you also mark this flag experimental while you are here?
Done


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] [security] use 512 bit RSA keys for TSK in tests

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: [security] use 512 bit RSA keys for TSK in tests
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/integration-tests/external_mini_cluster.cc
File src/kudu/integration-tests/external_mini_cluster.cc:

Line 1021:   // Generate smaller RSA keys for tests. We are using strong/high TLS v1.2
what about the external tablet server? this is just the master


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] [security] use 512 bit RSA keys for TSK in tests

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: [security] use 512 bit RSA keys for TSK in tests
......................................................................


Patch Set 1:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/integration-tests/external_mini_cluster.cc
File src/kudu/integration-tests/external_mini_cluster.cc:

Line 1021:   // Generate smaller RSA keys for tests. We are using strong/high TLS v1.2
> what about the external tablet server? this is just the master
It should only be necessary on the master.


Line 1026:   flags.push_back("--tsk_num_rsa_bits=512");
Also need to add an equivalent in the Java ExternalMiniCluster


http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/security/token_signer.cc
File src/kudu/security/token_signer.cc:

Line 39: DEFINE_int32(tsk_num_rsa_bits, 2048,
Could you also mark this flag experimental while you are here?


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 7:

> Yah I think it's probably simpler to just go back to 1024 on the
 > JVM.  I didn't foresee this complication when I suggested changing
 > the java version.  I couldn't find any page that listed the default
 > key size, much less the default key size for JDK 9.  If it _is_
 > being bumped for JDK 9 that's a good argument to keep it.

OK, this sounds reasonable.  I'll remove that and return back to 1024 bits.  We can put those property files back, if necessary.  I agree it's better to keep the project repo cleaner.  Sorry for wasting time on this.

I will update this patch shortly.

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 7:

Would like to see Dan's opinion. Just thinking any case we can avoid complexity in our build/test stuff, we should probably try to do so. (eg who knows if various IDEs will pick up the new flags in the right way, etc)

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#2).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
8 files changed, 46 insertions(+), 35 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/2
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use 512 bit RSA keys for TSK in tests

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: [security] use 512 bit RSA keys for TSK in tests
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6194/1/src/kudu/integration-tests/external_mini_cluster.cc
File src/kudu/integration-tests/external_mini_cluster.cc:

Line 1021:   // Generate smaller RSA keys for tests. We are using strong/high TLS v1.2
> It should only be necessary on the master.
oh, duh... sorry


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: Yes

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#3).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
8 files changed, 47 insertions(+), 35 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/3
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#8).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 1024 bit
  * server: 1024 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).  However,
Java default security policies require at least 1024-bit RSA keys for
certificates used in validation chains, so using that for the external
mini-cluster.  For uniformity, minimum 1024 bit keys are used for
RSA keys throughout C++-only tests.

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
8 files changed, 49 insertions(+), 32 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/8
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 8
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 7:

Yah I think it's probably simpler to just go back to 1024 on the JVM.  I didn't foresee this complication when I suggested changing the java version.  I couldn't find any page that listed the default key size, much less the default key size for JDK 9.  If it _is_ being bumped for JDK 9 that's a good argument to keep it.

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#7).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
A java/kudu-client-tools/src/test/resources/security.properties
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
A java/kudu-client/src/test/resources/security.properties
A java/kudu-flume-sink/src/test/resources/security.properties
A java/kudu-mapreduce/src/test/resources/security.properties
A java/kudu-spark/src/test/resources/security.properties
M java/pom.xml
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
14 files changed, 226 insertions(+), 37 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/7
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 7:

is all of this extra security properties stuff "worth it" to go from 1024-bit to 768-bit?

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#4).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
A java/kudu-client/src/test/resources/security.properties
M java/pom.xml
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
10 files changed, 86 insertions(+), 37 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/4
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 4
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 8: Code-Review+2

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 8
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change.

Change subject: [security] use shorter RSA keys in tests
......................................................................


Patch Set 7:

> is all of this extra security properties stuff "worth it" to go
 > from 1024-bit to 768-bit?

Well, that's a good question.  But consider this: next time they release an update to JDK and deprecate even 1024 bit keys.  Sure, we can defer this up to that time (which might be never).

So, what's your resolution then?  Get back to 1024 bits and remove Java property files?

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 7
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#5).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
A java/kudu-client/src/test/resources/security.properties
A java/kudu-mapreduce/src/test/resources/security.properties
A java/kudu-spark/src/test/resources/security.properties
M java/pom.xml
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
12 files changed, 156 insertions(+), 37 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/5
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 5
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>

[kudu-CR] [security] use shorter RSA keys in tests

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/6194

to look at the new patch set (#6).

Change subject: [security] use shorter RSA keys in tests
......................................................................

[security] use shorter RSA keys in tests

When running tests, use the following RSA private keys:
  * TSK: 512 bit
  * certificate authority: 768 bit
  * server: 768 bit

The 512 bit length is the minimum for TSK keys since we use SHA256
for signing/verification of tokens.  The 768 bit length is the minimum
for TLS-related keys since we use stronger cipher suites from TLS v1.2
(one of the suites in use is ECDHE-RSA-AES256-GCM-SHA384).

Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
---
A java/kudu-client-tools/src/test/resources/security.properties
M java/kudu-client/src/test/java/org/apache/kudu/client/MiniKuduCluster.java
A java/kudu-client/src/test/resources/security.properties
A java/kudu-mapreduce/src/test/resources/security.properties
A java/kudu-spark/src/test/resources/security.properties
M java/pom.xml
M src/kudu/integration-tests/external_mini_cluster.cc
M src/kudu/integration-tests/external_mini_cluster.h
M src/kudu/master/master-test.cc
M src/kudu/rpc/negotiation-test.cc
M src/kudu/security/token-test.cc
M src/kudu/security/token_signer.cc
M src/kudu/util/test_util.cc
13 files changed, 191 insertions(+), 37 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/94/6194/6
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I180908763a1c520d8a6d8bbaaf981add9396db99
Gerrit-PatchSet: 6
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: David Ribeiro Alves <dr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>