You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Todd Lipcon (Code Review)" <ge...@cloudera.org> on 2017/03/10 00:34:01 UTC
[kudu-CR] Update security-related TODOs
Hello Dan Burkert, Alexey Serbin,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/6337
to review the following change.
Change subject: Update security-related TODOs
......................................................................
Update security-related TODOs
heartbeater.cc:
We decided not to implement rotation of the IPKI CA cert. This removes a
TODO referring to this unimplemented feature.
master.proto:
Remove a TODO about whether the client should specify whether it wants
a certificate and CA info. No compelling reason to do this that we've
seen so far.
token_verifier.cc:
Removed a TODO about triggering an out-of-band heartbeat to fetch a
new TSK if a client provides an unknown one. Given that we don't start
using new TSKs until a long time period has elapsed, it seems unlikely
that an expedited heartbeat would increase our chances of fetching it
beyond the normal heartbeats that we're always running.
token_verifier.h:
Removed a TODO about expiring old token keys from the storage. Given
each key is only a few hundred bytes, and we rotate once a day, it
doesn't seem like a real concern for current use cases.
token_signer.h:
Remove a TODO about attempting to enforce the constraint of rotation
intevals and validity interals. Given the way that the user-facing
configuration ended up, it doesn't seem to be a real concern anymore.
For all other cases of TODO(ipki) or TODO(security), filed JIRAs and
changed the TODO to point to the JIRA.
Change-Id: Ibcbef1c1ec75a1e78e6bc892880f6e986508e8f1
---
M src/kudu/integration-tests/delete_table-test.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_handshake.cc
M src/kudu/security/token_signer.h
M src/kudu/security/token_verifier.cc
M src/kudu/security/token_verifier.h
M src/kudu/tserver/heartbeater.cc
M src/kudu/tserver/scanners.cc
15 files changed, 26 insertions(+), 37 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/37/6337/1
--
To view, visit http://gerrit.cloudera.org:8080/6337
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibcbef1c1ec75a1e78e6bc892880f6e986508e8f1
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
[kudu-CR] Update security-related TODOs
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has submitted this change and it was merged.
Change subject: Update security-related TODOs
......................................................................
Update security-related TODOs
heartbeater.cc:
We decided not to implement rotation of the IPKI CA cert. This removes a
TODO referring to this unimplemented feature.
master.proto:
Remove a TODO about whether the client should specify whether it wants
a certificate and CA info. No compelling reason to do this that we've
seen so far.
token_verifier.cc:
Removed a TODO about triggering an out-of-band heartbeat to fetch a
new TSK if a client provides an unknown one. Given that we don't start
using new TSKs until a long time period has elapsed, it seems unlikely
that an expedited heartbeat would increase our chances of fetching it
beyond the normal heartbeats that we're always running.
token_verifier.h:
Removed a TODO about expiring old token keys from the storage. Given
each key is only a few hundred bytes, and we rotate once a day, it
doesn't seem like a real concern for current use cases.
token_signer.h:
Remove a TODO about attempting to enforce the constraint of rotation
intevals and validity interals. Given the way that the user-facing
configuration ended up, it doesn't seem to be a real concern anymore.
For all other cases of TODO(ipki) or TODO(security), filed JIRAs and
changed the TODO to point to the JIRA.
Change-Id: Ibcbef1c1ec75a1e78e6bc892880f6e986508e8f1
Reviewed-on: http://gerrit.cloudera.org:8080/6337
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <da...@apache.org>
---
M src/kudu/integration-tests/delete_table-test.cc
M src/kudu/master/catalog_manager.cc
M src/kudu/master/master.proto
M src/kudu/master/master_service.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/messenger.cc
M src/kudu/rpc/messenger.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/security/tls_context.cc
M src/kudu/security/tls_handshake.cc
M src/kudu/security/token_signer.h
M src/kudu/security/token_verifier.cc
M src/kudu/security/token_verifier.h
M src/kudu/tserver/heartbeater.cc
M src/kudu/tserver/scanners.cc
15 files changed, 26 insertions(+), 37 deletions(-)
Approvals:
Dan Burkert: Looks good to me, approved
Kudu Jenkins: Verified
--
To view, visit http://gerrit.cloudera.org:8080/6337
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ibcbef1c1ec75a1e78e6bc892880f6e986508e8f1
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
[kudu-CR] Update security-related TODOs
Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change.
Change subject: Update security-related TODOs
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/6337
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: Ibcbef1c1ec75a1e78e6bc892880f6e986508e8f1
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-HasComments: No