[1/2] kudu git commit: rpc: move UserCredentials to separate .h/cc file

[to...@apache.org]

Repository: kudu
Updated Branches:
  refs/heads/master a09450465 -> a29871f30


rpc: move UserCredentials to separate .h/cc file

Change-Id: I679d248e83da0aeed47957d958b0152ca4bac6cd
Reviewed-on: http://gerrit.cloudera.org:8080/5997
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <as...@cloudera.com>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/c4b44dc1
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/c4b44dc1
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/c4b44dc1

Branch: refs/heads/master
Commit: c4b44dc141dbd03bf332e86db9a7ea73197679dd
Parents: a094504
Author: Todd Lipcon <to...@apache.org>
Authored: Tue Feb 14 00:00:33 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Tue Feb 14 17:20:22 2017 +0000

----------------------------------------------------------------------
 src/kudu/master/master_service.cc |  2 +-
 src/kudu/rpc/CMakeLists.txt       |  1 +
 src/kudu/rpc/outbound_call.cc     | 35 -------------------
 src/kudu/rpc/outbound_call.h      | 31 +----------------
 src/kudu/rpc/user_credentials.cc  | 63 ++++++++++++++++++++++++++++++++++
 src/kudu/rpc/user_credentials.h   | 57 ++++++++++++++++++++++++++++++
 6 files changed, 123 insertions(+), 66 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/master/master_service.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master_service.cc b/src/kudu/master/master_service.cc
index 2ea29db..53b2503 100644
--- a/src/kudu/master/master_service.cc
+++ b/src/kudu/master/master_service.cc
@@ -30,7 +30,7 @@
 #include "kudu/master/ts_descriptor.h"
 #include "kudu/master/ts_manager.h"
 #include "kudu/rpc/rpc_context.h"
-#include "kudu/rpc/outbound_call.h" // for UserCredentials
+#include "kudu/rpc/user_credentials.h"
 #include "kudu/server/webserver.h"
 #include "kudu/util/flag_tags.h"
 #include "kudu/util/pb_util.h"

http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/rpc/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/CMakeLists.txt b/src/kudu/rpc/CMakeLists.txt
index fa21551..95b4268 100644
--- a/src/kudu/rpc/CMakeLists.txt
+++ b/src/kudu/rpc/CMakeLists.txt
@@ -66,6 +66,7 @@ set(KRPC_SRCS
     service_if.cc
     service_pool.cc
     service_queue.cc
+    user_credentials.cc
     transfer.cc
 )
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/rpc/outbound_call.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/outbound_call.cc b/src/kudu/rpc/outbound_call.cc
index 6952cc3..dafcf2f 100644
--- a/src/kudu/rpc/outbound_call.cc
+++ b/src/kudu/rpc/outbound_call.cc
@@ -354,41 +354,6 @@ void OutboundCall::DumpPB(const DumpRunningRpcsRequestPB& req,
 }
 
 ///
-/// UserCredentials
-///
-
-UserCredentials::UserCredentials() {}
-
-bool UserCredentials::has_real_user() const {
-  return !real_user_.empty();
-}
-
-void UserCredentials::set_real_user(const string& real_user) {
-  real_user_ = real_user;
-}
-
-void UserCredentials::CopyFrom(const UserCredentials& other) {
-  real_user_ = other.real_user_;
-}
-
-string UserCredentials::ToString() const {
-  // Does not print the password.
-  return StringPrintf("{real_user=%s}", real_user_.c_str());
-}
-
-size_t UserCredentials::HashCode() const {
-  size_t seed = 0;
-  if (has_real_user()) {
-    boost::hash_combine(seed, real_user());
-  }
-  return seed;
-}
-
-bool UserCredentials::Equals(const UserCredentials& other) const {
-  return real_user() == other.real_user();
-}
-
-///
 /// ConnectionId
 ///
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/rpc/outbound_call.h
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/outbound_call.h b/src/kudu/rpc/outbound_call.h
index 7df4a31..fbaaa31 100644
--- a/src/kudu/rpc/outbound_call.h
+++ b/src/kudu/rpc/outbound_call.h
@@ -30,6 +30,7 @@
 #include "kudu/rpc/remote_method.h"
 #include "kudu/rpc/response_callback.h"
 #include "kudu/rpc/transfer.h"
+#include "kudu/rpc/user_credentials.h"
 #include "kudu/util/locks.h"
 #include "kudu/util/monotime.h"
 #include "kudu/util/net/sockaddr.h"
@@ -52,36 +53,6 @@ class InboundTransfer;
 class RpcCallInProgressPB;
 class RpcController;
 
-// Client-side user credentials, such as a user's username & password.
-// In the future, we will add Kerberos credentials.
-//
-// TODO(mpercy): this is actually used server side too -- should
-// we instead introduce a RemoteUser class or something?
-// TODO(todd): this should move into a standalone header.
-class UserCredentials {
- public:
-   UserCredentials();
-
-  // Real user.
-  bool has_real_user() const;
-  void set_real_user(const std::string& real_user);
-  const std::string& real_user() const { return real_user_; }
-
-  // Copy state from another object to this one.
-  void CopyFrom(const UserCredentials& other);
-
-  // Returns a string representation of the object, not including the password field.
-  std::string ToString() const;
-
-  std::size_t HashCode() const;
-  bool Equals(const UserCredentials& other) const;
-
- private:
-  // Remember to update HashCode() and Equals() when new fields are added.
-  std::string real_user_;
-
-  DISALLOW_COPY_AND_ASSIGN(UserCredentials);
-};
 
 // Used to key on Connection information.
 // For use as a key in an unordered STL collection, use ConnectionIdHash and ConnectionIdEqual.

http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/rpc/user_credentials.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/user_credentials.cc b/src/kudu/rpc/user_credentials.cc
new file mode 100644
index 0000000..5065271
--- /dev/null
+++ b/src/kudu/rpc/user_credentials.cc
@@ -0,0 +1,63 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/rpc/user_credentials.h"
+
+#include <string>
+
+#include <boost/functional/hash.hpp>
+
+#include "kudu/gutil/strings/substitute.h"
+
+using std::string;
+
+namespace kudu {
+namespace rpc {
+
+UserCredentials::UserCredentials() {}
+
+bool UserCredentials::has_real_user() const {
+  return !real_user_.empty();
+}
+
+void UserCredentials::set_real_user(const string& real_user) {
+  real_user_ = real_user;
+}
+
+void UserCredentials::CopyFrom(const UserCredentials& other) {
+  real_user_ = other.real_user_;
+}
+
+string UserCredentials::ToString() const {
+  // Does not print the password.
+  return strings::Substitute("{real_user=$0}", real_user_);
+}
+
+size_t UserCredentials::HashCode() const {
+  size_t seed = 0;
+  if (has_real_user()) {
+    boost::hash_combine(seed, real_user());
+  }
+  return seed;
+}
+
+bool UserCredentials::Equals(const UserCredentials& other) const {
+  return real_user() == other.real_user();
+}
+
+} // namespace rpc
+} // namespace kudu

http://git-wip-us.apache.org/repos/asf/kudu/blob/c4b44dc1/src/kudu/rpc/user_credentials.h
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/user_credentials.h b/src/kudu/rpc/user_credentials.h
new file mode 100644
index 0000000..ebeccb2
--- /dev/null
+++ b/src/kudu/rpc/user_credentials.h
@@ -0,0 +1,57 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+#pragma once
+
+#include <string>
+
+#include "kudu/gutil/macros.h"
+
+namespace kudu {
+namespace rpc {
+
+// Client-side user credentials, such as a user's username & password.
+// In the future, we will add Kerberos credentials.
+//
+// TODO(mpercy): this is actually used server side too -- should
+// we instead introduce a RemoteUser class or something?
+class UserCredentials {
+ public:
+   UserCredentials();
+
+  // Real user.
+  bool has_real_user() const;
+  void set_real_user(const std::string& real_user);
+  const std::string& real_user() const { return real_user_; }
+
+  // Copy state from another object to this one.
+  void CopyFrom(const UserCredentials& other);
+
+  // Returns a string representation of the object, not including the password field.
+  std::string ToString() const;
+
+  std::size_t HashCode() const;
+  bool Equals(const UserCredentials& other) const;
+
+ private:
+  // Remember to update HashCode() and Equals() when new fields are added.
+  std::string real_user_;
+
+  DISALLOW_COPY_AND_ASSIGN(UserCredentials);
+};
+
+} // namespace rpc
+} // namespace kudu

[2/2] kudu git commit: Fix TLS_AUTHENTICATION_ONLY detection

[to...@apache.org]

Fix TLS_AUTHENTICATION_ONLY detection

The patch which added support for TLS_AUTHENTICATION_ONLY had a serious bug: it
always got enabled due to a typo in Socket::IsLoopbackConnection. This fixes the
typo and also adds some trace messages in negotiation when TLS-only auth
is negotiated.

I manually verified on an Impala cluster that tshark showed encrypted traffic
between nodes and plaintext on the loopback interface after fixing this issue
(previously I saw plaintext everywhere!)

Change-Id: I76fd3bb7c64c6b831f406912852b064f9fec3d00
Reviewed-on: http://gerrit.cloudera.org:8080/5996
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <da...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/a29871f3
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/a29871f3
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/a29871f3

Branch: refs/heads/master
Commit: a29871f306464c5ef5f586431ac6f4f1bed026ae
Parents: c4b44dc
Author: Todd Lipcon <to...@apache.org>
Authored: Mon Feb 13 23:21:11 2017 -0800
Committer: Todd Lipcon <to...@apache.org>
Committed: Tue Feb 14 18:41:38 2017 +0000

----------------------------------------------------------------------
 src/kudu/rpc/client_negotiation.cc | 1 +
 src/kudu/rpc/server_negotiation.cc | 1 +
 src/kudu/util/net/socket.cc        | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/rpc/client_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 4319183..934b714 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -418,6 +418,7 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
 
   if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
       ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
+    TRACE("Negotiated auth-only TLS");
     return tls_handshake_.FinishNoWrap(*socket_);
   }
   return tls_handshake_.Finish(&socket_);

http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/rpc/server_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 00c66e8..078acc7 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -408,6 +408,7 @@ Status ServerNegotiation::HandleTlsHandshake(const NegotiatePB& request) {
   // TLS handshake is finished.
   if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
       ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
+    TRACE("Negotiated auth-only TLS");
     return tls_handshake_.FinishNoWrap(*socket_);
   }
   return tls_handshake_.Finish(&socket_);

http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/util/net/socket.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/net/socket.cc b/src/kudu/util/net/socket.cc
index 85e858a..c0945ca 100644
--- a/src/kudu/util/net/socket.cc
+++ b/src/kudu/util/net/socket.cc
@@ -299,7 +299,7 @@ Status Socket::GetPeerAddress(Sockaddr *cur_addr) const {
 bool Socket::IsLoopbackConnection() const {
   Sockaddr local, remote;
   if (!GetSocketAddress(&local).ok()) return false;
-  if (!GetSocketAddress(&remote).ok()) return false;
+  if (!GetPeerAddress(&remote).ok()) return false;
 
   // Compare without comparing ports.
   local.set_port(0);