Posted to commits@kudu.apache.org by to...@apache.org on 2017/02/22 02:00:49 UTC

[4/6] kudu git commit: [security] leader master sends public TSKs to tservers

[security] leader master sends public TSKs to tservers

Leader master responds to tablet servers with the list of public TSK parts
in the TSHeartbeatResponsePB.tsks field.

Added a small integration test for verification.

Change-Id: Idd65bda944be9d365580e2d4b37b293b4dcff3e0
Reviewed-on: http://gerrit.cloudera.org:8080/6065
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/6ec83123
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/6ec83123
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/6ec83123

Branch: refs/heads/master
Commit: 6ec831234fd1682c22a6a2cb547dbaff96188f95
Parents: b5734ea
Author: Alexey Serbin <as...@cloudera.com>
Authored: Fri Feb 17 17:22:50 2017 -0800
Committer: Alexey Serbin <as...@cloudera.com>
Committed: Wed Feb 22 01:44:09 2017 +0000

----------------------------------------------------------------------
 src/kudu/integration-tests/registration-test.cc | 10 ++++++++++
 src/kudu/master/master.proto                    |  1 -
 src/kudu/master/master_service.cc               | 11 ++++++++++-
 3 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/integration-tests/registration-test.cc
----------------------------------------------------------------------
diff --git a/src/kudu/integration-tests/registration-test.cc b/src/kudu/integration-tests/registration-test.cc
index 168ce9e..fa91d7a 100644
--- a/src/kudu/integration-tests/registration-test.cc
+++ b/src/kudu/integration-tests/registration-test.cc
@@ -33,6 +33,7 @@
 #include "kudu/master/ts_descriptor.h"
 #include "kudu/security/test/test_certs.h"
 #include "kudu/security/tls_context.h"
+#include "kudu/security/token_verifier.h"
 #include "kudu/tserver/mini_tablet_server.h"
 #include "kudu/tserver/tablet_server.h"
 #include "kudu/util/curl_util.h"
@@ -221,6 +222,15 @@ TEST_F(RegistrationTest, TestTSGetsSignedX509Certificate) {
     }, MonoDelta::FromSeconds(10));
 }
 
+// Check that after the tablet server registers, it gets the list of valid
+// public token signing keys.
+TEST_F(RegistrationTest, TestTSGetsTskList) {
+  MiniTabletServer* ts = cluster_->mini_tablet_server(0);
+  AssertEventually([&](){
+      ASSERT_FALSE(ts->server()->token_verifier().ExportKeys().empty());
+    });
+}
+
 // Test that, if the tserver has HTTPS enabled, the master links to it
 // via https:// URLs and not http://.
 TEST_F(RegistrationTest, TestExposeHttpsURLs) {
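Review bot: TestTSGetsTskList only asserts that the tablet server ends up with a non-empty key set, so a tablet server that received a stale or unrelated set of public keys would still pass; a stronger check would compare `ts->server()->token_verifier().ExportKeys()` with what the leader master's signer verifier exports (the master side calls `token_signer()->verifier().ExportKeys()` in master_service.cc, though the accessor from the mini master is not visible in this commit). The preceding test passes an explicit `MonoDelta::FromSeconds(10)` to AssertEventually while the new one relies on the default, so making the timeout explicit would keep the two consistent. A short comment on the producer side would also help readers, e.g. `// The keys are delivered by the leader master in TSHeartbeatResponsePB.tsks.`.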

http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/master/master.proto
----------------------------------------------------------------------
diff --git a/src/kudu/master/master.proto b/src/kudu/master/master.proto
index 37deba4..9846968 100644
--- a/src/kudu/master/master.proto
+++ b/src/kudu/master/master.proto
@@ -608,7 +608,6 @@ message ConnectToMasterResponsePB {
 
   // If the client requested an authentication token, and security is
   // enabled on the cluster, the master returns a signed authn token.
-  // TODO(PKI): implement me!
   optional security.SignedTokenPB authn_token = 4;
 }
 

http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/master/master_service.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master_service.cc b/src/kudu/master/master_service.cc
index 2e28f07..4352025 100644
--- a/src/kudu/master/master_service.cc
+++ b/src/kudu/master/master_service.cc
@@ -32,6 +32,7 @@
 #include "kudu/rpc/user_credentials.h"
 #include "kudu/server/webserver.h"
 #include "kudu/security/token_signer.h"
+#include "kudu/security/token_verifier.h"
 #include "kudu/util/flag_tags.h"
 #include "kudu/util/pb_util.h"
 
@@ -164,7 +165,15 @@ void MasterServiceImpl::TSHeartbeat(const TSHeartbeatRequestPB* req,
     resp->add_ca_cert_der(server_->cert_authority()->ca_cert_der());
   }
 
-  // TODO(aserbin): 7. Send any active CA certs which the TS doesn't have.
+  // 7. Only leaders send public parts of non-expired TSK
+  // which the TS doesn't have.
+  if (is_leader_master && req->has_latest_tsk_seq_num()) {
+    auto tsk_public_keys = server_->token_signer()->verifier().ExportKeys(
+        req->latest_tsk_seq_num());
+    for (auto& key : tsk_public_keys) {
+      resp->add_tsks()->Swap(&key);
+    }
+  }
 
   rpc->RespondSuccess();
 }
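Review bot: The new comment says only non-expired TSK public parts are sent, but the visible call `ExportKeys(req->latest_tsk_seq_num())` passes nothing except a sequence number, so any expiry filtering happens inside the verifier and is not enforced here; the comment should either name where that is enforced or drop the "non-expired" claim. The `req->has_latest_tsk_seq_num()` guard also means a tablet server that omits the field receives no TSKs at all, which is presumably the intended protocol (the TS reports the newest sequence number it holds and receives keys it lacks) but deserves a sentence in the comment, e.g. `// The TS reports the newest TSK sequence number it already holds; a TS that omits the field gets no keys.`. The enclosing TSHeartbeat function starts before this hunk.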