Posted to commits@kudu.apache.org by to...@apache.org on 2017/02/22 02:00:49 UTC
[4/6] kudu git commit: [security] leader master sends public TSKs to
tservers
[security] leader master sends public TSKs to tservers
The leader master responds to tablet server heartbeats with the list of
public TSK parts in the TSHeartbeatResponsePB.tsks field.
Added a small integration test for verification.
Change-Id: Idd65bda944be9d365580e2d4b37b293b4dcff3e0
Reviewed-on: http://gerrit.cloudera.org:8080/6065
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Kudu Jenkins
Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/6ec83123
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/6ec83123
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/6ec83123
Branch: refs/heads/master
Commit: 6ec831234fd1682c22a6a2cb547dbaff96188f95
Parents: b5734ea
Author: Alexey Serbin <as...@cloudera.com>
Authored: Fri Feb 17 17:22:50 2017 -0800
Committer: Alexey Serbin <as...@cloudera.com>
Committed: Wed Feb 22 01:44:09 2017 +0000
----------------------------------------------------------------------
src/kudu/integration-tests/registration-test.cc | 10 ++++++++++
src/kudu/master/master.proto | 1 -
src/kudu/master/master_service.cc | 11 ++++++++++-
3 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/integration-tests/registration-test.cc
----------------------------------------------------------------------
diff --git a/src/kudu/integration-tests/registration-test.cc b/src/kudu/integration-tests/registration-test.cc
index 168ce9e..fa91d7a 100644
--- a/src/kudu/integration-tests/registration-test.cc
+++ b/src/kudu/integration-tests/registration-test.cc
@@ -33,6 +33,7 @@
#include "kudu/master/ts_descriptor.h"
#include "kudu/security/test/test_certs.h"
#include "kudu/security/tls_context.h"
+#include "kudu/security/token_verifier.h"
#include "kudu/tserver/mini_tablet_server.h"
#include "kudu/tserver/tablet_server.h"
#include "kudu/util/curl_util.h"
@@ -221,6 +222,15 @@ TEST_F(RegistrationTest, TestTSGetsSignedX509Certificate) {
}, MonoDelta::FromSeconds(10));
}
+// Check that after the tablet server registers, it gets the list of valid
+// public token signing keys.
+TEST_F(RegistrationTest, TestTSGetsTskList) {
+ MiniTabletServer* ts = cluster_->mini_tablet_server(0);
+ AssertEventually([&](){
+ ASSERT_FALSE(ts->server()->token_verifier().ExportKeys().empty());
+ });
+}
+
// Test that, if the tserver has HTTPS enabled, the master links to it
// via https:// URLs and not http://.
TEST_F(RegistrationTest, TestExposeHttpsURLs) {
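Review bot: The new test only asserts that the tablet server ends up with a non-empty key list, not that it received the master's current signing keys, so a regression that ships a stale or partial list would still pass. If the fixture exposes the master, comparing against the master side's own `token_signer()->verifier().ExportKeys()` (the accessor the master service uses) would pin the contract, e.g. `ASSERT_EQ(master_keys.size(), ts->server()->token_verifier().ExportKeys().size());` inside the AssertEventually lambda. The neighbouring test passes an explicit `MonoDelta::FromSeconds(10)` to `AssertEventually`, while this one relies on the default timeout; worth aligning for consistency. A one-line comment on what a "valid" key means here (newer than the seq num the TS reported, per the master-side change) would also help the next reader.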
http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/master/master.proto
----------------------------------------------------------------------
diff --git a/src/kudu/master/master.proto b/src/kudu/master/master.proto
index 37deba4..9846968 100644
--- a/src/kudu/master/master.proto
+++ b/src/kudu/master/master.proto
@@ -608,7 +608,6 @@ message ConnectToMasterResponsePB {
// If the client requested an authentication token, and security is
// enabled on the cluster, the master returns a signed authn token.
- // TODO(PKI): implement me!
optional security.SignedTokenPB authn_token = 4;
}
http://git-wip-us.apache.org/repos/asf/kudu/blob/6ec83123/src/kudu/master/master_service.cc
----------------------------------------------------------------------
diff --git a/src/kudu/master/master_service.cc b/src/kudu/master/master_service.cc
index 2e28f07..4352025 100644
--- a/src/kudu/master/master_service.cc
+++ b/src/kudu/master/master_service.cc
@@ -32,6 +32,7 @@
#include "kudu/rpc/user_credentials.h"
#include "kudu/server/webserver.h"
#include "kudu/security/token_signer.h"
+#include "kudu/security/token_verifier.h"
#include "kudu/util/flag_tags.h"
#include "kudu/util/pb_util.h"
@@ -164,7 +165,15 @@ void MasterServiceImpl::TSHeartbeat(const TSHeartbeatRequestPB* req,
resp->add_ca_cert_der(server_->cert_authority()->ca_cert_der());
}
- // TODO(aserbin): 7. Send any active CA certs which the TS doesn't have.
+ // 7. Only leaders send public parts of non-expired TSK
+ // which the TS doesn't have.
+ if (is_leader_master && req->has_latest_tsk_seq_num()) {
+ auto tsk_public_keys = server_->token_signer()->verifier().ExportKeys(
+ req->latest_tsk_seq_num());
+ for (auto& key : tsk_public_keys) {
+ resp->add_tsks()->Swap(&key);
+ }
+ }
rpc->RespondSuccess();
}
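Review bot: The comment on the added block claims only non-expired TSK public parts are sent, but nothing in the hunk filters by expiry; whether `ExportKeys(seq_num)` drops expired keys is not visible here, so either the comment should say only what the call guarantees or the filtering should be made explicit at this call site. It is also worth documenting that `latest_tsk_seq_num` is caller-supplied and only narrows which public keys are returned, so an arbitrary or bogus value from a tablet server cannot expose more than public key material, and that a TS which omits the field receives no keys at all. Because the TS will trust these keys to verify authn tokens, this response is a trust root: the tablet-server side should accept the `tsks` field only from an authenticated leader master (presumably over the TLS channel whose CA cert is handed out at step 6 above), which is outside this hunk and worth confirming. Suggested replacement for the comment: `// 7. Only the leader sends public TSK parts newer than the seq num the TS reports; the seq num is untrusted input and only narrows the list.` TSHeartbeat's body starts and ends outside the hunk.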