Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2021/03/31 06:57:38 UTC

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Alexey Serbin has uploaded this change for review. ( http://gerrit.cloudera.org:8080/17245


Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow for backward compatibility of Java
clients of prior versions to work with newer, TLSv1.3-capable
Kudu servers.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Java client and a Kudu cluster.  The
newly added scenario runs only if both the JVM and the node's OpenSSL
library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 169 insertions(+), 20 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/1
-- 
To view, visit http://gerrit.cloudera.org:8080/17245
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 1
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 3: Verified+1

unrelated test failure in org.apache.kudu.client.TestMultipleLeaderFailover



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Thu, 01 Apr 2021 18:00:41 +0000
Gerrit-HasComments: No

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 8: Verified+1

unrelated test failure in TxnParticipantTest.TestConcurrentOps



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 07 Apr 2021 00:44:06 +0000
Gerrit-HasComments: No

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#3).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow for backward compatibility of Java
clients of prior versions to work with newer, TLSv1.3-capable
Kudu servers.  In other words, TLSv1.2 is the highest protocol version
that Kudu Java clients of prior versions are able to use even if talking
to newer Kudu servers which are capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Java client and a Kudu cluster.  The
newly added scenario runs only if both the JVM and the node's OpenSSL
library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 235 insertions(+), 20 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/3

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Removed Verified-1 by Kudu Jenkins (120)

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Reviewed-on: http://gerrit.cloudera.org:8080/17245
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: Grant Henke <gr...@apache.org>
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
M java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
3 files changed, 302 insertions(+), 33 deletions(-)

Approvals:
  Alexey Serbin: Verified
  Grant Henke: Looks good to me, approved


Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 9
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, Greg Solovyev, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#8).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
M java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
3 files changed, 302 insertions(+), 33 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/8

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#5).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 282 insertions(+), 32 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/5

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 5
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has removed a vote on this change.

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Removed Verified-1 by Kudu Jenkins (120)

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: deleteVote
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#6).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 288 insertions(+), 32 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/6

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 6
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#2).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow for backward compatibility of Java
clients of prior versions to work with newer, TLSv1.3-capable
Kudu servers.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Java client and a Kudu cluster.  The
newly added scenario runs only if both the JVM and the node's OpenSSL
library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 169 insertions(+), 20 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/2

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#7).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow Kudu Java clients of prior versions
to talk with newer, TLSv1.3-capable Kudu servers.  In other words,
TLSv1.2 is the highest protocol version that Kudu Java clients of prior
versions are able to use even if talking to newer Kudu servers which
are now capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Kudu Java client and a Kudu cluster.
The newly added scenario runs only if both the JVM and the node's
OpenSSL library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
M java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
3 files changed, 298 insertions(+), 33 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/7

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 7
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 7:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
File java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java:

http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java@56
PS7, Line 56: public class TestNegotiationTLSv13 {
> Maybe add a note here that TestNegotiator has the tests for TLS versions ea
Done


http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
File java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java:

PS7: 
> Perhaps just add a TODO by the ENABLED_PROTOCOLS to enhance the test for v1
Done




Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 7
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 06 Apr 2021 22:03:34 +0000
Gerrit-HasComments: Yes

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 2:

> Build Failed
>
> http://jenkins.kudu.apache.org/job/kudu-gerrit/23558/ : FAILURE

This is funny: the JVM didn't report any issue with SSLContext.getInstance("TLSv1.3"), but it was unable to use TLSv1.3:

15:32.818210 (+    99us) server_negotiation.cc:385] Sending RPC error: FATAL_UNAUTHORIZED: Runtime error: TLS Handshake error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1655


I know the new test scenario works as intended for
  openjdk 11.0.10 2021-01-19
  OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
  OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

but it seems that in the JVM used in dist-tests it's not working as expected.



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 31 Mar 2021 17:09:56 +0000
Gerrit-HasComments: No
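
The mismatch described in the comment above (SSLContext.getInstance("TLSv1.3") succeeds, yet the server rejects the handshake as an unsupported protocol) can be narrowed down by inspecting what a client-mode SSLEngine actually supports and enables. This is an added example, not code from the Kudu patch; the class name Tls13Probe and the Report fields are hypothetical, and only standard JSSE calls are used.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not Kudu code: reports what this JVM really offers for TLSv1.3.
public class Tls13Probe {
  static final String TLS13 = "TLSv1.3";

  // Cipher suite names defined for TLS 1.3 (RFC 8446) that JSSE may expose.
  static final List<String> TLS13_SUITES = Arrays.asList(
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256");

  // Hypothetical holder for the probe results.
  static final class Report {
    boolean contextAvailable;   // SSLContext.getInstance("TLSv1.3") succeeded
    boolean supported;          // engine lists TLSv1.3 as a supported protocol
    boolean enabledByDefault;   // client-mode engine enables it without being asked
    boolean canBeEnabled;       // setEnabledProtocols({"TLSv1.3"}) was accepted
    final List<String> enabledTls13Suites = new ArrayList<>();

    // A test scenario that requires TLSv1.3 should be gated on all three.
    boolean usable() {
      return supported && canBeEnabled && !enabledTls13Suites.isEmpty();
    }
  }

  static Report probe() throws Exception {
    Report r = new Report();
    SSLContext ctx;
    try {
      ctx = SSLContext.getInstance(TLS13);
      r.contextAvailable = true;
    } catch (NoSuchAlgorithmException e) {
      // Fall back to the generic context so the remaining checks still run.
      ctx = SSLContext.getInstance("TLS");
    }
    ctx.init(null, null, null);  // default key managers, trust managers, RNG

    SSLEngine engine = ctx.createSSLEngine();
    engine.setUseClientMode(true);

    r.supported = Arrays.asList(engine.getSupportedProtocols()).contains(TLS13);
    r.enabledByDefault = Arrays.asList(engine.getEnabledProtocols()).contains(TLS13);

    try {
      // Throws IllegalArgumentException if the provider does not support it.
      engine.setEnabledProtocols(new String[] {TLS13});
      r.canBeEnabled = true;
    } catch (IllegalArgumentException e) {
      r.canBeEnabled = false;
    }

    // Without at least one TLS 1.3 suite enabled, a ClientHello cannot offer 1.3.
    for (String suite : engine.getEnabledCipherSuites()) {
      if (TLS13_SUITES.contains(suite)) {
        r.enabledTls13Suites.add(suite);
      }
    }
    return r;
  }

  public static void main(String[] args) throws Exception {
    Report r = probe();
    System.out.println("java.version       = " + System.getProperty("java.version"));
    System.out.println("context available  = " + r.contextAvailable);
    System.out.println("protocol supported = " + r.supported);
    System.out.println("enabled by default = " + r.enabledByDefault);
    System.out.println("can be enabled     = " + r.canBeEnabled);
    System.out.println("TLS 1.3 suites     = " + r.enabledTls13Suites);
    System.out.println("usable             = " + r.usable());
  }
}
```

Running it on both the developer JVM and the CI JVM shows which of the checks differs between the two environments.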

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 8: Code-Review+2



Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 8
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Wed, 07 Apr 2021 12:43:21 +0000
Gerrit-HasComments: No

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 7:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
File java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java:

http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java@56
PS7, Line 56: public class TestNegotiationTLSv13 {
Maybe add a note here that TestNegotiator has the tests for TLS versions earlier than 1.3 and add a note in that test about this one.


http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
File java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java:

PS7: 
> The story with making TLSv1.3-related updates to this test.   I didn't know
Perhaps just add a TODO by the ENABLED_PROTOCOLS to enhance the test for v1.3?




Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 7
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Tue, 06 Apr 2021 14:15:39 +0000
Gerrit-HasComments: Yes

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Hello Kudu Jenkins, Andrew Wong, Grant Henke, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/17245

to look at the new patch set (#4).

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................

KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

With this patch, Kudu Java client is able to talk TLSv1.3 to the server
side.  Essentially, this is about adding TLSv1.3 ciphers into the list
of preferred cipher suites in Negotiator.java and sending a chunk of
data produced by the final TLSv1.3 handshake iteration to the server
when the client senses that the TLS handshake is done.

Prior to this patch, Kudu Java client didn't support TLSv1.3 for RPC
because:
  * It didn't have ciphers required for TLSv1.3
  * It didn't send back the last chunk of data to the server side
    in the end of the TLS handshake process

The former is crucial to allow for backward compatibility of Java
clients of prior versions to work with newer, TLSv1.3-capable
Kudu servers.  In other words, TLSv1.2 is the highest protocol version
that Kudu Java clients of prior versions are able to use even if talking
to newer Kudu servers which are capable of talking TLSv1.3.

This patch also contains a new test scenario to verify the functionality
of TLSv1.3-enabled RPC between a Java client and a Kudu cluster.  The
newly added scenario runs only if both the JVM and the node's OpenSSL
library support TLSv1.3.

Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
A java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiationTLSv13.java
2 files changed, 206 insertions(+), 20 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/45/17245/4

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 4
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/17245 )

Change subject: KUDU-2871 support TLSv1.3 in Kudu RPC (Java part)
......................................................................


Patch Set 7:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/17245/7/java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java
File java/kudu-client/src/test/java/org/apache/kudu/client/TestNegotiator.java:

PS7: 
The story with making TLSv1.3-related updates to this test. I didn't know this test existed: first I found /TestNegotiation.java and created TestNegotiationTLSv13.java to add a scenario based on an external mini-cluster. Only later on I found this one, and I realized it would require making changes in the way this scenario updated the Netty pipeline after Negotiator senses that the TLS handshake is complete but it still has some data to be sent to the server side. So, given I had already implemented a thorough test scenario to make sure the Kudu Java client can talk TLSv1.3 with Kudu servers, I decided not to update this test scenario to work for TLSv1.3 but rather limit it to TLSv1.2 and prior protocol versions.

Let me know if there is a need to make this scenario work for TLSv1.3 as well. If so, I'd rather do that in a separate changelist.




Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I884170bdbded8b4017a80db34ecc0a755426c5c2
Gerrit-Change-Number: 17245
Gerrit-PatchSet: 7
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Andrew Wong <aw...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@apache.org>
Gerrit-Reviewer: Greg Solovyev <gs...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Comment-Date: Mon, 05 Apr 2021 23:08:55 +0000
Gerrit-HasComments: Yes