Posted to reviews@kudu.apache.org by "Alexey Serbin (Code Review)" <ge...@cloudera.org> on 2017/05/05 02:54:09 UTC

[kudu-CR](branch-1.3.x) KUDU-1981 Kudu should run at hosts len(FQDN) > 64

Hello Dan Burkert, Kudu Jenkins,

I'd like you to do a code review.  Please visit

    http://gerrit.cloudera.org:8080/6805

to review the following change.

Change subject: KUDU-1981 Kudu should run at hosts len(FQDN) > 64
......................................................................

KUDU-1981 Kudu should run at hosts len(FQDN) > 64

This is a fix for KUDU-1981: with security enabled, Kudu servers cannot
start on machines with len(FQDN) > 64.  Prior to this fix, the host FQDN
was put into the CSR's CN (common name) field while generating a
self-signed certificate for the server RPC messenger. Per RFC 5280, the CN
field cannot contain strings longer than 64 characters, and it
seems OpenSSL enforces that limit as required.

The idea is to put FQDNs into the SAN X509v3 extension field as 'DNS'
fields.  That makes it possible to have names in the SAN which are even
longer than 255 characters.  This patch returns back a part of the
SAN-related functionality which had been implemented initially in
cert_management.cc and then removed since it was not used back then.

This patch also adds a couple of unit tests to cover the new
functionality and to make sure it's possible to set the CN field of a CSR
to a 64-character value and have the corresponding X509 certificate
generated with no issues.

Change-Id: Ie142e76e9b2dcef3e07dd33d82b6758c746ced19
Reviewed-on: http://gerrit.cloudera.org:8080/6734
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <da...@apache.org>
(cherry picked from commit eccafbcfbd41324164f7df10219a2b9c3d161269)
---
M src/kudu/integration-tests/master_cert_authority-itest.cc
M src/kudu/security/ca/cert_management-test.cc
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert-test.cc
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/security/tls_context.cc
10 files changed, 232 insertions(+), 74 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/05/6805/1
-- 
To view, visit http://gerrit.cloudera.org:8080/6805
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie142e76e9b2dcef3e07dd33d82b6758c746ced19
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: branch-1.3.x
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Kudu Jenkins

[kudu-CR](branch-1.3.x) KUDU-1981 Kudu should run at hosts len(FQDN) > 64

Posted by "Jean-Daniel Cryans (Code Review)" <ge...@cloudera.org>.
Jean-Daniel Cryans has posted comments on this change.

Change subject: KUDU-1981 Kudu should run at hosts len(FQDN) > 64
......................................................................


Patch Set 1: Code-Review+2


Gerrit-MessageType: comment
Gerrit-Change-Id: Ie142e76e9b2dcef3e07dd33d82b6758c746ced19
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: branch-1.3.x
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Jean-Daniel Cryans <jd...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-HasComments: No

[kudu-CR](branch-1.3.x) KUDU-1981 Kudu should run at hosts len(FQDN) > 64

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.
Alexey Serbin has submitted this change and it was merged.

Change subject: KUDU-1981 Kudu should run at hosts len(FQDN) > 64
......................................................................


KUDU-1981 Kudu should run at hosts len(FQDN) > 64

This is a fix for KUDU-1981: with security enabled, Kudu servers cannot
start on machines with len(FQDN) > 64.  Prior to this fix, the host FQDN
was put into the CSR's CN (common name) field while generating a
self-signed certificate for the server RPC messenger. Per RFC 5280, the CN
field cannot contain strings longer than 64 characters, and it
seems OpenSSL enforces that limit as required.

The idea is to put FQDNs into the SAN X509v3 extension field as 'DNS'
fields.  That makes it possible to have names in the SAN which are even
longer than 255 characters.  This patch returns back a part of the
SAN-related functionality which had been implemented initially in
cert_management.cc and then removed since it was not used back then.

This patch also adds a couple of unit tests to cover the new
functionality and to make sure it's possible to set the CN field of a CSR
to a 64-character value and have the corresponding X509 certificate
generated with no issues.

Change-Id: Ie142e76e9b2dcef3e07dd33d82b6758c746ced19
Reviewed-on: http://gerrit.cloudera.org:8080/6734
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <da...@apache.org>
(cherry picked from commit eccafbcfbd41324164f7df10219a2b9c3d161269)
Reviewed-on: http://gerrit.cloudera.org:8080/6805
Reviewed-by: Jean-Daniel Cryans <jd...@apache.org>
---
M src/kudu/integration-tests/master_cert_authority-itest.cc
M src/kudu/security/ca/cert_management-test.cc
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/cert-test.cc
M src/kudu/security/cert.cc
M src/kudu/security/cert.h
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/security/tls_context.cc
10 files changed, 232 insertions(+), 74 deletions(-)

Approvals:
  Jean-Daniel Cryans: Looks good to me, approved
  Kudu Jenkins: Verified




Gerrit-MessageType: merged
Gerrit-Change-Id: Ie142e76e9b2dcef3e07dd33d82b6758c746ced19
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: branch-1.3.x
Gerrit-Owner: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@apache.org>
Gerrit-Reviewer: Jean-Daniel Cryans <jd...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
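
An added illustration of the approach the commit message describes, written with Go's standard library rather than Kudu's OpenSSL-based C++ code (it is not part of this change): a host name longer than 64 characters is carried in the SAN as a dNSName while the CN stays a short label. The 70-character host name is constructed, the CN value `kudu-server` and the helper names are assumptions, and the explicit length check stands in for the limit the commit message says OpenSSL enforces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// maxCN is ub-common-name from RFC 5280: a CN value may hold at most 64 characters.
const maxCN = 64

// LongFQDN is a constructed 70-character host name (sample input, not from the page).
var LongFQDN = strings.Repeat("a", 30) + "." + strings.Repeat("b", 27) + ".example.com"

// SelfSignedForHost (hypothetical helper) issues a self-signed certificate with
// cn as the subject CN and fqdn as a SAN dNSName; a cn over 64 bytes is rejected.
func SelfSignedForHost(cn, fqdn string) (*x509.Certificate, error) {
	if len(cn) > maxCN {
		return nil, errors.New("CN exceeds the 64-character limit of RFC 5280")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // short label only (assumed value)
		DNSNames:     []string{fqdn},            // host identity goes into the SAN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if cert, err := SelfSignedForHost("kudu-server", LongFQDN); err == nil {
		fmt.Println(len(LongFQDN), cert.DNSNames, cert.VerifyHostname(LongFQDN))
	}
}
```

Passing the long host name as the CN makes the helper return an error, while the same name in the SAN round-trips through parsing and matches in `VerifyHostname`.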