You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@kudu.apache.org by "Attila Bukor (Code Review)" <ge...@cloudera.org> on 2022/08/19 16:20:48 UTC

[kudu-CR] KUDU-3392 Support trusting custom certificates

Attila Bukor has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18870


Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its
certificate is trusted on the OS level (installed in /etc/pki). By
adding a new flag to trust a PEM file in a custom location, users don't
need to install Ranger KMS's certificate in a central location, they can
simply provide the PEM file when starting up Kudu servers. Right now,
Ranger KMS is the only such service (Kudu talks to Ranger Admin using
its Java client within a subprocess, which uses an XML config file to
set the truststore location), but it's possible that in the future, Kudu
will act as a client to other services, so the new flag,
-trusted_certificate_file, sets the trust in a central location, in
curl_util using CURLOPT_CAINFO.

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
---
M src/kudu/util/curl_util.cc
1 file changed, 9 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/18870/1
-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 1
Gerrit-Owner: Attila Bukor <ab...@apache.org>

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.

Hello Kudu Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18870

to look at the new patch set (#2).

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its
certificate is trusted on the OS level (installed in /etc/pki). By
adding a new flag to trust a PEM file in a custom location, users don't
need to install Ranger KMS's certificate in a central location, they can
simply provide the PEM file when starting up Kudu servers. Right now,
Ranger KMS is the only such service (Kudu talks to Ranger Admin using
its Java client within a subprocess, which uses an XML config file to
set the truststore location), but it's possible that in the future, Kudu
will act as a client to other services, so the new flag,
-trusted_certificate_file, sets the trust in a central location, in
curl_util using CURLOPT_CAINFO.

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
---
M src/kudu/util/curl_util.cc
1 file changed, 10 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/18870/2
-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.

Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/18870 )

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................


Patch Set 2:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18870/2//COMMIT_MSG
Commit Message:

PS2: 
It would be great to add a test to be able to spot regressions.  I guess there is a way to run kudu embedded webserver with a self-signed cert and make a request to the TLS-protected endpoint using this new provision.



-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>
Gerrit-Comment-Date: Sat, 20 Aug 2022 17:09:01 +0000
Gerrit-HasComments: Yes

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Zoltan Chovan (Code Review)" <ge...@cloudera.org>.

Zoltan Chovan has posted comments on this change. ( http://gerrit.cloudera.org:8080/18870 )

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................


Patch Set 4: Code-Review+1


-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>
Gerrit-Comment-Date: Tue, 23 Aug 2022 15:23:34 +0000
Gerrit-HasComments: No

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.

Hello Zoltan Chovan, Alexey Serbin, Kudu Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18870

to look at the new patch set (#3).

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its
certificate is trusted on the OS level (installed in /etc/pki). By
adding a new flag to trust a PEM file in a custom location, users don't
need to install Ranger KMS's certificate in a central location, they can
simply provide the PEM file when starting up Kudu servers. Right now,
Ranger KMS is the only such service (Kudu talks to Ranger Admin using
its Java client within a subprocess, which uses an XML config file to
set the truststore location), but it's possible that in the future, Kudu
will act as a client to other services, so the new flag,
-trusted_certificate_file, sets the trust in a central location, in
curl_util using CURLOPT_CAINFO.

A webserver-test has been updated to use the new trusted certificate
flag instead of disabling verifying the peer. The test certificate used
in this test had to be updated as well, as the original one had
CN=MyName, so the verification failed. It was valid only until 2027 as
well. The new certificate expires in 100 years and CN=127.0.0.1.

Issuer: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org
Validity
    Not Before: Aug 23 08:47:48 2022 GMT
    Not After : Jul 30 08:47:48 2122 GMT
Subject: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
---
M src/kudu/security/test/test_certs.cc
M src/kudu/server/webserver-test.cc
M src/kudu/util/curl_util.cc
3 files changed, 47 insertions(+), 34 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/18870/3
-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 3
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.

Hello Zoltan Chovan, Alexey Serbin, Kudu Jenkins, 

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18870

to look at the new patch set (#4).

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its
certificate is trusted on the OS level (installed in /etc/pki). By
adding a new flag to trust a PEM file in a custom location, users don't
need to install Ranger KMS's certificate in a central location, they can
simply provide the PEM file when starting up Kudu servers. Right now,
Ranger KMS is the only such service (Kudu talks to Ranger Admin using
its Java client within a subprocess, which uses an XML config file to
set the truststore location), but it's possible that in the future, Kudu
will act as a client to other services, so the new flag,
-trusted_certificate_file, sets the trust in a central location, in
curl_util using CURLOPT_CAINFO.

A webserver-test has been updated to use the new trusted certificate
flag instead of disabling verifying the peer. The test certificate used
in this test had to be updated as well, as the original one had
CN=MyName, so the verification failed. It was valid only until 2027 as
well. The new certificate expires in 100 years and CN=127.0.0.1.

Issuer: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org
Validity
    Not Before: Aug 23 08:47:48 2022 GMT
    Not After : Jul 30 08:47:48 2122 GMT
Subject: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
---
M src/kudu/security/test/test_certs.cc
M src/kudu/server/webserver-test.cc
M src/kudu/util/curl_util.cc
3 files changed, 48 insertions(+), 34 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/18870/4
-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.

Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18870 )

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................

KUDU-3392 Support trusting custom certificates

Right now, Kudu can only talk to Ranger KMS over TLS when its
certificate is trusted on the OS level (installed in /etc/pki). By
adding a new flag to trust a PEM file in a custom location, users don't
need to install Ranger KMS's certificate in a central location, they can
simply provide the PEM file when starting up Kudu servers. Right now,
Ranger KMS is the only such service (Kudu talks to Ranger Admin using
its Java client within a subprocess, which uses an XML config file to
set the truststore location), but it's possible that in the future, Kudu
will act as a client to other services, so the new flag,
-trusted_certificate_file, sets the trust in a central location, in
curl_util using CURLOPT_CAINFO.

A webserver-test has been updated to use the new trusted certificate
flag instead of disabling verifying the peer. The test certificate used
in this test had to be updated as well, as the original one had
CN=MyName, so the verification failed. It was valid only until 2027 as
well. The new certificate expires in 100 years and CN=127.0.0.1.

Issuer: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org
Validity
    Not Before: Aug 23 08:47:48 2022 GMT
    Not After : Jul 30 08:47:48 2122 GMT
Subject: C=US, L=Default City, O=Apache Software Foundation, CN=127.0.0.1/emailAddress=dev@kudu.apache.org

Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Reviewed-on: http://gerrit.cloudera.org:8080/18870
Tested-by: Kudu Jenkins
Reviewed-by: Zoltan Chovan <zc...@cloudera.com>
Reviewed-by: Alexey Serbin <al...@apache.org>
---
M src/kudu/security/test/test_certs.cc
M src/kudu/server/webserver-test.cc
M src/kudu/util/curl_util.cc
3 files changed, 48 insertions(+), 34 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Zoltan Chovan: Looks good to me, but someone else must approve
  Alexey Serbin: Looks good to me, approved

-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Alexey Serbin (Code Review)" <ge...@cloudera.org>.

Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/18870 )

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................


Patch Set 4: Code-Review+2

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18870/2/src/kudu/server/webserver-test.cc
File src/kudu/server/webserver-test.cc:

http://gerrit.cloudera.org:8080/#/c/18870/2/src/kudu/server/webserver-test.cc@417
PS2, Line 417: ASSERT_STR_CONTAINS(buf_.ToS
Yep, this seems a good one me.  As for the test coverage for set_verify_peer(false) case, we do still coverage in WebserverCrawlITest.TestAllWebPages where the TLS certification verification is disabled.

Thanks for adding the coverage for the newly introducing functionality!



-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>
Gerrit-Comment-Date: Tue, 23 Aug 2022 19:13:11 +0000
Gerrit-HasComments: Yes

[kudu-CR] KUDU-3392 Support trusting custom certificates

Posted by "Attila Bukor (Code Review)" <ge...@cloudera.org>.

Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/18870 )

Change subject: KUDU-3392 Support trusting custom certificates
......................................................................


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/18870/2//COMMIT_MSG
Commit Message:

PS2: 
> It would be great to add a test to be able to spot regressions.  I guess th
Good idea, changed an existing test to use it.



-- 
To view, visit http://gerrit.cloudera.org:8080/18870
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ib5a69ba54ad9c0029b83417bdb4dca65b6313005
Gerrit-Change-Number: 18870
Gerrit-PatchSet: 3
Gerrit-Owner: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Alexey Serbin <al...@apache.org>
Gerrit-Reviewer: Attila Bukor <ab...@apache.org>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <zc...@cloudera.com>
Gerrit-Comment-Date: Tue, 23 Aug 2022 09:15:51 +0000
Gerrit-HasComments: Yes