You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kudu.apache.org by al...@apache.org on 2020/03/09 04:11:04 UTC

[kudu] 02/02: [test-util] set OpenSSL security level for kudu CLI

This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 05dd6f8d8c9ea8c10012bc7e90b19beabc74d303
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Fri Mar 6 16:09:55 2020 -0800

    [test-util] set OpenSSL security level for kudu CLI
    
    This patch adds --openssl_security_level_override=1 option for all kudu
    CLI invocations run via RunKuduTool() utility function.  With that, the
    client-side parts of the kudu CLI are able to verify certificates signed
    by shorter keys generated for test scenarios even when run on
    contemporary Linux OS distributions like RHEL/CentOS 8.x where the
    OpenSSL library is built with default security level 2.
    
    This is a follow-up to 93e85876f472b2668604ce5c15eafb17ce303989.
    
    Change-Id: I318621bc453ac5e25cd80070a9f3e56455e3f73b
    Reviewed-on: http://gerrit.cloudera.org:8080/15384
    Tested-by: Alexey Serbin <as...@cloudera.com>
    Reviewed-by: Adar Dembo <ad...@cloudera.com>
---
 src/kudu/tools/tool_test_util.cc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/kudu/tools/tool_test_util.cc b/src/kudu/tools/tool_test_util.cc
index a0cbbcb..59c3696 100644
--- a/src/kudu/tools/tool_test_util.cc
+++ b/src/kudu/tools/tool_test_util.cc
@@ -55,8 +55,10 @@ Status RunKuduTool(const vector<string>& args, string* out, string* err,
                    const std::string& in) {
   vector<string> total_args = { GetKuduToolAbsolutePath() };
 
-  // Speed up filesystem-based operations.
+  // Some scenarios might add unsafe flags for testing purposes.
   total_args.emplace_back("--unlock_unsafe_flags");
+
+  // Speed up filesystem-based operations.
   total_args.emplace_back("--never_fsync");
 
   // Do not colorize glog's output (i.e. messages logged via LOG()) even
@@ -65,6 +67,12 @@ Status RunKuduTool(const vector<string>& args, string* out, string* err,
   // (e.g., the exact location of some substring/character in the output line).
   total_args.emplace_back("--nocolorlogtostderr");
 
+  // Kudu masters and tablet servers run as a part of external mini-cluster use
+  // shorter keys. Newer OS distros have OpenSSL built with the default security
+  // level higher than 1, so it's necessary to override it on the client
+  // side as well to allow clients to accept and verify TLS certificates.
+  total_args.emplace_back("--openssl_security_level_override=1");
+
   total_args.insert(total_args.end(), args.begin(), args.end());
   return Subprocess::Call(total_args, in, out, err);
 }