Posted to commits@kudu.apache.org by ad...@apache.org on 2020/03/25 20:07:23 UTC
[kudu] branch master updated: [python] KUDU-3087 use 2048-bit RSA keys for CA and server certs
This is an automated email from the ASF dual-hosted git repository.
adar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 11d6686 [python] KUDU-3087 use 2048-bit RSA keys for CA and server certs
11d6686 is described below
commit 11d6686432b7ce980310447f4b8e44150d3f6f93
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Tue Mar 24 20:34:24 2020 -0700
[python] KUDU-3087 use 2048-bit RSA keys for CA and server certs
In changelist 3343144fe, the external mini-cluster is configured to use
768-bit RSA cryptography for CA and server TLS certificates. To
make this work with OpenSSL 1.1.x, it's necessary to set security
level to 0 for the client side. That's done for C++ and Java tests in
the mentioned changelist, but Python tests were not updated
correspondingly.
This patch addresses the described issue for tests in the kudu-python
project. Since kudu-python is a wrapper around kudu-client C++ library,
it's not trivial to configure the security level using gflags in a
non-invasive way. The solution is to make kudu-master and kudu-tserver
processes use 2048-bit RSA keys instead of 768-bit ones, allowing the
tests in kudu-python to pass on contemporary or security-hardened Linux
distros which set security level 2 by default for the OpenSSL library.
This is a follow-up to 3343144fefaad5a30e95e21297c64c78e308fa1f.
Change-Id: I740d81291832bfc28c395443f2c01b0c9a7dbadf
Reviewed-on: http://gerrit.cloudera.org:8080/15554
Tested-by: Alexey Serbin <as...@cloudera.com>
Reviewed-by: <hu...@gmail.com>
Reviewed-by: Grant Henke <gr...@apache.org>
Reviewed-by: Adar Dembo <ad...@cloudera.com>
---
python/kudu/tests/common.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/python/kudu/tests/common.py b/python/kudu/tests/common.py
index e1629ea..3841eda 100644
--- a/python/kudu/tests/common.py
+++ b/python/kudu/tests/common.py
@@ -70,11 +70,25 @@ class KuduTestBase(object):
#
# Only make one replica so that our tests don't need to worry about
# setting consistency modes.
+ #
+ # By default, components of the external mini-cluster harness are run
+ # with shortest keys to save CPU resources and speed up tests. In
+ # contemporary or security-hardened OS distros that requires customizing
+ # OpenSSL's security level at the client side, lowering it down to 0
+ # (otherwise, the client side rejects certificates signed by
+ # not-strong-enough keys). Since customization of the security level
+ # for the kudu-client library via gflags is not trivial, let's override
+ # the length of the RSA keys used for CA and server certificates,
+ # making them acceptable even at OpenSSL's security level 2.
cls.send_and_receive(
p, { "create_cluster" :
{ "numMasters" : cls.NUM_MASTER_SERVERS,
"numTservers" : cls.NUM_TABLET_SERVERS,
- "extraMasterFlags" : [ "--default_num_replicas=1" ]}})
+ "extraMasterFlags" : [
+ "--default_num_replicas=1",
+ "--ipki_ca_key_size=2048",
+ "--ipki_server_key_size=2048" ],
+ "extraTserverFlags" : [ "--ipki_server_key_size=2048" ]}})
cls.send_and_receive(p, { "start_cluster" : {}})
# Get information about the cluster's masters.
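Review bot: the key size 2048 is hard-coded three times in the flag lists (`--ipki_ca_key_size=2048` and `--ipki_server_key_size=2048` under `extraMasterFlags`, then `--ipki_server_key_size=2048` again under `extraTserverFlags`), so a later edit to one of them can leave the masters and tablet servers issuing certificates of different strength, and the resulting TLS failure would only show up on hosts with a strict OpenSSL default. Consider defining the size once as a class-level constant beside `NUM_MASTER_SERVERS` and building all three flags from it. The added comment also says the harness runs "with shortest keys" without giving a number; stating the default size (768-bit per the commit message) and that 2048-bit RSA is what security level 2 accepts would let a reader see why this particular value was chosen without having to look up the earlier changelist.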