kudu-commits mailing list archives

From a...@apache.org
Subject [kudu] branch master updated: [python] KUDU-3087 use 2048-bit RSA keys for CA and server certs
Date Wed, 25 Mar 2020 20:07:23 GMT
This is an automated email from the ASF dual-hosted git repository.

adar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

The following commit(s) were added to refs/heads/master by this push:
     new 11d6686  [python] KUDU-3087 use 2048-bit RSA keys for CA and server certs
11d6686 is described below

commit 11d6686432b7ce980310447f4b8e44150d3f6f93
Author: Alexey Serbin <alexey@apache.org>
AuthorDate: Tue Mar 24 20:34:24 2020 -0700

    [python] KUDU-3087 use 2048-bit RSA keys for CA and server certs

    In changelist 3343144fe, the external mini-cluster is configured to use
    768-bit RSA cryptography for CA and server TLS certificates.  To
    make this work with OpenSSL 1.1.x, it's necessary to set security
    level to 0 for the client side.  That's done for C++ and Java tests in
    the mentioned changelist, but Python tests were not updated.

    This patch addresses the described issue for tests in the kudu-python
    project.  Since kudu-python is a wrapper around kudu-client C++ library,
    it's not trivial to configure the security level using gflags in a
    non-invasive way.  The solution is to make kudu-master and kudu-tserver
    processes using 2048-bit RSA keys instead of 768-bit ones, allowing the
    tests in kudu-python to pass on contemporary or security-hardened Linux
    distros which set security level 2 by default for the OpenSSL library.

    This is a follow-up to 3343144fefaad5a30e95e21297c64c78e308fa1f.

    Change-Id: I740d81291832bfc28c395443f2c01b0c9a7dbadf
    Reviewed-on: http://gerrit.cloudera.org:8080/15554
    Tested-by: Alexey Serbin <aserbin@cloudera.com>
    Reviewed-by: <huangtianhua223@gmail.com>
    Reviewed-by: Grant Henke <granthenke@apache.org>
    Reviewed-by: Adar Dembo <adar@cloudera.com>
 python/kudu/tests/common.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/python/kudu/tests/common.py b/python/kudu/tests/common.py
index e1629ea..3841eda 100644
--- a/python/kudu/tests/common.py
+++ b/python/kudu/tests/common.py
@@ -70,11 +70,25 @@ class KuduTestBase(object):
         # Only make one replica so that our tests don't need to worry about
         # setting consistency modes.
+        #
+        # By default, components of the external mini-cluster harness are run
+        # with shortest keys to save CPU resources and speed up tests. In
+        # contemporary or security-hardened OS distros that requires customizing
+        # OpenSSL's security level at the client side, lowering it down to 0
+        # (otherwise, the client side rejects certificates signed by
+        # not-strong-enough keys). Since customization of the security level
+        # for the kudu-client library via gflags is not trivial, let's override
+        # the length of the RSA keys used for CA and server certificates,
+        # making them acceptable even at OpenSSL's security level 2.
             p, { "create_cluster" :
                  { "numMasters" : cls.NUM_MASTER_SERVERS,
                    "numTservers" : cls.NUM_TABLET_SERVERS,
-                   "extraMasterFlags" : [ "--default_num_replicas=1" ]}})
+                   "extraMasterFlags" : [
+                       "--default_num_replicas=1",
+                       "--ipki_ca_key_size=2048",
+                       "--ipki_server_key_size=2048" ],
+                   "extraTserverFlags" : [ "--ipki_server_key_size=2048" ]}})
         cls.send_and_receive(p, { "start_cluster" : {}})
         # Get information about the cluster's masters.
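
Review bot: The literal 2048 appears three times across "extraMasterFlags" and "extraTserverFlags", while the new comment never states the number or why it was picked. 2048 bits is the smallest RSA key OpenSSL accepts at security level 2, so consider hoisting the value into one class-level constant (a hypothetical RSA_KEY_BITS = 2048, for instance) and naming that threshold in the comment; a host configured at a stricter level could then be handled by changing a single value. The comment would also be easier to follow if it named the 768-bit default being overridden, which the commit message gives but "shortest keys" does not.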
