apache /
kudu /
3aeb9139992eab62160b85bb1e51d44301549569 KUDU-3448 Add support for encrypting TSKs
In a previous patch, support for encrypting IPKI root CA private keys
has been added. This is a follow up patch, to add encryption support for
token signing keys as well. It is controlled by a new flag:
--tsk_private_key_password_cmd.
If this flag is set, the token signing keys will be stored in the
syscatalog table in encrypted form (AES-256-CBC with PKCS#8 encoding).
Token signing keys rotate automatically in Kudu, but for now, at least,
encryption of TSKs can't be turned on or off on an existing master, so
if this flag is set on the first startup of a master, it must be set to
a command that outputs the same password as on initialization, and vice
versa, it must not be provided on later master startups if it wasn't
provided on initialization.
Change-Id: Id8d770de7ed824cfc725003bbe77f1e42629029b
Reviewed-on: http://gerrit.cloudera.org:8080/19617
Tested-by: Attila Bukor <abukor@apache.org>
Reviewed-by: Alexey Serbin <alexey@apache.org>
3 files changed
