Commit
[#6740]: Update clients to support mTLS in YB clusters.

Summary: Since the coreDB supports mutual TLS, we need to ensure all RPC clients allow for that mode of connection. This diff adds the required code for yb-client to ensure proper functioning with mTLS enabled universes.

Test Plan: Tested by creating an rf-1 yugabyted cluster with mTLS enabled. Used yb-cli to test for the following cases:

1) yb-cli passes all the flags correctly:
```
yb> connect --masters 127.0.0.1:7100 --certFile /Users/yugabyte/Desktop/yugabyte-2.5.1.0/certs/ca.crt --clientCertFile /Users/yugabyte/Desktop/yugabyte-2.5.1.0/certs/node.127.0.0.1.crt --clientKey /Users/yugabyte/Desktop/yugabyte-2.5.1.0/certs/node.127.0.0.1.key
Connected to database at 127.0.0.1:7100
yb> list masters
Got 1 masters [(index) HostName Port UUID IsLeader State]:
(1) 127.0.0.1 7100 d1b54ed4e0cd4a6dbe4b7aa8b4ad7926 true ALIVE
Time taken: 609 ms.
yb> list tablet-servers
Got 1 tablet servers [(index) HostName Port UUID]:
(1) 127.0.0.1 9100 c675511bf3a54782bcc10981e1b5a6b4
Time taken: 12 ms.
```

2) yb-cli doesn't pass the client cert and key.
```
yb> connect --masters 127.0.0.1:7100 --certFile /Users/yugabyte/Desktop/yugabyte-2.5.1.0/certs/ca.crt
Connected to database at 127.0.0.1:7100
yb> list masters
Failed to fetch masters info for database at 127.0.0.1:7100, error: org.yb.client.NonRecoverableException: Too many attempts: YRpc(method=ListMasters, service=yb.master.MasterService, tablet=null, attempt=6, maxAttempts=100, DeadlineTracker(timeout=10000, elapsed=8154), Deferred@1289590497(state=PENDING, result=null, callback=(continuation of Deferred@1364209305 after retry RPC after error@1902091760) -> (continuation of Deferred@1611313267 after retry RPC after error@683610023) -> (continuation of Deferred@1524561648 after retry RPC after error@536367732) -> (continuation of Deferred@712153672 after retry RPC after error@23484913) -> (continuation of Deferred@1822428066 after retry RPC after error@80644961), errback=(continuation of Deferred@1364209305 after retry RPC after error@1902091760) -> (continuation of Deferred@1611313267 after retry RPC after error@683610023) -> (continuation of Deferred@1524561648 after retry RPC after error@536367732) -> (continuation of Deferred@712153672 after retry RPC after error@23484913) -> (continuation of Deferred@1822428066 after retry RPC after error@80644961)))
```

The following error was also observed on the master:
```
I1223 15:28:22.020306 237490176 secure_stream.cc:546] SECURE[S] kHandshake { local: 127.0.0.1:7100 remote: 127.0.0.1:56103 }: Handshake failed: Network error (yb/rpc/secure_stream.cc:674): Handshake failed: peer did not return a certificate, address: 127.0.0.1, hostname:
```

Reviewers: bogdan, sergei, sanketh

Reviewed By: sanketh

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10207
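The master log line quoted in the test plan is the server-side signal that a client connected to an mTLS-enabled cluster without presenting a certificate. As an added example (not part of this commit or of the YugabyteDB code base), the following triage script finds such handshake failures in master logs and groups them by peer; the function name and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# glog prefix plus the secure_stream handshake message, in the shape of the
# master log line quoted in the commit message.
LINE_RE = re.compile(
    r"^(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+\d+ "
    r"(?P<src>[\w.]+:\d+)\] SECURE\[\w\] kHandshake "
    r"\{ local: (?P<local>\S+) remote: (?P<remote>\S+) \}: "
    r"Handshake failed: (?P<reason>.*)$"
)
MISSING_CERT = "peer did not return a certificate"

def missing_client_cert_peers(lines):
    """Count handshakes rejected for a missing client certificate, keyed by
    (local endpoint, remote host). The remote port is dropped because it is
    ephemeral and changes on every client retry."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or MISSING_CERT not in m["reason"]:
            continue
        remote_host = m["remote"].rsplit(":", 1)[0]
        counts[(m["local"], remote_host)] += 1
    return counts

_PREFIX = "secure_stream.cc:546] SECURE[S] kHandshake "
_NO_CERT = ("Handshake failed: Network error (yb/rpc/secure_stream.cc:674): "
            "Handshake failed: peer did not return a certificate, ")
SAMPLE_LOG = [
    # Line 1 is the one quoted in the commit message; the rest are constructed.
    "I1223 15:28:22.020306 237490176 " + _PREFIX
    + "{ local: 127.0.0.1:7100 remote: 127.0.0.1:56103 }: "
    + _NO_CERT + "address: 127.0.0.1, hostname: ",
    "I1223 15:28:23.131207 237490176 " + _PREFIX
    + "{ local: 127.0.0.1:7100 remote: 127.0.0.1:56104 }: "
    + _NO_CERT + "address: 127.0.0.1, hostname: ",
    "I1223 15:29:02.500112 237490176 " + _PREFIX
    + "{ local: 10.0.0.1:7100 remote: 10.0.0.5:41822 }: "
    + _NO_CERT + "address: 10.0.0.5, hostname: ",
    "I1223 15:29:03.000001 237490176 " + _PREFIX
    + "{ local: 10.0.0.1:7100 remote: 10.0.0.6:50001 }: "
    + "Handshake failed: constructed unrelated failure reason",
    "I1223 15:29:04.000002 237490176 example.cc:1] constructed unrelated line",
]

if __name__ == "__main__":
    for (local, host), n in missing_client_cert_peers(SAMPLE_LOG).most_common():
        print(f"{host} -> {local}: {n} handshake(s) without a client certificate")
```

A steady count from one host usually points at a client that was not given `--clientCertFile` and `--clientKey` and is retrying, which is the failing case in the test plan.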
Showing 20 changed files with 405 additions and 52 deletions.