AMBARI-24776. Allow the agent's SSL certificate data to be accessible by heartbeat handlers (amagyar) #2457
… by heartbeat handlers (amagyar)
Refer to this link for build results (access rights to CI server needed):
retest this please
Refer to this link for build results (access rights to CI server needed):
@mpapirkovskyy, can you review this? I think you have been working with this interface for a while.
I have a few design-related discussion points:
Do we really need a transient shared secret? If yes, we should consider another key regeneration strategy which will also allow decrypting older configs.
@mpapirkovskyy, thanks for taking a look.

1. Why not allow the agent to encrypt the shared secret itself before storing? Data transfer is already encrypted and we will need agent logic anyway. But this is a matter of taste.

This is a great idea. Initially, I was under the impression that the agent wrote the command.json file out to disk before looking at it. However, if the agent processes the file (which I think is a newer concept), then going this route would be ideal for many reasons.

2. Transient shared secret will add a lot of complexities in the server restart process:

This is a newer concept that I was not aware of. Thanks for pointing it out.

@zeroflag, with this information in mind, let's rethink the architecture.
Let's rethink this...
What changes were proposed in this pull request?
The agent's certificate should be accessible from the heartbeat controller. The public key may be used to encrypt data for the agent.
We get the certificate from the servlet request in a HandshakeInterceptor and store it in a map which is accessible via headerAccessor.getSessionAttributes().
How was this patch tested?
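
The mechanism the description outlines, sketched as an added example (this is not the code from the pull request): a Spring `HandshakeInterceptor` copies the client certificate from the servlet request into the WebSocket session attributes, and a handler later reads it back through `headerAccessor.getSessionAttributes()`. The class name, the `agentCertificate` attribute key and the `agentPublicKey` helper are hypothetical, and the `javax.servlet` namespace is assumed.

```java
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;

import javax.servlet.http.HttpServletRequest;

import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.server.HandshakeInterceptor;

public class AgentCertificateInterceptor implements HandshakeInterceptor {
  // Hypothetical session-attribute key; not taken from the pull request.
  static final String AGENT_CERT_ATTR = "agentCertificate";
  // Standard servlet attribute holding the client's TLS certificate chain.
  private static final String SERVLET_CERT_ATTR = "javax.servlet.request.X509Certificate";

  @Override
  public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
      WebSocketHandler wsHandler, Map<String, Object> attributes) {
    if (request instanceof ServletServerHttpRequest) {
      HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
      Object chain = servletRequest.getAttribute(SERVLET_CERT_ATTR);
      // The attribute is only set when the TLS handshake included a client certificate.
      if (chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0) {
        // Index 0 is the client's own (leaf) certificate; the rest are issuers.
        attributes.put(AGENT_CERT_ATTR, ((X509Certificate[]) chain)[0]);
      }
    }
    return true; // assumption: client-certificate enforcement is left to the TLS connector
  }

  @Override
  public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
      WebSocketHandler wsHandler, Exception exception) {
    // Nothing to clean up.
  }

  /** Called from a message handler: empty when the session carries no agent certificate. */
  static Optional<PublicKey> agentPublicKey(SimpMessageHeaderAccessor headerAccessor) {
    Map<String, Object> session = headerAccessor.getSessionAttributes();
    Object cert = session == null ? null : session.get(AGENT_CERT_ATTR);
    return cert instanceof X509Certificate
        ? Optional.of(((X509Certificate) cert).getPublicKey())
        : Optional.empty();
  }
}
```

Callers should treat an empty result as "no agent identity on this session" and skip encryption for that session.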