Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rpc: *almost* use tenant client certs #51498

Closed
wants to merge 5 commits into from
Closed

rpc: *almost* use tenant client certs #51498

wants to merge 5 commits into from

Conversation

tbg
Copy link
Member

@tbg tbg commented Jul 16, 2020

  • rpc: add TenantID to rpc.ContextOptions
  • security: slight test improvement
  • rpc: pass TenantID to SecurityContext to CertManager
  • security: use a single test_certs di
  • rpc: almost use tenant client certs (on tenants)

As of the last commit, tenants would use their proper tenant client certs if it
weren't for a manual override that was added.

This override exists because the KV layer can not yet authenticate
tenant client certs (this will change soon, in a follow-up to #50503).

However, uncommenting both the override and the hack in
pkg/security/securitytest/test_certs/regenerate.sh to make the tenant
client certs match those used by the KV nodes gives early validation
that this "will work" once the KV side plays ball.

Touches #47898.

tbg added 5 commits July 16, 2020 10:17
@tbg
rpc: add TenantID to rpc.ContextOptions
63287d7 
This is currently unused, but already initialized correctly: it's always
SystemTenantID except on SQL tenant servers, where it's the tenant's ID.

Release note: None
@tbg
security: slight test improvement
c3008cc 
I worried for a short while that this would always return nil, but it
does not.

Release note: None
@tbg
rpc: pass TenantID to SecurityContext to CertManager
f3a1dca 
This makes sure that a certificate manager for an `rpc.Context` for a
given tenant is aware of the tenant ID.

This is not used yet, but a new TODO (to be addressed shortly) hints
at where this will be used during dialing: when we're a tenant, use
the tenant client certs instead of the client certs.

Release note: None
@tbg
security: use a single test_certs di
ffacd15 
I had previously made sure that the multi-tenancy certs were in a
different subdirectory, but in hindsight this is not worth the
hassle.

Release note: None
@tbg
rpc: *almost* use tenant client certs (on tenants)
eefc166 
As of this commit, tenants would use their proper tenant client certs if
it weren't for a manual override that was added.

This override exists because the KV layer can not yet authenticate
tenant client certs (this will change soon, in a follow-up to cockroachdb#50503).

However, uncommenting both the override and the hack in
`pkg/security/securitytest/test_certs/regenerate.sh` to make the tenant
client certs match those used by the KV nodes gives early validation
that this "will work" once the KV side plays ball.

Touches cockroachdb#47898.

Release note: None
@tbg tbg requested a review from a team as a code owner July 16, 2020 08:18
@tbg tbg added the A-multitenancy Related to multi-tenancy label Jul 16, 2020
@tbg tbg requested a review from nvanbenschoten July 16, 2020 08:18
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@tbg
Copy link
Member Author

tbg commented Jul 16, 2020

Subsumed into #51503

@tbg tbg closed this Jul 16, 2020
@tbg tbg deleted the tenant-rpc-ctx branch July 16, 2020 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nvanbenschoten nvanbenschoten Awaiting requested review from nvanbenschoten

Assignees
No one assigned
Labels
A-multitenancy Related to multi-tenancy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tbg @cockroach-teamcity