MuTual | A Dataset for Multi-Turn Dialogue Reasoning | Natural Language Processing library

Do you want this?

So is there any way to acquire those locks only if all of them are available?

No. Not with standard library mutex at least. There is no way to "check" if a lock is available, or "try" acquiring a lock. Every call of Lock() will block until locking is successful.

The implementation of mutex relies on atomic operations which only act on a single value at once. In order to achieve what you describe, you'd need some kind of "meta locking" where execution of the lock and unlock methods are themselves protected by a lock, but this probably isn't necessary just to have correct and safe locking in your program:

Penelope Stevens' comment explains correctly: As long as the order of acquisition is consistent between different goroutines, you won't get deadlocks, even for arbitrary subsets of the locks, if each goroutine eventually releases the locks it acquires.

If the structure of your program provides some obvious locking order, then use that. If not, you can create your own special mutex type that has intrinsic ordering.

This problem was resolved by programmatically setting encryptionUser parameter to already parsed and built (from policy.xml) RampartConfig object inside Policy object. Build Policy object from configuration file, then go through the Assertions, find RamparConfig object among them and set the property.

OK, finally I've solved it. The key point here is the part of DestinationRule spec, which says:

• credentialName -> NOTE: This field is currently applicable only at gateways. Sidecars will continue to use the certificate paths.

So I've modified the following manifests:

client deployment of sleep.yml (to mount certs)

As I found out at a similar question here on SO, I did a bad mistake. Apparently, it's not a good idea to perform the signIn- or createUser-functionality on server side. This should be done on client side. In the question mentioned above are some good reasons for doing that on server side but in my case it's quite ok to run it on client side.

Thanks to Frank van Puffelen for leading the way (see one of the comments in the question mentioned above).

I found your point there and here is the answer, one paragraph before

Because the same self-signed certificate is used in this example, ensure that only your certificate can be used.

for some reason they chose to use same certificate for server and client (maybe for simplicity?) which is indeed a *BAD* practice in real world. Sharing same certificate between different entities never was a good idea. Client and server certificates must be different.

Certificate-based client authentication is more difficult, because you need to have a an account directory to validate client certificate against. For example, Active Directory. This directory should implement certificate <-> principal mapping. When you receive the certificate, you search for principal in directory and if found, you can uniquely distinguish clients, validate their permissions, rights and perform logging.

If no mapping found -- reject authentication, because you don't know the client.

If you don't care in distinguishing clients, then you clearly don't need mutual authentication.

And never hardcore client certificates/thumbprints in code, because they are periodically changed, therefore external account directory (which is updated using out-of-band process) is necessary.

Though, you can implement the logic when arbitrary clients can connect to your server only when they have certificate issued by your private CA. It is valid scenario. In this case, you don't need external account directory and you validate that client certificate is issued by exact, or by one of pre-defined CAs in the list, then you allow subsequent communication. But they still are anonymous to your system.

Edits based on your additions:

If your case fits last paragraph, then:

• validate general chain (i.e. time validity, extensions, revocation, etc.)
• validate that immediate issuer is in the explicit list of approved by you CAs (private)

The answer is no to both questions. The elasticsearch output support client certificates (using the keystore option) and non-name-matched certificates (through the ssl_certificate_verification option) but the input supports neither.

I'd use a property:

I believe the problem might be related to this code: