Posted to issues@ozone.apache.org by "Bharat Viswanadham (Jira)" <ji...@apache.org> on 2021/03/31 16:18:00 UTC
[jira] [Comment Edited] (HDDS-4915) [SCM HA Security] Integrate CertClient
[ https://issues.apache.org/jira/browse/HDDS-4915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17312505#comment-17312505 ]
Bharat Viswanadham edited comment on HDDS-4915 at 3/31/21, 4:17 PM:
--------------------------------------------------------------------
*Tested the following scenarios:*

*Scenario 1:*
docker-compose up
Kill the leader SCM

*Test*
kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm2.org@EXAMPLE.COM
ozone admin pipeline list
ozone sh volume create /vol1
ozone sh bucket create /vol1/buck1
ozone sh key put /vol1/buck1/key1 /etc/hadoop/core-site.xml
ozone sh key list /vol1/buck1
ozone sh key get /vol1/buck1/key1 /tmp/key1
diff /tmp/key1 /etc/hadoop/core-site.xml

*Scenario 2:*
OM1 got its cert from SCM1.
OM2/OM3 got their certs from the new SCM leader, and datanode1/datanode2/datanode3 got their certs from SCM1.
docker-compose up --build kdc kms scm1.org scm2.org scm3.org
docker-compose up --build om1
docker-compose up --build datanode1 datanode2 datanode3
docker ps | grep "scm1.org" | cut -d ' ' -f 1
docker stop <<containerid>>
docker-compose up --build om2 om3
Log in to scm2:
docker ps | grep "scm2.org" | cut -d ' ' -f 1
docker exec -it <<containerid>> bash

*Test*
kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm2.org@EXAMPLE.COM
ozone admin pipeline list
(Check that the 3-node Ratis pipeline is in the OPEN state)
ozone sh volume create /vol1
ozone sh bucket create /vol1/buck1
ozone sh key put /vol1/buck1/key1 /etc/hadoop/core-site.xml
ozone sh key list /vol1/buck1
ozone sh key get /vol1/buck1/key1 /tmp/key1
diff /tmp/key1 /etc/hadoop/core-site.xml

*Scenario 3:*
OM1/datanode1 got their certs from SCM1.
OM2/OM3 got their certs from the new SCM leader, and datanode2/datanode3 got their certs from the new SCM leader.
docker-compose up --build kdc kms scm1.org scm2.org scm3.org
docker-compose up --build om1 datanode1
docker ps | grep "scm1.org" | cut -d ' ' -f 1
docker stop <<containerid>>
docker-compose up --build om2 om3 datanode2 datanode3
Log in to scm2:
docker ps | grep "scm2.org" | cut -d ' ' -f 1
docker exec -it <<containerid>> bash

*Test*
kinit -kt /etc/security/keytabs/testuser.keytab testuser/scm2.org@EXAMPLE.COM
ozone admin pipeline list
(Check that the 3-node Ratis pipeline is in the OPEN state)
ozone sh volume create /vol1
ozone sh bucket create /vol1/buck1
ozone sh key put /vol1/buck1/key1 /etc/hadoop/core-site.xml
ozone sh key list /vol1/buck1
ozone sh key get /vol1/buck1/key1 /tmp/key1
diff /tmp/key1 /etc/hadoop/core-site.xml
> [SCM HA Security] Integrate CertClient
> --------------------------------------
>
> Key: HDDS-4915
> URL: https://issues.apache.org/jira/browse/HDDS-4915
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Bharat Viswanadham
> Assignee: Bharat Viswanadham
> Priority: Major
> Labels: pull-request-available
>
> *This Jira is to implement:*
> 1. Use the RootCertificate server to issue certs for SCMs.
> 2. Use scmCertificateServer to issue certs for DN/OM. (This cert server gets its own cert from the RootCertificate server.)
> 3. Start the RootCertificate server only on the primary SCM.
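The trust model the scenarios above exercise (every OM/DN cert chains through the issuing SCM's sub-CA to the single root CA on the primary SCM, so a component issued by SCM1 and one issued by the new leader still verify each other), modelled with Ruby's bundled openssl as an added example that is not Ozone's own code; the names root, scm1/scm2, om1/om2 and the helper functions are assumed for illustration.

```ruby
require 'openssl'

# Constructed example, not Ozone/HDDS-4915 code: models the CA hierarchy the scenarios
# exercise. "root" plays the RootCertificate server on the primary SCM; scm1/scm2 are the
# per-SCM scmCertificateServer sub-CAs it signs; om1 was issued by scm1 and om2 by scm2,
# the leader after scm1 was stopped.
Entity = Struct.new(:cert, :key)

# Issue a certificate for +cn+ signed by +parent+ (self-signed root when parent is nil).
def issue(cn, ca:, parent: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, so extensions are allowed
  cert.serial = rand(1 << 62)                       # demo-only serial, not a real CA policy
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = parent ? parent.cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(parent ? parent.cert : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', "CA:#{ca ? 'TRUE' : 'FALSE'}", true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,digitalSignature' : 'digitalSignature', true))
  cert.sign(parent ? parent.key : key, OpenSSL::Digest.new('SHA256'))
  Entity.new(cert, key)
end

# Does +leaf+ chain to +root+ using only the sub-CA certs the verifying peer holds?
# A peer that trusts the root but lacks the issuing SCM's cert cannot build the chain.
def trusted?(leaf, root, *sub_cas)
  store = OpenSSL::X509::Store.new
  store.add_cert(root.cert)
  store.verify(leaf.cert, sub_cas.map(&:cert))
end

# Root on the primary SCM, a sub-CA per SCM, OM1 from scm1 and OM2 from the new leader scm2.
def build_cluster
  root = issue('root', ca: true)
  scm1 = issue('scm1', ca: true, parent: root)
  scm2 = issue('scm2', ca: true, parent: root)
  { root: root, scm1: scm1, scm2: scm2,
    om1: issue('om1', ca: false, parent: scm1), om2: issue('om2', ca: false, parent: scm2) }
end

c = build_cluster
puts trusted?(c[:om1], c[:root], c[:scm1])           # true: om1 -> scm1 -> root
puts trusted?(c[:om2], c[:root], c[:scm2])           # true: om2 -> scm2 -> root
puts trusted?(c[:om2], c[:root], c[:scm1])           # false: issuer scm2 unknown to the verifier
puts trusted?(c[:om2], c[:root], c[:scm1], c[:scm2]) # true: both sub-CA certs known
```

The third call is the case Scenarios 2 and 3 guard against: a node that only learned SCM1's sub-CA cert cannot validate a cert issued by the new leader until it also receives that leader's sub-CA cert.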