Posted to issues@ozone.apache.org by "Sammi Chen (Jira)" <ji...@apache.org> on 2023/01/06 13:08:00 UTC
[jira] [Resolved] (HDDS-7708) No check for certificate duration config scenarios
[ https://issues.apache.org/jira/browse/HDDS-7708?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sammi Chen resolved HDDS-7708.
------------------------------
Fix Version/s: 1.4.0
Resolution: Fixed
> No check for certificate duration config scenarios
> --------------------------------------------------
>
> Key: HDDS-7708
> URL: https://issues.apache.org/jira/browse/HDDS-7708
> Project: Apache Ozone
> Issue Type: Bug
> Components: SCM
> Affects Versions: 1.3.0
> Reporter: Soumitra Sulav
> Assignee: Ashish Kumar
> Priority: Critical
> Labels: pki, pull-request-available
> Fix For: 1.4.0
>
>
> *Issue :*
> While validating the config duration with multiple negative scenarios, below were the observations:
> Config duration accepts 0D as the duration.
> Config duration accepts negative days -1D as the duration.
> No check was added for hdds.x509.renew.grace.duration value
> The only check available currently is for hdds.x509.default.duration not greater than hdds.x509.max.duration.
> The logging message is wrong and the config order is reversed.
> Scenarios Tried :
> Unnatural sequence:
> Max = 0 | Def = 2 | Grace = 1 | Failed
> Max = 5 | Def = 0 | Grace = 1 | Restarted
> Max = 5 | Def = 2 | Grace = 0 | Restarted
> Max = 5 | Def = 6 | Grace = 1 | Failed
> Max = 5 | Def = 2 | Grace = 3 | Restarted
> Max = 5 | Def = 2 | Grace = 6 | Restarted
> Negative values:
> Max = -5 | Def = 2 | Grace = 1 | Failed
> Max = 5 | Def = -2 | Grace = 1 | Restarted
> Max = 5 | Def = 2 | Grace = -1 | Restarted
> Fractional values:
> Max = 5.25 | Def = 2 | Grace = 1 | Failed
> Max = 5 | Def = 2.5 | Grace = 1 | Failed
> Max = 5 | Def = 2 | Grace = 1.75 | Failed
> The scenarios where the restart could go through should have actually failed to start.
> +Error with Logging Message.+
> Scenario 1 where Max Duration is 0D and Default Duration is 2D.
> *Stacktrace :*
> [root@quasar-gvwabo-2 ~]# vim /var/log/hadoop-ozone/ozone-scm.log
> 2022-12-22 08:57:25,296 ERROR org.apache.hadoop.hdds.security.x509.SecurityConfig: Certificate duration PT0S should not be greater than Maximum Certificate duration PT48H
--
This message was sent by Atlassian Jira
(v8.20.10#820010)