Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/10/12 12:38:16 UTC

[GitHub] [ozone] Xushaohong commented on pull request #2686: HDDS-5686. Support transfer leadership in raft based ha cluster

Xushaohong commented on pull request #2686:
URL: https://github.com/apache/ozone/pull/2686#issuecomment-940973319


   > > > I am not sure if the cmd does any authentication/security validation here. The raft client is directly talking to the raft server. We need to fit the cmd to the security model in Ozone.
   > > > cc @bharatviswa504
   > > 
   > > 
   > > This implementation looks a little tricky, it's indeed directly talking to the raft server. I agree that authentication/security should be added in the future. : )
   > 
   > One idea might be similar to DN: contact OM and get the list of CAs, and use that in setting up the raft client. And we can make this an admin command, and in a secure cluster we need a Kerberos ticket to run this command.
   > 
   > For the security question, we can solve it this way. And also we need this security/authorization implemented, otherwise this command cannot work in a secure cluster.
   > 
   > Sample code:
   > 
   > ```
   >     final GrpcTlsConfig tlsConfig = RatisHelper.createTlsClientConfig(new
   >         SecurityConfig(ozoneConf), caCerts);
   > ```
   > 
   > And use this tlsConfig when creating RaftClient. Here caCerts is obtained from the OM getServiceList call. You can refer to RpcClient and XceiverClientManager for this.
   
   
   @bharatviswa504 PSTK~ Thx


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


