You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ozone.apache.org by sa...@apache.org on 2023/04/04 07:15:29 UTC

[ozone] branch master updated: HDDS-8135. Incorrect synchronization during certificate renewal in DefaultCertificateClient. (#4381)

This is an automated email from the ASF dual-hosted git repository.

sammichen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new e22a8f6103 HDDS-8135. Incorrect synchronization during certificate renewal in DefaultCertificateClient. (#4381)
e22a8f6103 is described below

commit e22a8f610390df8589dbacbe6e6be2a64044e19f
Author: Istvan Fajth <fa...@gmail.com>
AuthorDate: Tue Apr 4 09:15:23 2023 +0200

    HDDS-8135. Incorrect synchronization during certificate renewal in DefaultCertificateClient. (#4381)
---
 .../client/DefaultCertificateClient.java           | 29 ++++++++--------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 97c07f4e10..ade505d3f8 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -53,8 +53,6 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Consumer;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -122,20 +120,11 @@ public abstract class DefaultCertificateClient implements CertificateClient {
   private KeyStoresFactory serverKeyStoresFactory;
   private KeyStoresFactory clientKeyStoresFactory;
 
-  // Lock to protect the certificate renew process, to make sure there is only
-  // one renew process is ongoing at one time.
-  // Certificate renew steps:
-  //  1. generate new keys and sign new certificate, persist all data to disk
-  //  2. switch on disk new keys and certificate with current ones
-  //  3. save new certificate ID into service VERSION file
-  //  4. refresh in memory certificate ID and reload all new certificates
-  private Lock renewLock = new ReentrantLock();
-
   private ScheduledExecutorService executorService;
   private Consumer<String> certIdSaveCallback;
   private Runnable shutdownCallback;
   private SCMSecurityProtocolClientSideTranslatorPB scmSecurityProtocolClient;
-  private Set<CertificateNotification> notificationReceivers;
+  private final Set<CertificateNotification> notificationReceivers;
   private static UserGroupInformation ugi;
 
   protected DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
@@ -935,7 +924,8 @@ public abstract class DefaultCertificateClient implements CertificateClient {
   @Override
   public synchronized void close() throws IOException {
     if (executorService != null) {
-      executorService.shutdown();
+      executorService.shutdownNow();
+      executorService = null;
     }
 
     if (serverKeyStoresFactory != null) {
@@ -1249,9 +1239,14 @@ public abstract class DefaultCertificateClient implements CertificateClient {
 
     @Override
     public void run() {
-
-      renewLock.lock();
-      try {
+      // Lock to protect the certificate renew process, to make sure there is
+      // only one renew process is ongoing at one time.
+      // Certificate renew steps:
+      //  1. generate new keys and sign new certificate, persist data to disk
+      //  2. switch on disk new keys and certificate with current ones
+      //  3. save new certificate ID into service VERSION file
+      //  4. refresh in memory certificate ID and reload all new certificates
+      synchronized (DefaultCertificateClient.class) {
         X509Certificate currentCert = getCertificate();
         Duration timeLeft = timeBeforeExpiryGracePeriod(currentCert);
         if (timeLeft.isZero()) {
@@ -1288,8 +1283,6 @@ public abstract class DefaultCertificateClient implements CertificateClient {
           notificationReceivers.forEach(r -> r.notifyCertificateRenewed(
               certClient, currentCert.getSerialNumber().toString(), newCertId));
         }
-      } finally {
-        renewLock.unlock();
       }
     }
   }


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@ozone.apache.org
For additional commands, e-mail: commits-help@ozone.apache.org