Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2023/01/07 01:20:00 UTC

[jira] [Commented] (HDDS-7708) No check for certificate duration config scenarios

    [ https://issues.apache.org/jira/browse/HDDS-7708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17655618#comment-17655618 ] 

István Fajth commented on HDDS-7708:
------------------------------------

Hi [~ssulav],

This one went under my radar, but after the fact I would still like to add a note here.

I agree with most of the things: we should not allow negative days, and we should not allow a certificate that is valid longer than the max value; that is great to add. The grace period is the same: we should not allow it to go negative, but I believe 0 and arbitrarily large values for the grace period come in handy, especially for testing, not for real use cases.

Two scenarios where it is handy:
- Checking renewal after certificates have expired. For this you would need a grace period of 0, so any renewal can happen just after expiration for sure.
- Checking renewal right after the system has initialized itself. For this you would need a grace period longer than the certificate lifetime, so that certs are renewable by the next restart, which does not need to wait for anything else.

Let me know if you disagree; if you agree, then I will create a new JIRA to ease these checks a bit.

> No check for certificate duration config scenarios
> --------------------------------------------------
>
>                 Key: HDDS-7708
>                 URL: https://issues.apache.org/jira/browse/HDDS-7708
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: SCM
>    Affects Versions: 1.3.0
>            Reporter: Soumitra Sulav
>            Assignee: Ashish Kumar
>            Priority: Critical
>              Labels: pki, pull-request-available
>             Fix For: 1.4.0
>
>
> *Issue :*
> While validating the config duration with multiple negative scenarios, below were the observations:
> - Config duration accepts 0D as the duration.
> - Config duration accepts negative days -1D as the duration.
> - No check was added for the hdds.x509.renew.grace.duration value.
> - The only check available currently is for hdds.x509.default.duration not greater than hdds.x509.max.duration.
> - The logging message is wrong and the config order is reversed.
> Scenarios Tried :
> Unnatural sequence
>     Max = 0 | Def = 2 | Grace = 1 | Failed
>     Max = 5 | Def = 0 | Grace = 1 | Restarted
>     Max = 5 | Def = 2 | Grace = 0 | Restarted
>     Max = 5 | Def = 6 | Grace = 1 | Failed
>     Max = 5 | Def = 2 | Grace = 3 | Restarted
>     Max = 5 | Def = 2 | Grace = 6 | Restarted
> Negative values
>     Max = -5 | Def = 2 | Grace = 1 | Failed
>     Max = 5 | Def = -2 | Grace = 1 | Restarted
>     Max = 5 | Def = 2 | Grace = -1 | Restarted
> Fractional values
>     Max = 5.25 | Def = 2 | Grace = 1 | Failed
>     Max = 5 | Def = 2.5 | Grace = 1 | Failed
>     Max = 5 | Def = 2 | Grace = 1.75 | Failed
> The scenarios where the restart could go through should have actually failed to start.
> +Error with Logging Message.+
> Scenario 1 where Max Duration is 0D and Default Duration is 2D.
> *Stacktrace :*
> [root@quasar-gvwabo-2 ~]# vim /var/log/hadoop-ozone/ozone-scm.log
> 2022-12-22 08:57:25,296 ERROR org.apache.hadoop.hdds.security.x509.SecurityConfig: Certificate duration PT0S should not be greater than Maximum Certificate duration PT48H


