Posted to issues@ozone.apache.org by "Xiaoyu Yao (Jira)" <ji...@apache.org> on 2020/06/11 21:57:00 UTC

[jira] [Commented] (HDDS-1976) Ozone manager init fails when certificate is missing in a kerberized cluster

    [ https://issues.apache.org/jira/browse/HDDS-1976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17133727#comment-17133727 ] 

Xiaoyu Yao commented on HDDS-1976:
----------------------------------

This is an intentional design to handle recovery of OM more seriously than the certificate client for DN. In the case of DN, if you have a matching pair of keys, recovery will lead to getting a new certificate with the existing keys. In the case of OM, the admin has to clean up the keys along with the certificate, if any, to reinitialize security for OM.

> Ozone manager init fails when certificate is missing in a kerberized cluster
> ----------------------------------------------------------------------------
>
>                 Key: HDDS-1976
>                 URL: https://issues.apache.org/jira/browse/HDDS-1976
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: Security
>            Reporter: Vivek Ratnavel Subramanian
>            Assignee: Anu Engineer
>            Priority: Major
>              Labels: TriagePending
>
> When Ozone Manager gets into a state where certificate is missing, it does not try to recover by creating a certificate.
> {code:java}
> 3:30:48.620 PM INFO OzoneManager Initializing secure OzoneManager. 
> 3:30:49.788 PM INFO OMCertificateClient Loading certificate from location:/var/lib/hadoop-ozone/om/data/certs. 
> 3:30:49.896 PM INFO OMCertificateClient Added certificate from file:/var/lib/hadoop-ozone/om/data/certs/8136899895890.crt. 
> 3:30:49.904 PM INFO OMCertificateClient Added certificate from file:/var/lib/hadoop-ozone/om/data/certs/CA-1.crt. 
> 3:30:49.930 PM ERROR OMCertificateClient Default certificate serial id is not set. Can't locate the default certificate for this client. 
> 3:30:49.930 PM INFO OMCertificateClient Certificate client init case: 6
> 3:30:49.932 PM INFO OMCertificateClient Found private and public key but certificate is missing. 
> 3:30:50.194 PM INFO OzoneManager Init response: RECOVER 
> 3:30:50.230 PM ERROR OzoneManager OM security initialization failed. OM certificate is missing.
> {code}


