You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2022/09/14 04:00:07 UTC
[GitHub] [ozone] ChenSammi opened a new pull request, #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
ChenSammi opened a new pull request, #3752:
URL: https://github.com/apache/ozone/pull/3752
https://issues.apache.org/jira/browse/HDDS-7220
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] adoroszlai commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
adoroszlai commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r972788263
##########
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java:
##########
@@ -788,45 +788,45 @@ private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
final CertificateServer scmCertificateServer;
final CertificateServer rootCertificateServer;
+
+ // Start specific instance SCM CA server.
+ String subject = SCM_SUB_CA_PREFIX +
+ InetAddress.getLocalHost().getHostName();
+ if (configurator.getCertificateServer() != null) {
+ scmCertificateServer = configurator.getCertificateServer();
+ } else {
+ scmCertificateServer = new DefaultCAServer(subject,
+ scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+ certificateStore, new DefaultProfile(),
+ scmCertificateClient.getComponentName());
+ // INTERMEDIARY_CA which issues certs to DN and OM.
+ scmCertificateServer.init(new SecurityConfig(configuration),
+ CertificateServer.CAType.INTERMEDIARY_CA);
+ }
+
// If primary SCM node Id is set it means this is a cluster which has
// performed init with SCM HA version code.
if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
- // Start specific instance SCM CA server.
- String subject = SCM_SUB_CA_PREFIX +
- InetAddress.getLocalHost().getHostName();
- if (configurator.getCertificateServer() != null) {
- scmCertificateServer = configurator.getCertificateServer();
- } else {
- scmCertificateServer = new DefaultCAServer(subject,
- scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
- certificateStore, new DefaultProfile(),
- scmCertificateClient.getComponentName());
- // INTERMEDIARY_CA which issues certs to DN and OM.
- scmCertificateServer.init(new SecurityConfig(configuration),
- CertificateServer.CAType.INTERMEDIARY_CA);
- }
-
if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
if (configurator.getCertificateServer() != null) {
rootCertificateServer = configurator.getCertificateServer();
} else {
rootCertificateServer =
- HASecurityUtils.initializeRootCertificateServer(
- conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
+ HASecurityUtils.initializeRootCertificateServer(conf,
+ certificateStore, scmStorageConfig, new DefaultCAProfile());
}
persistPrimarySCMCerts();
} else {
rootCertificateServer = null;
}
} else {
- // On a upgraded cluster primary scm nodeId will not be set as init will
- // not be run again after upgrade. So for a upgraded cluster where init
- // has not happened again we will have setup like before where it has
+ // On an upgraded cluster primary scm nodeId will not be set as init will
+ // not be run again after upgrade. So for an upgraded cluster where init
+ // has not happened again we will have to set up like before where it has
// one CA server which is issuing certificates to DN and OM.
Review Comment:
This comment no longer seems to be true, as now will have two servers, root-CA and sub-CA.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] ChenSammi commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
ChenSammi commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r999086427
##########
hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config:
##########
@@ -35,6 +35,7 @@ OZONE-SITE.XML_hdds.grpc.tls.enabled=true
OZONE-SITE.XML_ozone.replication=3
OZONE-SITE.XML_ozone.datanode.pipeline.limit=1
OZONE-SITE.XML_hdds.scmclient.max.retry.timeout=30s
+OZONE-SITE.XML_ozone.scm.ratis.enable=false
Review Comment:
Right, this ozonesecure directory is supposed for the non-HA case. There is another ozonesecure-ha directory for the HA case.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] fapifta commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
fapifta commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r998057933
##########
hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config:
##########
@@ -35,6 +35,7 @@ OZONE-SITE.XML_hdds.grpc.tls.enabled=true
OZONE-SITE.XML_ozone.replication=3
OZONE-SITE.XML_ozone.datanode.pipeline.limit=1
OZONE-SITE.XML_hdds.scmclient.max.retry.timeout=30s
+OZONE-SITE.XML_ozone.scm.ratis.enable=false
Review Comment:
Unsure if we really need these here, what is the reason to disable ratis for this docker env and for the non-HA one?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] ChenSammi merged pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
ChenSammi merged PR #3752:
URL: https://github.com/apache/ozone/pull/3752
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] ChenSammi commented on pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
ChenSammi commented on PR #3752:
URL: https://github.com/apache/ozone/pull/3752#issuecomment-1293209785
Thanks @fapifta for the code review. I will merge it since CI is green now.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] ChenSammi commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
ChenSammi commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r984219250
##########
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java:
##########
@@ -788,45 +788,45 @@ private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
final CertificateServer scmCertificateServer;
final CertificateServer rootCertificateServer;
+
+ // Start specific instance SCM CA server.
+ String subject = SCM_SUB_CA_PREFIX +
+ InetAddress.getLocalHost().getHostName();
+ if (configurator.getCertificateServer() != null) {
+ scmCertificateServer = configurator.getCertificateServer();
+ } else {
+ scmCertificateServer = new DefaultCAServer(subject,
+ scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+ certificateStore, new DefaultProfile(),
+ scmCertificateClient.getComponentName());
+ // INTERMEDIARY_CA which issues certs to DN and OM.
+ scmCertificateServer.init(new SecurityConfig(configuration),
+ CertificateServer.CAType.INTERMEDIARY_CA);
+ }
+
// If primary SCM node Id is set it means this is a cluster which has
// performed init with SCM HA version code.
if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
- // Start specific instance SCM CA server.
- String subject = SCM_SUB_CA_PREFIX +
- InetAddress.getLocalHost().getHostName();
- if (configurator.getCertificateServer() != null) {
- scmCertificateServer = configurator.getCertificateServer();
- } else {
- scmCertificateServer = new DefaultCAServer(subject,
- scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
- certificateStore, new DefaultProfile(),
- scmCertificateClient.getComponentName());
- // INTERMEDIARY_CA which issues certs to DN and OM.
- scmCertificateServer.init(new SecurityConfig(configuration),
- CertificateServer.CAType.INTERMEDIARY_CA);
- }
-
if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
if (configurator.getCertificateServer() != null) {
rootCertificateServer = configurator.getCertificateServer();
} else {
rootCertificateServer =
- HASecurityUtils.initializeRootCertificateServer(
- conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
+ HASecurityUtils.initializeRootCertificateServer(conf,
+ certificateStore, scmStorageConfig, new DefaultCAProfile());
}
persistPrimarySCMCerts();
} else {
rootCertificateServer = null;
}
} else {
- // On a upgraded cluster primary scm nodeId will not be set as init will
- // not be run again after upgrade. So for a upgraded cluster where init
- // has not happened again we will have setup like before where it has
+ // On an upgraded cluster primary scm nodeId will not be set as init will
+ // not be run again after upgrade. So for an upgraded cluster where init
+ // has not happened again we will have to set up like before where it has
// one CA server which is issuing certificates to DN and OM.
Review Comment:
Test the non-HA upgrade locally with single node cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
[GitHub] [ozone] ChenSammi commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled
Posted by GitBox <gi...@apache.org>.
ChenSammi commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r978269760
##########
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java:
##########
@@ -788,45 +788,45 @@ private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
final CertificateServer scmCertificateServer;
final CertificateServer rootCertificateServer;
+
+ // Start specific instance SCM CA server.
+ String subject = SCM_SUB_CA_PREFIX +
+ InetAddress.getLocalHost().getHostName();
+ if (configurator.getCertificateServer() != null) {
+ scmCertificateServer = configurator.getCertificateServer();
+ } else {
+ scmCertificateServer = new DefaultCAServer(subject,
+ scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+ certificateStore, new DefaultProfile(),
+ scmCertificateClient.getComponentName());
+ // INTERMEDIARY_CA which issues certs to DN and OM.
+ scmCertificateServer.init(new SecurityConfig(configuration),
+ CertificateServer.CAType.INTERMEDIARY_CA);
+ }
+
// If primary SCM node Id is set it means this is a cluster which has
// performed init with SCM HA version code.
if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
- // Start specific instance SCM CA server.
- String subject = SCM_SUB_CA_PREFIX +
- InetAddress.getLocalHost().getHostName();
- if (configurator.getCertificateServer() != null) {
- scmCertificateServer = configurator.getCertificateServer();
- } else {
- scmCertificateServer = new DefaultCAServer(subject,
- scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
- certificateStore, new DefaultProfile(),
- scmCertificateClient.getComponentName());
- // INTERMEDIARY_CA which issues certs to DN and OM.
- scmCertificateServer.init(new SecurityConfig(configuration),
- CertificateServer.CAType.INTERMEDIARY_CA);
- }
-
if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
if (configurator.getCertificateServer() != null) {
rootCertificateServer = configurator.getCertificateServer();
} else {
rootCertificateServer =
- HASecurityUtils.initializeRootCertificateServer(
- conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
+ HASecurityUtils.initializeRootCertificateServer(conf,
+ certificateStore, scmStorageConfig, new DefaultCAProfile());
}
persistPrimarySCMCerts();
} else {
rootCertificateServer = null;
}
} else {
- // On a upgraded cluster primary scm nodeId will not be set as init will
- // not be run again after upgrade. So for a upgraded cluster where init
- // has not happened again we will have setup like before where it has
+ // On an upgraded cluster primary scm nodeId will not be set as init will
+ // not be run again after upgrade. So for an upgraded cluster where init
+ // has not happened again we will have to set up like before where it has
// one CA server which is issuing certificates to DN and OM.
Review Comment:
Thanks @adoroszlai , let me see if we can add a acceptance test for upgrade in secure cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org