Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2022/09/16 08:56:35 UTC

[GitHub] [ozone] adoroszlai commented on a diff in pull request #3752: HDDS-7220. SCM should use sub-ca certificate for token signature without HA enabled

adoroszlai commented on code in PR #3752:
URL: https://github.com/apache/ozone/pull/3752#discussion_r972788263


##########
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java:
##########
@@ -788,45 +788,45 @@ private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
 
     final CertificateServer scmCertificateServer;
     final CertificateServer rootCertificateServer;
+
+    // Start specific instance SCM CA server.
+    String subject = SCM_SUB_CA_PREFIX +
+        InetAddress.getLocalHost().getHostName();
+    if (configurator.getCertificateServer() != null) {
+      scmCertificateServer = configurator.getCertificateServer();
+    } else {
+      scmCertificateServer = new DefaultCAServer(subject,
+          scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+          certificateStore, new DefaultProfile(),
+          scmCertificateClient.getComponentName());
+      // INTERMEDIARY_CA which issues certs to DN and OM.
+      scmCertificateServer.init(new SecurityConfig(configuration),
+          CertificateServer.CAType.INTERMEDIARY_CA);
+    }
+
     // If primary SCM node Id is set it means this is a cluster which has
     // performed init with SCM HA version code.
     if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
-      // Start specific instance SCM CA server.
-      String subject = SCM_SUB_CA_PREFIX +
-          InetAddress.getLocalHost().getHostName();
-      if (configurator.getCertificateServer() != null) {
-        scmCertificateServer = configurator.getCertificateServer();
-      } else {
-        scmCertificateServer = new DefaultCAServer(subject,
-            scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
-            certificateStore, new DefaultProfile(),
-            scmCertificateClient.getComponentName());
-        // INTERMEDIARY_CA which issues certs to DN and OM.
-        scmCertificateServer.init(new SecurityConfig(configuration),
-            CertificateServer.CAType.INTERMEDIARY_CA);
-      }
-
       if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
         if (configurator.getCertificateServer() != null) {
           rootCertificateServer = configurator.getCertificateServer();
         } else {
           rootCertificateServer =
-              HASecurityUtils.initializeRootCertificateServer(
-              conf, certificateStore, scmStorageConfig, new DefaultCAProfile());
+              HASecurityUtils.initializeRootCertificateServer(conf,
+                  certificateStore, scmStorageConfig, new DefaultCAProfile());
         }
         persistPrimarySCMCerts();
       } else {
         rootCertificateServer = null;
       }
     } else {
-      // On a upgraded cluster primary scm nodeId will not be set as init will
-      // not be run again after upgrade. So for a upgraded cluster where init
-      // has not happened again we will have setup like before where it has
+      // On an upgraded cluster primary scm nodeId will not be set as init will
+      // not be run again after upgrade. So for an upgraded cluster where init
+      // has not happened again we will have to set up like before where it has
       // one CA server which is issuing certificates to DN and OM.

Review Comment:
   This comment no longer seems to be true, as now we will have two servers, root-CA and sub-CA.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
For additional commands, e-mail: issues-help@ozone.apache.org