Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2019/03/05 22:08:45 UTC

[GitHub] [hadoop] xiaoyuyao commented on a change in pull request #547: HDDS-594. SCM CA: DN sends CSR and uses certificate issued by SCM.

URL: https://github.com/apache/hadoop/pull/547#discussion_r262575697
 
 

 ##########
 File path: hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
 ##########
 @@ -192,6 +218,92 @@ public void start(Object service) {
     }
   }
 
+  /**
+   * Initializes secure Datanode.
+   * */
+  @VisibleForTesting
+  public void initializeCertificateClient(OzoneConfiguration config)
+      throws IOException {
+    LOG.info("Initializing secure Datanode.");
+
+    CertificateClient.InitResponse response = dnCertClient.init();
+    LOG.info("Init response: {}", response);
+    switch (response) {
+    case SUCCESS:
+      LOG.info("Initialization successful.");
+      break;
+    case GETCERT:
+      getSCMSignedCert(dnCertClient, config);
+      LOG.info("Successfully stored SCM signed certificate.");
+      break;
+    case FAILURE:
+      LOG.error("DN security initialization failed.");
+      throw new RuntimeException("DN security initialization failed.");
+    case RECOVER:
+      LOG.error("DN security initialization failed. OM certificate is " +
+          "missing.");
+      throw new RuntimeException("DN security initialization failed.");
+    default:
+      LOG.error("DN security initialization failed. Init response: {}",
+          response);
+      throw new RuntimeException("DN security initialization failed.");
+    }
+  }
+
+  /**
+   * Get SCM signed certificate and store it using certificate client.
+   * */
+  private void getSCMSignedCert(CertificateClient client,
+      OzoneConfiguration config) throws IOException {
+
+    for (EndpointStateMachine ep : datanodeStateMachine.getConnectionManager()
+        .getValues()) {
+      PKCS10CertificationRequest csr = getCSR(client, config, ep.getVersion());
+      SCMSecurityProtocol secureScmClient =
+          HddsUtils.getScmSecurityClient(config, ep.getAddress());
+
+      String pemEncodedCert = secureScmClient.getDataNodeCertificate(
+          datanodeDetails.getProtoBufMessage(), getEncodedString(csr));
+
+      try {
+        X509Certificate x509Certificate =
+            CertificateCodec.getX509Certificate(pemEncodedCert);
+        client.storeCertificate(x509Certificate);
+      } catch (IOException | CertificateException e) {
+        LOG.error("Error while storing SCM signed certificate.", e);
+        throw new RuntimeException(e);
+      }
+    }
+
+
+  }
+
+  /**
+   * Creates CSR for DN.
+   * */
+  @VisibleForTesting
+  public PKCS10CertificationRequest getCSR(CertificateClient client,
 
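Review bot: In getSCMSignedCert the certificate returned by SCM is stored without any validation: `CertificateCodec.getX509Certificate(pemEncodedCert)` is followed directly by `client.storeCertificate(x509Certificate)`. Before storing, verify that the certificate's public key matches the key in the CSR just sent and that it is signed by the SCM CA certificate the client already holds, and fail initialization otherwise; as written, whatever the endpoint hands back becomes the DN identity. Two smaller points in the same hunk: the RECOVER branch logs "OM certificate is missing" although this is Datanode code, so the message should name the DN certificate; and the for loop over `getConnectionManager().getValues()` sends a CSR and stores a certificate once per endpoint with no break, so with more than one endpoint the last response silently overwrites the earlier ones, which deserves either a break after the first success or a comment stating that a single SCM endpoint is assumed.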
 Review comment:
   You already have a setCertificateClient method for testing.
