Posted to issues@ozone.apache.org by "Ethan Rose (Jira)" <ji...@apache.org> on 2021/10/20 20:38:09 UTC

[jira] [Updated] (HDDS-2731) Certificate Revocation Support for Ozone CA

     [ https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ethan Rose updated HDDS-2731:
-----------------------------
    Target Version/s: 1.3.0  (was: 1.2.0)

I am managing the 1.2.0 release and we currently have more than 600 issues targeted for 1.2.0. I am moving the target field to 1.3.0.

If you are actively working on this jira and believe this should be targeted for the 1.2.0 release, please reach out to me via Apache email or Slack.

> Certificate Revocation Support for Ozone CA
> -------------------------------------------
>
>                 Key: HDDS-2731
>                 URL: https://issues.apache.org/jira/browse/HDDS-2731
>             Project: Apache Ozone
>          Issue Type: Improvement
>            Reporter: Marton Elek
>            Assignee: Xiaoyu Yao
>            Priority: Major
>         Attachments: Certificate Revocation Support for Ozone CA.rtf, Ozone SCM CA Key_Certificate Rotation - HDDS-2731.pdf, Ozone SCM CA Key_Certificate Rotation V2.pdf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes takes place over the TLS protocol, that is, through issued security artifacts, i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These certificates reside in SCM storage. The "known and trusted" data nodes are provisioned with corresponding certificates and, for smooth communication in the system, these certificates are also stored in the client certificate cache.
> The problem is, once these certificates are invalidated on SCM, whether by an admin, by expiry, or by the cert rotation process (future), these certs are not removed or invalidated in the Data Node's local cache. This means that tokens issued by Ozone Manager (OM) can still be used to access blocks from Data Nodes, since the client certificate cache still holds the invalidated certificate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
