Posted to commits@ozone.apache.org by ck...@apache.org on 2022/10/25 07:53:10 UTC

[ozone] branch ozone-1.3 updated (95514764de -> cc2fbb4a11)

This is an automated email from the ASF dual-hosted git repository.

ckj pushed a change to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git


    from 95514764de HDDS-7354. SchemaV3 blockData not deleted in table (#3860)
     new ba31c9056c HDDS-6930. SCM,OM,RECON should not print ERROR and exit with code 1 on successful shutdown (#3848)
     new 58403fc2b8 HDDS-7356. Update SCM-HA.zh.md to match the English version (#3861)
     new 671b7147fc HDDS-7355. non-primordial scm fail to get signed cert from primordial SCM when converting an unsecure cluster to secure (#3859)
     new 83284d0e69 HDDS-7369. Fix wrong order of command arguments in Nonrolling-Upgrade.md (#3866)
     new 5da51dbb50 HDDS-7403. README Security Improvement (#3879)
     new cc2fbb4a11 HDDS-7368. [Multi-Tenant] Add Volume Existence check in preExecute for OMTenantCreateRequest (#3869)

The 6 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 README.md                                          |  2 +-
 .../docs/content/feature/Nonrolling-Upgrade.md     |  6 +-
 hadoop-hdds/docs/content/feature/SCM-HA.zh.md      | 73 ++++++++++++++++++++--
 .../hdds/scm/server/StorageContainerManager.java   | 17 ++---
 .../org/apache/hadoop/ozone/om/OzoneManager.java   |  2 +-
 .../request/s3/tenant/OMTenantCreateRequest.java   | 11 ++++
 .../scm/ReconStorageContainerManagerFacade.java    |  2 +-
 7 files changed, 95 insertions(+), 18 deletions(-)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@ozone.apache.org
For additional commands, e-mail: commits-help@ozone.apache.org


[ozone] 03/06: HDDS-7355. non-primordial scm fail to get signed cert from primordial SCM when converting an unsecure cluster to secure (#3859)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit 671b7147fc4c1cf837befdc403266ba3d88d7ac9
Author: Jie Yao <ja...@tencent.com>
AuthorDate: Thu Oct 20 14:33:00 2022 +0800

    HDDS-7355. non-primordial scm fail to get signed cert from primordial SCM when converting an unsecure cluster to secure (#3859)
---
 .../hadoop/hdds/scm/server/StorageContainerManager.java   | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 1f57b4ffea..09844681ab 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -1072,7 +1072,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
           scmStorageConfig.getScmId());
 
       // Initialize security if security is enabled later.
-      initializeSecurityIfNeeded(conf, scmhaNodeDetails, scmStorageConfig);
+      initializeSecurityIfNeeded(
+          conf, scmhaNodeDetails, scmStorageConfig, false);
 
       return true;
     }
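Review bot: the bare `false` passed here (and at the identical call site in the hunk at line 1097) does not say why this path is non-primordial; the existing comment "Initialize security if security is enabled later." predates the flag. Since this boolean now decides whether `HASecurityUtils.initializeSecurity` sets this SCM up as the root CA or makes it request a signed certificate from the primordial SCM, extend the comment to state the invariant, e.g. `// Not the primordial SCM: obtain the SCM certificate from the primordial SCM.`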
@@ -1097,7 +1098,8 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
       }
 
       // Initialize security if security is enabled later.
-      initializeSecurityIfNeeded(conf, scmhaNodeDetails, scmStorageConfig);
+      initializeSecurityIfNeeded(
+          conf, scmhaNodeDetails, scmStorageConfig, false);
 
     } else {
       try {
@@ -1136,14 +1138,15 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
    * @param scmStorageConfig
    * @throws IOException
    */
-  private static void initializeSecurityIfNeeded(OzoneConfiguration conf,
-      SCMHANodeDetails scmhaNodeDetails, SCMStorageConfig scmStorageConfig)
+  private static void initializeSecurityIfNeeded(
+      OzoneConfiguration conf, SCMHANodeDetails scmhaNodeDetails,
+      SCMStorageConfig scmStorageConfig, boolean isPrimordial)
       throws IOException {
     // Initialize security if security is enabled later.
     if (OzoneSecurityUtil.isSecurityEnabled(conf)
         && scmStorageConfig.getScmCertSerialId() == null) {
       HASecurityUtils.initializeSecurity(scmStorageConfig, conf,
-          getScmAddress(scmhaNodeDetails, conf), true);
+          getScmAddress(scmhaNodeDetails, conf), isPrimordial);
       scmStorageConfig.forceInitialize();
       LOG.info("SCM unsecure cluster is converted to secure cluster. " +
               "Persisted SCM Certificate SerialID {}",
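Review bot: the Javadoc directly above this method still documents only the original parameters (the visible tail shows `@param scmStorageConfig` and `@throws IOException`), so the new `isPrimordial` parameter is undocumented; add `@param isPrimordial true only on the SCM acting as root CA; false makes this SCM request its certificate from the primordial SCM` so the meaning of the literal at each call site is discoverable. For readers of this fix: before the change the hard-coded `true` in the `HASecurityUtils.initializeSecurity` call made every SCM, including bootstrapped ones, initialize as if it were the root CA, which is why a non-primordial SCM never obtained a certificate signed by the primordial SCM when security was enabled on an existing cluster.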
@@ -1233,7 +1236,7 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
       final boolean isSCMHAEnabled = scmStorageConfig.isSCMHAEnabled();
 
       // Initialize security if security is enabled later.
-      initializeSecurityIfNeeded(conf, haDetails, scmStorageConfig);
+      initializeSecurityIfNeeded(conf, haDetails, scmStorageConfig, true);
 
       if (SCMHAUtils.isSCMHAEnabled(conf) && !isSCMHAEnabled) {
         SCMRatisServerImpl.initialize(scmStorageConfig.getClusterID(),
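Review bot: this call hard-codes `true`, which assumes the node reaching this path is always the primordial SCM. The SCM-HA documentation in this same push defines the primordial SCM by `ozone.scm.primordial.node.id`, falling back to "whichever node ran init" only when that setting is undefined, so if this path can run on a non-primordial node (the surrounding `isSCMHAEnabled` check reads like the HA-enabling startup path rather than `--init`), deriving the flag from that configuration instead of a literal would avoid a second SCM minting its own root CA. Either way a comment stating which invariant makes `true` safe here would help.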




[ozone] 06/06: HDDS-7368. [Multi-Tenant] Add Volume Existence check in preExecute for OMTenantCreateRequest (#3869)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit cc2fbb4a1135f76c747af54b0b5234f0e863e920
Author: Aswin Shakil Balasubramanian <as...@gmail.com>
AuthorDate: Mon Oct 24 11:07:45 2022 -0700

    HDDS-7368. [Multi-Tenant] Add Volume Existence check in preExecute for OMTenantCreateRequest (#3869)
---
 .../ozone/om/request/s3/tenant/OMTenantCreateRequest.java     | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
index d678b8f1d1..885f45beb3 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantCreateRequest.java
@@ -152,6 +152,17 @@ public class OMTenantCreateRequest extends OMVolumeRequest {
     final String volumeName = request.getVolumeName();
     // Validate volume name
     OmUtils.validateVolumeName(volumeName);
+
+    final String dbVolumeKey = ozoneManager.getMetadataManager()
+        .getVolumeKey(volumeName);
+
+    // Check volume existence
+    if (ozoneManager.getMetadataManager().getVolumeTable()
+        .isExist(dbVolumeKey)) {
+      LOG.debug("volume: '{}' already exists", volumeName);
+      throw new OMException("Volume already exists", VOLUME_ALREADY_EXISTS);
+    }
+
     // TODO: Refactor this and OMVolumeCreateRequest to improve maintainability.
     final VolumeInfo volumeInfo = VolumeInfo.newBuilder()
         .setVolume(volumeName)
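Review bot: this existence check runs in `preExecute`, before the request is applied, and nothing in the hunk takes a lock on the volume, so a volume created between this check and the apply step would still collide; treat it as a fast-fail for the common case and keep (or confirm there is) an equivalent check under the volume lock in `validateAndUpdateCache`, which is where the TODO below already points at `OMVolumeCreateRequest` for the shared logic. Two smaller points: the hunk uses `OMException` and `VOLUME_ALREADY_EXISTS` without adding imports, and the file stat shows these 11 lines as the only insertions, so confirm both are already imported in this class; and the `LOG.debug` line duplicates what the client gets back in the exception, which is fine at debug level but not worth promoting.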




[ozone] 02/06: HDDS-7356. Update SCM-HA.zh.md to match the English version (#3861)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit 58403fc2b894c5bab53acc388b9cffef024a36c6
Author: Kaijie Chen <ck...@apache.org>
AuthorDate: Thu Oct 20 12:31:04 2022 +0800

    HDDS-7356. Update SCM-HA.zh.md to match the English version (#3861)
---
 hadoop-hdds/docs/content/feature/SCM-HA.zh.md | 73 +++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 5 deletions(-)

diff --git a/hadoop-hdds/docs/content/feature/SCM-HA.zh.md b/hadoop-hdds/docs/content/feature/SCM-HA.zh.md
index 4f4ce3b499..9875337e64 100644
--- a/hadoop-hdds/docs/content/feature/SCM-HA.zh.md
+++ b/hadoop-hdds/docs/content/feature/SCM-HA.zh.md
@@ -25,10 +25,6 @@ summary: Storage Container Manager 的 HA 设置可以避免任何单点故障
 
 Ozone包含两个元数据管理节点(用于键管理的 *Ozone Manager* 和用于块空间管理的 *Storage Container management* )和多个存储节点(数据节点)。通过 RAFT 共识算法实现数据在数据节点之间的复制。
 
-<div class="alert alert-warning" role="alert">
-请注意,SCM-HA 尚未准备好在安全环境中部署。 安全工作正在进行中,将很快完成。
-</div>
-
 为了避免任何单点故障,元数据管理器节点还应该具有 HA 设置。
 
 Ozone Manager 和 Storage Container Manager 都支持 HA。在这种模式下,内部状态通过 RAFT (使用 Apache Ratis )复制。
@@ -37,6 +33,12 @@ Ozone Manager 和 Storage Container Manager 都支持 HA。在这种模式下,
 
 ## 配置
 
+> &#x26a0;&#xfe0f; **注意** &#x26a0;&#xfe0f;
+>
+> SCM HA 目前仅支持新初始化的集群。
+> SCM HA 必须在 Ozone 服务首次启动前开启。
+> 当某个 SCM 以非 HA 的模式启动后,不支持将其改为 HA 模式。
+
 Storage Container Manager 的 HA 模式可以在 `ozone-site.xml` 中进行以下设置:
 
 ```XML
@@ -94,7 +96,7 @@ Storage Container Manager 的 HA 模式可以在 `ozone-site.xml` 中进行以
 bin/ozone scm --init
 ```
 
-第二个和第三个节点应该被 *bootstrapped*,而不是 init。这些集群将加入到配置的 RAFT 仲裁。当前服务器的 id 通过 DNS 名称标识,也可以通过 `ozone.scm.node.id` 明确设置。大多数时候你不需要设置它,因为基于 DNS 的 id 检测可以很好地工作。
+第二个和第三个节点应该被 *bootstrap*,而不是 init。这些集群将加入到配置的 RAFT 仲裁。当前服务器的 id 通过 DNS 名称标识,也可以通过 `ozone.scm.node.id` 明确设置。大多数时候你不需要设置它,因为基于 DNS 的 id 检测可以很好地工作。
 
 ```
 bin/ozone scm --bootstrap
@@ -111,6 +113,67 @@ bin/ozone scm --bootstrap
 
 根据 `ozone.scm.primordial.node.id`,初始化进程将在第二个/第三个节点上被忽略,引导进程将在除原始节点外的所有节点上被忽略。
 
+## SCM HA 安全
+
+![SCM Secure HA](scm-secure-ha.png)
+
+在一个安全 SCM HA 集群中,我们将执行初始化的 SCM 称为原始 SCM。
+原始 SCM 使用自签名证书启动根 CA,并用于颁发签名证书到它自己和其他
+引导的 SCM。 只有原始 SCM 可以为其他 SCM 颁发签名证书。
+因此,原始 SCM 在 SCM HA 集群中具有特殊的作用,因为它是唯一可以向 SCM 颁发证书的 SCM。
+
+原始 SCM 担任根 CA 角色,它使用子 CA 证书签署所有 SCM 实例。
+SCM 使用子 CA 证书来签署 OM/Datanodes 的证书。
+
+引导 SCM 时会从原始 SCM 获取签名证书并启动子 CA。
+
+SCM 上的子 CA 用于为集群中的 OM/DN 颁发签名证书。 只有 leader SCM 向 OM/DN 颁发证书。
+
+### 如何启用安全
+
+```XML
+<property>
+<config>ozone.security.enable</config>
+<value>true</value>
+</property>
+
+<property>
+<config>hdds.grpc.tls.enabled</config>
+<value>true</value>
+</property>
+```
+
+在正常的 SCM HA 配置的基础上,需要添加上述配置。
+
+### 原始 SCM
+
+原始 SCM 由配置 ozone.scm.primordial.node.id 确定。
+此值可以是 SCM 的节点 ID 或原始机名。
+如果配置是未定义的,则运行 init 的节点被视为原始 SCM。
+
+{{< highlight bash >}}
+bin/ozone scm --init
+{{< /highlight >}}
+
+这将为根 CA 设置公钥、私钥对和自签名证书
+并生成公钥、私钥对和 CSR 以从根 CA 获取子 CA 的签名证书。
+
+### 引导 SCM
+
+{{< highlight bash >}}
+bin/ozone scm --bootstrap
+{{< /highlight >}}
+
+这将为子 CA 设置公钥、私钥对并生成 CSR 以获取来自根 CA 的子 CA 签名证书。
+
+**注意**: 当原始 SCM 未定义时,请确保仅在一个 SCM 上运行 **--init**,
+在其他 SCM 节点上需使用 **--bootstrap** 进行引导。
+
+### 目前 SCM HA 安全的限制
+
+1. 当原始 SCM 失效时, 新的 SCM 不能被引导并添加到 HA 节点中。
+2. 尚未支持从非 HA 安全集群升级到 HA 安全集群。
+
 ## 实现细节
 
 SCM HA 使用 Apache Ratis 在 SCM HA 仲裁的成员之间复制状态。每个节点在本地 RocksDB 中维护块管理元数据。
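Review bot: in the "如何启用安全" XML block the property keys are wrapped in `<config>…</config>`, but `ozone-site.xml` property entries take `<name>…</name>`; as written, copying this snippet would not enable `ozone.security.enable` or `hdds.grpc.tls.enabled`. Since this commit mirrors the English SCM-HA.md, check whether the English page carries the same tag and fix both. Also, "原始机名" in the "原始 SCM" section looks like a typo for "主机名" (hostname), given that the sentence lists the node ID as the other accepted value.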




[ozone] 01/06: HDDS-6930. SCM,OM,RECON should not print ERROR and exit with code 1 on successful shutdown (#3848)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit ba31c9056c328d4b598f558e8dfa69bcb1cc6e0d
Author: Navink <nv...@gmail.com>
AuthorDate: Thu Oct 20 09:29:29 2022 +0530

    HDDS-6930. SCM,OM,RECON should not print ERROR and exit with code 1 on successful shutdown (#3848)
---
 .../java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java | 2 +-
 .../src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java          | 2 +-
 .../hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index 73a5468c39..1f57b4ffea 100644
--- a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++ b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -1655,7 +1655,7 @@ public final class StorageContainerManager extends ServiceRuntimeInfoImpl
   @Override
   public void shutDown(String message) {
     stop();
-    ExitUtils.terminate(1, message, LOG);
+    ExitUtils.terminate(0, message, LOG);
   }
 
   /**
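Review bot: `shutDown(String message)` now exits 0 unconditionally, while the issue title scopes the change to successful shutdown; if any caller reaches `shutDown` from a failure path (the `message` argument suggests it is used to report a reason), that failure will now look like a clean exit to whatever supervises the process (systemd restart rules, Kubernetes restart policy, monitoring on exit status), so a crash stops triggering restarts or alerts. Either audit the callers to confirm they are all orderly-shutdown paths, or add an exit-code (or boolean) parameter so error callers keep `1`. The same applies to the `OzoneManager` and `ReconStorageContainerManagerFacade` hunks below.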
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index 70f8359fe8..b5be6c02d7 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -2089,7 +2089,7 @@ public final class OzoneManager extends ServiceRuntimeInfoImpl
 
   public void shutDown(String message) {
     stop();
-    ExitUtils.terminate(1, message, LOG);
+    ExitUtils.terminate(0, message, LOG);
   }
 
   /**
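Review bot: unlike the SCM and Recon versions of this method in the same patch, `OzoneManager.shutDown` carries no `@Override`; if it implements the same interface method, add the annotation so the signature stays compiler-checked.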
diff --git a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java
index 27c474a1bd..11dca8628b 100644
--- a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java
+++ b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/scm/ReconStorageContainerManagerFacade.java
@@ -352,7 +352,7 @@ public class ReconStorageContainerManagerFacade
   @Override
   public void shutDown(String message) {
     stop();
-    ExitUtils.terminate(1, message, LOG);
+    ExitUtils.terminate(0, message, LOG);
   }
 
   public ReconDatanodeProtocolServer getDatanodeProtocolServer() {




[ozone] 05/06: HDDS-7403. README Security Improvement (#3879)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit 5da51dbb50905e585ff1c9d4d670ff640caed9fa
Author: SaketaChalamchala <sa...@gmail.com>
AuthorDate: Mon Oct 24 09:22:08 2022 -0700

    HDDS-7403. README Security Improvement (#3879)
    
    Co-authored-by: SaketaChalamchala <sc...@cloudera.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 88b0bc122a..6a7226fc36 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Ozone is a scalable, redundant, and distributed object store for Hadoop and Clou
  * SCALABLE: Ozone is designed to scale to tens of billions of files and blocks and, in the future, even more.
  * CONSISTENT: Ozone is a strongly consistent object store. This consistency is achieved by using protocols like RAFT.
  * CLOUD-NATIVE: Ozone is designed to work well in containerized environments like YARN and Kubernetes.
- * SECURE: Ozone integrates with Kerberos infrastructure for access control and supports TDE and on-wire encryption.
+ * SECURE: Ozone integrates with Kerberos infrastructure for authentication, supports native ACLs and integrates with Ranger for access control and supports TDE and on-wire encryption.
  * HIGHLY AVAILABLE: Ozone is a fully replicated system that is designed to survive multiple failures.
 
 ## Documentation
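Review bot: the new SECURE bullet is a single run-on sentence with three "and"-joined clauses, which buries the distinction it is trying to make (authentication vs. authorization vs. encryption); suggest `* SECURE: Ozone integrates with Kerberos for authentication, supports native ACLs and Apache Ranger integration for authorization, and provides TDE and on-wire encryption.` Saying "authorization" rather than "access control" also makes it clear that Kerberos is no longer being credited for access control, which is the point of the change.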




[ozone] 04/06: HDDS-7369. Fix wrong order of command arguments in Nonrolling-Upgrade.md (#3866)

Posted by ck...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ckj pushed a commit to branch ozone-1.3
in repository https://gitbox.apache.org/repos/asf/ozone.git

commit 83284d0e690731b2088c9d2e203f1ecc3b12305b
Author: zhtttylz <54...@users.noreply.github.com>
AuthorDate: Fri Oct 21 03:53:35 2022 +0800

    HDDS-7369. Fix wrong order of command arguments in Nonrolling-Upgrade.md (#3866)
---
 hadoop-hdds/docs/content/feature/Nonrolling-Upgrade.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdds/docs/content/feature/Nonrolling-Upgrade.md b/hadoop-hdds/docs/content/feature/Nonrolling-Upgrade.md
index 0328e6834b..b18f585aeb 100644
--- a/hadoop-hdds/docs/content/feature/Nonrolling-Upgrade.md
+++ b/hadoop-hdds/docs/content/feature/Nonrolling-Upgrade.md
@@ -62,15 +62,15 @@ Starting with your current version of Ozone, complete the following steps to upg
 4. Start the components
     1. Start the SCM and datanodes as usual:
         ```
-        ozone --daemon scm start
+        ozone --daemon start scm
         ```
         ```
-        ozone --daemon datanode start
+        ozone --daemon start datanode
         ```
 
     2. Start the Ozone Manager using the `--upgrade` flag to take it out of prepare mode.
         ```
-        ozone --daemon om start --upgrade
+        ozone --daemon start om --upgrade
         ```
         - There also exists a `--downgrade` flag which is an alias of `--upgrade`. The name used does not matter.
 
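Review bot: the corrected `ozone --daemon start <service>` form is applied to the three start commands in this hunk only; if the earlier steps of this procedure contain the matching stop commands, check them for the same `ozone --daemon stop <service>` ordering so the stop and start examples stay consistent. A smaller point: the three fences are untagged, and tagging them (for example as bash) would render them consistently with the rest of the docs.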

