Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/09/28 22:40:25 UTC

[GitHub] [ozone] bharatviswa504 opened a new pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

bharatviswa504 opened a new pull request #2691:
URL: https://github.com/apache/ozone/pull/2691


   ## What changes were proposed in this pull request?
   
   On an upgraded cluster with SCM HA version code, SCM fails to start when `hdds.container.token.enabled` is set to true.
   In an upgraded cluster and SCM non-HA, SCMCertificateClient is not initialized and sub-CA is not started. Initialize SCMCertificateClient with RootCA Cert and initialize ContainerTokenManager.
   
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-5789
   
   ## How was this patch tested?
   
   Manually verified this on a cluster.
   
   **Before fix:**
   ```
   2021-09-28 22:28:01,554 ERROR org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter: SCM start failed with exception
   java.lang.NullPointerException
           at org.apache.hadoop.hdds.scm.server.StorageContainerManager.createContainerTokenSecretManager(StorageContainerManager.java:726)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManager.initializeCAnSecurityProtocol(StorageContainerManager.java:674)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManager.<init>(StorageContainerManager.java:337)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManager.createSCM(StorageContainerManager.java:460)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManager.createSCM(StorageContainerManager.java:472)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter$SCMStarterHelper.start(StorageContainerManagerStarter.java:165)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter.startScm(StorageContainerManagerStarter.java:139)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter.call(StorageContainerManagerStarter.java:68)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter.call(StorageContainerManagerStarter.java:44)
           at picocli.CommandLine.executeUserObject(CommandLine.java:1933)
           at picocli.CommandLine.access$1100(CommandLine.java:145)
           at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2332)
           at picocli.CommandLine$RunLast.handle(CommandLine.java:2326)
           at picocli.CommandLine$RunLast.handle(CommandLine.java:2291)
           at picocli.CommandLine$AbstractParseResultHandler.handleParseResult(CommandLine.java:2152)
           at picocli.CommandLine.parseWithHandlers(CommandLine.java:2530)
           at picocli.CommandLine.parseWithHandler(CommandLine.java:2465)
           at org.apache.hadoop.hdds.cli.GenericCli.execute(GenericCli.java:96)
           at org.apache.hadoop.hdds.cli.GenericCli.run(GenericCli.java:87)
           at org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter.main(StorageContainerManagerStarter.java:57)
   2021-09-28 22:28:01,604 INFO org.apache.hadoop.hdds.scm.server.StorageContainerManagerStarter: SHUTDOWN_MSG:
   ```
   
   **After fix:**
   ```
   2021-09-28 22:29:41,598 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for dn/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,599 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for recon/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,600 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for dn/quasar-afcevv-1.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,600 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for om/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,626 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for om/quasar-afcevv-5.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol
   2021-09-28 22:29:41,626 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for dn/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol
   2021-09-28 22:29:41,631 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for dn/quasar-afcevv-1.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol
   2021-09-28 22:29:41,631 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for om/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol
   2021-09-28 22:29:41,638 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for recon/quasar-afcevv-4.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdds.scm.protocol.StorageContainerLocationProtocol
   2021-09-28 22:29:41,664 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for dn/quasar-afcevv-5.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,676 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for dn/quasar-afcevv-5.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol
   2021-09-28 22:29:41,757 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for dn/quasar-afcevv-2.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:41,766 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for dn/quasar-afcevv-2.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.ozone.protocol.StorageContainerDatanodeProtocol
   2021-09-28 22:29:41,926 INFO org.apache.hadoop.util.JvmPauseMonitor: Starting JVM pause monitor
   2021-09-28 22:29:41,941 WARN org.apache.hadoop.hdds.server.http.BaseHttpServer: SSL config ssl.server.truststore.location is missing. If ozone.https.server.keystore.resource is specified, make sure it is a relative path
   2021-09-28 22:29:42,358 INFO org.apache.hadoop.hdds.scm.net.NetworkTopologyImpl: Added a new node: /default/1d2fa315-f276-4ab5-9c38-7875ac0eaf95
   2021-09-28 22:29:42,359 INFO org.apache.hadoop.hdds.scm.node.SCMNodeManager: Registered Data node : 1d2fa315-f276-4ab5-9c38-7875ac0eaf95{ip: 172.27.27.129, host: quasar-afcevv-5.quasar-afcevv.root.hwx.site, ports: [REPLICATION=9886, RATIS=9858, RATIS_ADMIN=9858, RATIS_SERVER=9858, STANDALONE=9859], networkLocation: /default, certSerialId: 13326388815505992, persistedOpState: IN_SERVICE, persistedOpStateExpiryEpochSec: 0}
   2021-09-28 22:29:42,361 INFO org.apache.hadoop.hdds.scm.pipeline.BackgroundPipelineCreator: trigger a one-shot run on RatisPipelineUtilsThread.
   2021-09-28 22:29:42,365 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: ContainerSafeModeRule rule is successfully validated
   2021-09-28 22:29:42,365 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: SCM in safe mode. 1 DataNodes registered, 1 required.
   2021-09-28 22:29:42,366 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: DataNodeSafeModeRule rule is successfully validated
   2021-09-28 22:29:42,367 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: All SCM safe mode pre check rules have passed
   2021-09-28 22:29:42,367 WARN org.apache.hadoop.hdds.server.events.EventQueue: No event handler registered for event TypedEvent{payloadType=SafeModeStatus, name='Safe mode status'}
   2021-09-28 22:29:42,368 INFO org.apache.hadoop.hdds.scm.ha.SCMContext: Update SafeModeStatus from SafeModeStatus{safeModeStatus=true, preCheckPassed=false} to SafeModeStatus{safeModeStatus=true, preCheckPassed=true}.
   2021-09-28 22:29:42,369 INFO org.apache.hadoop.hdds.scm.pipeline.BackgroundPipelineCreator: trigger a one-shot run on RatisPipelineUtilsThread.
   2021-09-28 22:29:42,371 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: SCM in safe mode. Pipelines with at least one datanode reported count is 2, required at least one datanode reported per pipeline count is 2
   2021-09-28 22:29:42,372 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: AtleastOneDatanodeReportedRule rule is successfully validated
   2021-09-28 22:29:42,373 INFO org.apache.hadoop.hdds.scm.safemode.SCMSafeModeManager: SCM in safe mode. Healthy pipelines reported count is 0, required healthy pipeline reported count is 1
   2021-09-28 22:29:42,395 INFO SecurityLogger.org.apache.hadoop.ipc.Server: Auth successful for om/quasar-afcevv-2.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS)
   2021-09-28 22:29:42,405 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for om/quasar-afcevv-2.quasar-afcevv.root.hwx.site@QE-AD-1.CLOUDERA.COM (auth:KERBEROS) for protocol=interface org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol
   2021-09-28 22:29:42,551 INFO org.apache.hadoop.hdds.server.http.BaseHttpServer: Starting Web-server for scm at: https://0.0.0.0:9877
   ```
   
   **Tested basic write/get**
   ```
   
   root@quasar-afcevv-4:/var/run/cloudera-scm-agent/process/1546338751-ozone-OZONE_MANAGER# ozone sh volume create /vol1
   root@quasar-afcevv-4:/var/run/cloudera-scm-agent/process/1546338751-ozone-OZONE_MANAGER# ozone sh bucket create /vol1/buck1
   root@quasar-afcevv-4:/var/run/cloudera-scm-agent/process/1546338751-ozone-OZONE_MANAGER# ozone sh key put /vol1/buck1/key1 /etc/hadoop/conf/ozone-site.xml 
   root@quasar-afcevv-4:/var/run/cloudera-scm-agent/process/1546338751-ozone-OZONE_MANAGER# ozone sh key get /vol1/buck1/key1 /tmp/dkey1
   root@quasar-afcevv-4:/var/run/cloudera-scm-agent/process/1546338751-ozone-OZONE_MANAGER# cat /tmp/dkey1
   <?xml version="1.0" encoding="UTF-8"?>
   <!--Autogenerated by Cloudera Manager-->
   <configuration>
     <property>
       <name>ozone.scm.names</name>
       <value>xxx</value>
     </property>
     <property>
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org


[GitHub] [ozone] bharatviswa504 commented on pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on pull request #2691:
URL: https://github.com/apache/ozone/pull/2691#issuecomment-930547945


   Thank you @vivekratnavel @adoroszlai and @swagle for the reviews.
   Proceeded with commit, as test failures look unrelated and in each run some new test shows up as failed.




[GitHub] [ozone] adoroszlai commented on a change in pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on a change in pull request #2691:
URL: https://github.com/apache/ozone/pull/2691#discussion_r718681179



##########
File path: hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -751,12 +752,32 @@ public SCMCertificateClient getScmCertificateClient() {
   }
 
   private ContainerTokenSecretManager createContainerTokenSecretManager(
-      OzoneConfiguration conf) {
+      OzoneConfiguration conf) throws IOException {
 
     long expiryTime = conf.getTimeDuration(
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
         TimeUnit.MILLISECONDS);
+
+    // Means this is an upgraded cluster and it has no sub-ca,
+    // so SCM Certificate client is not initialized. To make Tokens
+    // work let's use root CA cert and create SCM Certificate client with
+    // root CA cert.
+    if (scmCertificateClient == null) {
+      Preconditions.checkState(
+          !scmStorageConfig.checkPrimarySCMIdInitialized());
+
+      String certSerialNumber;
+      try {
+        certSerialNumber = getScmCertificateServer().getCACertificate()
+            .getSerialNumber().toString();
+      } catch (IOException | CertificateException ex) {
+        LOG.error("Get CA Certificate failed", ex);
+        throw new IOException(ex);
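
Review bot: `Preconditions.checkState(!scmStorageConfig.checkPrimarySCMIdInitialized())` inside the `scmCertificateClient == null` branch carries no message, so if the assumption is wrong SCM startup aborts with an exception that does not say which state was unexpected. Suggest passing a message that states the assumption from the comment above it: a null SCM certificate client is only expected on an upgraded cluster with no sub-CA.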

Review comment:
       Nit: can we avoid wrapping `IOException` in another `IOException`?  Either by not catching it, or adding a separate `catch` clause.

##########
File path: hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -751,12 +752,32 @@ public SCMCertificateClient getScmCertificateClient() {
   }
 
   private ContainerTokenSecretManager createContainerTokenSecretManager(
-      OzoneConfiguration conf) {
+      OzoneConfiguration conf) throws IOException {
 
     long expiryTime = conf.getTimeDuration(
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
         TimeUnit.MILLISECONDS);
+
+    // Means this is an upgraded cluster and it has no sub-ca,
+    // so SCM Certificate client is not initialized. To make Tokens
+    // work let's use root CA cert and create SCM Certificate client with
+    // root CA cert.
+    if (scmCertificateClient == null) {
+      Preconditions.checkState(
+          !scmStorageConfig.checkPrimarySCMIdInitialized());
+
+      String certSerialNumber;
+      try {
+        certSerialNumber = getScmCertificateServer().getCACertificate()
+            .getSerialNumber().toString();
+      } catch (IOException | CertificateException ex) {
+        LOG.error("Get CA Certificate failed", ex);
+        throw new IOException(ex);
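
Review bot: In the `catch` block, `LOG.error("Get CA Certificate failed", ex)` followed by a rethrow is likely to report the same failure twice: the "Before fix" trace in the PR description shows StorageContainerManagerStarter already logging "SCM start failed with exception" for an exception raised under createContainerTokenSecretManager. Suggest dropping the `LOG.error` call and carrying "Get CA Certificate failed" as the message of the exception that is thrown.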

Review comment:
       Thanks.






[GitHub] [ozone] adoroszlai commented on a change in pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on a change in pull request #2691:
URL: https://github.com/apache/ozone/pull/2691#discussion_r718741935



##########
File path: hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -751,12 +752,32 @@ public SCMCertificateClient getScmCertificateClient() {
   }
 
   private ContainerTokenSecretManager createContainerTokenSecretManager(
-      OzoneConfiguration conf) {
+      OzoneConfiguration conf) throws IOException {
 
     long expiryTime = conf.getTimeDuration(
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
         TimeUnit.MILLISECONDS);
+
+    // Means this is an upgraded cluster and it has no sub-ca,
+    // so SCM Certificate client is not initialized. To make Tokens
+    // work let's use root CA cert and create SCM Certificate client with
+    // root CA cert.
+    if (scmCertificateClient == null) {
+      Preconditions.checkState(
+          !scmStorageConfig.checkPrimarySCMIdInitialized());
+
+      String certSerialNumber;
+      try {
+        certSerialNumber = getScmCertificateServer().getCACertificate()
+            .getSerialNumber().toString();
+      } catch (IOException | CertificateException ex) {
+        LOG.error("Get CA Certificate failed", ex);
+        throw new IOException(ex);

Review comment:
       Thanks.






[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

Posted by GitBox <gi...@apache.org>.
bharatviswa504 commented on a change in pull request #2691:
URL: https://github.com/apache/ozone/pull/2691#discussion_r718719495



##########
File path: hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -751,12 +752,32 @@ public SCMCertificateClient getScmCertificateClient() {
   }
 
   private ContainerTokenSecretManager createContainerTokenSecretManager(
-      OzoneConfiguration conf) {
+      OzoneConfiguration conf) throws IOException {
 
     long expiryTime = conf.getTimeDuration(
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME,
         HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT,
         TimeUnit.MILLISECONDS);
+
+    // Means this is an upgraded cluster and it has no sub-ca,
+    // so SCM Certificate client is not initialized. To make Tokens
+    // work let's use root CA cert and create SCM Certificate client with
+    // root CA cert.
+    if (scmCertificateClient == null) {
+      Preconditions.checkState(
+          !scmStorageConfig.checkPrimarySCMIdInitialized());
+
+      String certSerialNumber;
+      try {
+        certSerialNumber = getScmCertificateServer().getCACertificate()
+            .getSerialNumber().toString();
+      } catch (IOException | CertificateException ex) {
+        LOG.error("Get CA Certificate failed", ex);
+        throw new IOException(ex);

Review comment:
       Done






[GitHub] [ozone] bharatviswa504 merged pull request #2691: HDDS-5789. Enabling container tokens on a upgraded cluster fails SCM to start up.

Posted by GitBox <gi...@apache.org>.
bharatviswa504 merged pull request #2691:
URL: https://github.com/apache/ozone/pull/2691


   

