You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/05/03 07:31:59 UTC

[GitHub] [ozone] bharatviswa504 opened a new pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

bharatviswa504 opened a new pull request #2205:
URL: https://github.com/apache/ozone/pull/2205


   ## What changes were proposed in this pull request?
   
   Add SCM HA security documentation.
   
   ## What is the link to the Apache JIRA
   
   https://issues.apache.org/jira/browse/HDDS-5158
   
   ## How was this patch tested?
   
   Deployed docs locally and verified content.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] xiaoyuyao commented on a change in pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on a change in pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#discussion_r630403883



##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,62 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self signed certificates and is used to issue a signed certificate 

Review comment:
       NIT: self signed  => self-signed




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] xiaoyuyao commented on a change in pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on a change in pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#discussion_r631978433



##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,66 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self-signed certificates and is used to issue a signed certificate 
+to itself and other bootstrapped SCM’s. Only primordial SCM can issue signed certificates for other SCM’s.
+So, primordial SCM has a special role in the SCM HA cluster, as it is the only one that can issue certificates to SCM’s.
+
+The primordial SCM takes a root-CA role, which signs all SCM instances with a sub-CA certificate. 
+The sub-CA certificates are used by SCM to sign certificates for OM/Datanodes.
+
+When bootstrapping a SCM, it gets a signed certificate from the primary SCM and starts sub-CA.
+
+Sub-CA on the SCM’s are used to issue signed certificates for OM/DN in the cluster. Only the leader SCM issues a certificate to OM/DN.
+
+### How to enable security:
+
+```XML
+<property>
+<config>ozone.security.enable</config>
+<value>true</value>
+</property>
+
+<property>
+<config>hdds.grpc.tls.enabled</config>
+<value>true</value>
+</property>
+```
+
+Above configs are needed in addition to normal SCM HA configuration.
+
+### Primordial SCM:
+
+Primordial SCM is determined from the config ozone.scm.primordial.node.id. 

Review comment:
       Can we add some description about how it is determined when ozone.scm.primordial.node.id is not defined?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] xiaoyuyao commented on pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#issuecomment-848862454


   /retest


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] xiaoyuyao commented on a change in pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

xiaoyuyao commented on a change in pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#discussion_r630406074



##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,62 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self signed certificates and is used to issue a signed certificate 
+to itself and other bootstrapped SCM’s. Only primordial SCM can issue signed certificates for other SCM’s.
+So, primordial SCM has a special role in the SCM HA cluster, as it is the only one that can issue certificates to SCM’s.
+
+In addition to root-CA primordial SCM also has a sub-CA which has a signed certificate from root CA which is used to sign certificates for OM/Datanodes.

Review comment:
       Suggestion reword:
   In addition to root-CA primordial SCM also has a sub-CA which has a signed certificate from root CA which is used to sign certificates for OM/Datanodes.
   
   The primordial SCM takes a root-CA role, which signs all SCM instances with a sub-CA certificate.  The sub-CA certificates are used by SCM to sign certificates for OM/Datanodes.

##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,62 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self signed certificates and is used to issue a signed certificate 
+to itself and other bootstrapped SCM’s. Only primordial SCM can issue signed certificates for other SCM’s.
+So, primordial SCM has a special role in the SCM HA cluster, as it is the only one that can issue certificates to SCM’s.
+
+In addition to root-CA primordial SCM also has a sub-CA which has a signed certificate from root CA which is used to sign certificates for OM/Datanodes.
+
+When bootstrapping a SCM, it gets a signed certificate from the primary SCM and starts sub-CA.
+
+Sub-CA on the SCM’s are used to issue signed certificates for OM/DN in the cluster. Only the leader SCM issues a certificate to OM/DN.
+
+### How to enable security:
+
+```XML
+<property>
+<config>ozone.security.enable</config>
+<value>true</value>
+</property>
+
+<property>
+<config>hdds.grpc.tls.enabled</config>
+<value>true</value>
+</property>
+```
+
+Above configs are needed in addition to normal SCM HA configuration.

Review comment:
       Can we add some details about how primordial SCM is determined by SCM? Like, the first node in the SCM node list or a specific configuration key?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] xiaoyuyao merged pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

xiaoyuyao merged pull request #2205:
URL: https://github.com/apache/ozone/pull/2205


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

bharatviswa504 commented on a change in pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#discussion_r634180193



##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,66 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self-signed certificates and is used to issue a signed certificate 
+to itself and other bootstrapped SCM’s. Only primordial SCM can issue signed certificates for other SCM’s.
+So, primordial SCM has a special role in the SCM HA cluster, as it is the only one that can issue certificates to SCM’s.
+
+The primordial SCM takes a root-CA role, which signs all SCM instances with a sub-CA certificate. 
+The sub-CA certificates are used by SCM to sign certificates for OM/Datanodes.
+
+When bootstrapping a SCM, it gets a signed certificate from the primary SCM and starts sub-CA.
+
+Sub-CA on the SCM’s are used to issue signed certificates for OM/DN in the cluster. Only the leader SCM issues a certificate to OM/DN.
+
+### How to enable security:
+
+```XML
+<property>
+<config>ozone.security.enable</config>
+<value>true</value>
+</property>
+
+<property>
+<config>hdds.grpc.tls.enabled</config>
+<value>true</value>
+</property>
+```
+
+Above configs are needed in addition to normal SCM HA configuration.
+
+### Primordial SCM:
+
+Primordial SCM is determined from the config ozone.scm.primordial.node.id. 

Review comment:
       Updated it




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] github-actions[bot] commented on pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#issuecomment-848890341


   @bharatviswa504 please trigger new CI check by following these steps:
   ```
   git commit --allow-empty -m 'trigger new CI check'
   git push
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org

[GitHub] [ozone] bharatviswa504 commented on a change in pull request #2205: HDDS-5158. Add documentation for SCM HA Security.

Posted by GitBox <gi...@apache.org>.

bharatviswa504 commented on a change in pull request #2205:
URL: https://github.com/apache/ozone/pull/2205#discussion_r631700247



##########
File path: hadoop-hdds/docs/content/feature/SCM-HA.md
##########
@@ -111,6 +107,62 @@ This can be changed with using `ozone.scm.primordial.node.id`. You can define th
 
 Based on the `ozone.scm.primordial.node.id`, the init process will be ignored on the second/third nodes and bootstrap process will be ignored on all nodes except the primordial one.
 
+## SCM HA Security
+
+![Overview](scm-secure-ha.png)
+
+In a secure SCM HA cluster on the SCM where we perform init, we call this SCM as a primordial SCM. 
+Primordial SCM starts root-CA with self signed certificates and is used to issue a signed certificate 
+to itself and other bootstrapped SCM’s. Only primordial SCM can issue signed certificates for other SCM’s.
+So, primordial SCM has a special role in the SCM HA cluster, as it is the only one that can issue certificates to SCM’s.
+
+In addition to root-CA primordial SCM also has a sub-CA which has a signed certificate from root CA which is used to sign certificates for OM/Datanodes.
+
+When bootstrapping a SCM, it gets a signed certificate from the primary SCM and starts sub-CA.
+
+Sub-CA on the SCM’s are used to issue signed certificates for OM/DN in the cluster. Only the leader SCM issues a certificate to OM/DN.
+
+### How to enable security:
+
+```XML
+<property>
+<config>ozone.security.enable</config>
+<value>true</value>
+</property>
+
+<property>
+<config>hdds.grpc.tls.enabled</config>
+<value>true</value>
+</property>
+```
+
+Above configs are needed in addition to normal SCM HA configuration.

Review comment:
       Done




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org