Posted to issues@ozone.apache.org by "Marton Elek (Jira)" <ji...@apache.org> on 2019/12/13 18:52:00 UTC

[jira] [Updated] (HDDS-2731) Certificate Revocation Support for Ozone CA

     [ https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marton Elek updated HDDS-2731:
------------------------------
    Attachment: Certificate Revocation Support for Ozone CA.rtf

> Certificate Revocation Support for Ozone CA
> -------------------------------------------
>
>                 Key: HDDS-2731
>                 URL: https://issues.apache.org/jira/browse/HDDS-2731
>             Project: Hadoop Distributed Data Store
>          Issue Type: Improvement
>            Reporter: Marton Elek
>            Priority: Major
>         Attachments: Certificate Revocation Support for Ozone CA.rtf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes takes place over the TLS protocol, that is, through issued security artifacts, i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These certificates reside in SCM storage. The "known and trusted" data nodes are provisioned with corresponding certificates and, for smooth communication in the system, these certificates are also stored in the client certificate cache.
> The problem is, once these certificates are invalidated on SCM, whether by an admin, by expiry, or by the (future) cert rotation process, these certs are not removed or invalidated in the Data Node's local cache. This means that tokens issued by Ozone Manager (OM) can still be used to access blocks from Data Nodes, since the client certificate cache still holds the invalidated certificate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org
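The failure mode described in HDDS-2731 above, and the shape of the check it asks for, as an added example that is not part of the Jira issue or of Ozone's own code (Ozone is written in Java; this is a stand-alone Go program using only the standard library so it runs without dependencies). Everything in it is assumed for illustration: the CertCache, ApplyCRL and VerifyToken names, the self-signed "scm-ca" root standing in for SCM's CA, the "om" leaf certificate with serial 42, and the constructed block-token payload signed with plain ECDSA over SHA-256, which is not Ozone's token format. It shows a data-node cache that, unlike the one the issue describes, verifies a CA-signed CRL and evicts the revoked certificate, so a token signed by OM stops verifying once SCM revokes OM's certificate:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertCache is a hypothetical data-node cache of peer certificates keyed by serial number;
// unlike the cache in the issue, it consumes CA-signed CRLs and evicts revoked entries.
type CertCache struct {
	ca    *x509.Certificate            // SCM's CA certificate, trusted out of band
	certs map[string]*x509.Certificate // serial -> trusted certificate
}

// Put admits a certificate only if the CA signed it (production code would also Verify the chain).
func (c *CertCache) Put(cert *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(c.ca); err != nil {
		return err
	}
	c.certs[cert.SerialNumber.String()] = cert
	return nil
}

// ApplyCRL verifies the CRL against the CA, then evicts every revoked serial from the cache.
func (c *CertCache) ApplyCRL(crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(c.ca); err != nil {
		return err // a forged or unsigned CRL must not evict anything
	}
	for _, rc := range crl.RevokedCertificates {
		delete(c.certs, rc.SerialNumber.String())
	}
	return nil
}

// VerifyToken checks an ECDSA-signed token against its issuer's cached certificate;
// an unknown or revoked issuer makes the token invalid.
func (c *CertCache) VerifyToken(issuerSerial *big.Int, payload, sig []byte) error {
	cert, ok := c.certs[issuerSerial.String()]
	if !ok {
		return errors.New("issuer certificate not cached (unknown or revoked)")
	}
	h := sha256.Sum256(payload)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad token signature")
	}
	return nil
}

// Fixtures standing in for SCM's CA: self-signed root, leaf issuance and a one-entry CRL.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // no issuer: build a self-signed root allowed to sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}}}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// Demo replays the issue's scenario: an OM-signed block token is accepted while OM's
// certificate is cached and rejected once the CA's CRL revokes it.
func Demo() (beforeOK, afterOK bool) {
	ca, caKey := issue(nil, nil, 1, "scm-ca")
	omCert, omKey := issue(ca, caKey, 42, "om")
	cache := &CertCache{ca: ca, certs: map[string]*x509.Certificate{}}
	must(0, cache.Put(omCert))
	payload := []byte("block-token: container 7, block 9, READ") // constructed sample token
	h := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, omKey, h[:]))
	beforeOK = cache.VerifyToken(omCert.SerialNumber, payload, sig) == nil
	must(0, cache.ApplyCRL(buildCRL(ca, caKey, 42)))
	afterOK = cache.VerifyToken(omCert.SerialNumber, payload, sig) == nil
	return
}

func main() {
	b, a := Demo()
	fmt.Printf("token accepted before CRL: %v, after CRL: %v\n", b, a)
}
```

Two points in the block are the ones that matter for the issue: the CRL is only honoured after CheckSignatureFrom succeeds against the CA, so a forged or unsigned list cannot evict anything, and token verification resolves the issuer through the cache rather than through a separately held copy, so eviction is sufficient to revoke. Production code would additionally run a full chain Verify with validity dates on admission, track the CRL's NextUpdate to reject stale lists, and refuse to re-admit a serial that an earlier CRL revoked, since the provisioning path the issue mentions could otherwise push the old certificate straight back into the cache.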