Posted to issues@ozone.apache.org by "Krishna Kumar Asawa (Jira)" <ji...@apache.org> on 2023/10/25 08:17:00 UTC
[jira] [Assigned] (HDDS-9507) [MasterNode decommissioning] Recommissioned SCM certs still signed by RootCA
[ https://issues.apache.org/jira/browse/HDDS-9507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Krishna Kumar Asawa reassigned HDDS-9507:
-----------------------------------------
Assignee: Nandakumar
> [MasterNode decommissioning] Recommissioned SCM certs still signed by RootCA
> ----------------------------------------------------------------------------
>
> Key: HDDS-9507
> URL: https://issues.apache.org/jira/browse/HDDS-9507
> Project: Apache Ozone
> Issue Type: Bug
> Components: SCM
> Reporter: Pratyush Bhatt
> Assignee: Nandakumar
> Priority: Major
>
> *Scenario:*
> Decommission a SCM node, and certs are tuned to be rotated after the new SCM recommission is done.
> *Steps:*
> 1. Cert rotation interval set as 30 minutes.
> 2. Decommission a SCM Node (ozn-decom56-5.ozn-decom56.xyz)
> 3. Recommission a new SCM Node. (ozn-decom56-4.ozn-decom56.xyz)
> 4. Cert rotation interval hits now.
> _Configs used:_
> {code:java}
> "hdds.x509.default.duration": "PT1H",
> "hdds.x509.renew.grace.duration": "PT30M",
> "hdds.x509.ca.rotation.check.interval": "PT10M",
> "ozone.manager.delegation.token.renew-interval": "10m",
> "hdds.block.token.expiry.time": "10m",
> "ozone.manager.delegation.token.max-lifetime": "30m"{code}
> *Observed behavior:*
> These are certs info for the SCMs and rootCA now:
> {code:java}
> SerialNumber Valid From Expiry Subject Issuer
> 1 Thu Oct 19 11:33:32 UTC 2023 Sun Nov 26 11:33:32 UTC 2028 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022366133952767 Thu Oct 19 11:33:32 UTC 2023 Sun Nov 26 11:33:32 UTC 2028 CN=scm-sub-138022366074119474@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022392400080904 Thu Oct 19 11:33:58 UTC 2023 Sun Nov 26 11:33:58 UTC 2028 CN=scm-sub-99017552032237584@ozn-decom56-2.ozn-decom56.xyz,OU=c1bec48f-4c89-4edf-92a9-b63e842a1ceb,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022394309457306 Thu Oct 19 11:34:00 UTC 2023 Sun Nov 26 11:34:00 UTC 2028 CN=scm-sub-32303299053619965@ozn-decom56-5.ozn-decom56.xyz,OU=da59dc71-12d2-4a77-a0bd-213491613bc2,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022935946339912 Thu Oct 19 11:43:02 UTC 2023 Sun Nov 26 11:43:02 UTC 2028 CN=scm-sub-30844965145353479@ozn-decom56-4.ozn-decom56.xyz,OU=8c24b790-06a8-4670-97a8-94656d9a13c9,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{code}
> _ozn-decom56-4.ozn-decom56.xyz_ was newly decommissioned and got its cert at Thu Oct 19 11:43:02 UTC 2023.
> In the issuer section, can still see that it's signed by scm-1, whereas it should have been issued by scm-sub.
> {noformat}
> CN=scm-1@ozn-decom56-3.ozn-decom56.xyz,OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{noformat}
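A check over a certificate listing in the column layout quoted in the report, labelling each entry by whether its issuer is the self-signed root. This is an added example, not part of the Jira issue or of Ozone's code; the sample rows, host names, shortened DNs and function names are constructed for illustration.

```python
import re

# Constructed sample in the column layout of the listing in the report; host
# names and the shortened DNs are made up, not the cluster's real values.
SAMPLE = """\
SerialNumber Valid From Expiry Subject Issuer
1 Thu Oct 19 11:33:32 UTC 2023 Sun Nov 26 11:33:32 UTC 2028 CN=scm-1@scm3.example,OU=u3,O=CID-c1 CN=scm-1@scm3.example,OU=u3,O=CID-c1
101 Thu Oct 19 11:33:32 UTC 2023 Sun Nov 26 11:33:32 UTC 2028 CN=scm-sub-11@scm3.example,OU=u3,O=CID-c1 CN=scm-1@scm3.example,OU=u3,O=CID-c1
102 Thu Oct 19 11:43:02 UTC 2023 Sun Nov 26 11:43:02 UTC 2028 CN=scm-sub-22@scm4.example,OU=u4,O=CID-c1 CN=scm-1@scm3.example,OU=u3,O=CID-c1
103 Thu Oct 19 12:10:00 UTC 2023 Thu Oct 19 13:10:00 UTC 2023 CN=om@om1.example,OU=u5,O=CID-c1 CN=scm-sub-11@scm3.example,OU=u3,O=CID-c1
"""

def parse_cert_list(text):
    """Parse rows of: serial, 6-token start date, 6-token end date, subject, issuer.
    Assumes DNs contain no spaces, as in the listing quoted in the report."""
    certs = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 15 or not tok[0].isdigit():
            continue  # header row or a line in some other layout
        certs.append({
            "serial": tok[0],
            "valid_from": " ".join(tok[1:7]),
            "expiry": " ".join(tok[7:13]),
            "subject": tok[13],
            "issuer": tok[14],
        })
    return certs

def common_name(dn):
    """Return the CN value of a DN string, or the DN itself if it has no CN."""
    m = re.match(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn

def issuer_report(certs):
    """Label each certificate by its issuer relative to the self-signed root(s)."""
    roots = {c["subject"] for c in certs if c["subject"] == c["issuer"]}
    report = []
    for c in certs:
        if c["subject"] in roots:
            kind = "self-signed root"
        elif c["issuer"] in roots:
            kind = "issued by root"
        else:
            kind = "issued by non-root CA"
        report.append((c["serial"], common_name(c["subject"]), c["valid_from"], kind))
    return report

if __name__ == "__main__":
    for row in issuer_report(parse_cert_list(SAMPLE)):
        print(*row, sep=" | ")
```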