Posted to issues@ozone.apache.org by GitBox <gi...@apache.org> on 2021/02/08 14:47:27 UTC

[GitHub] [ozone] adoroszlai opened a new pull request #1912: HDDS-4788. Enable mTLS for Ratis in OM HA

adoroszlai opened a new pull request #1912:
URL: https://github.com/apache/ozone/pull/1912


   ## What changes were proposed in this pull request?
   
   Let OM HA enable TLS for its internal Ratis if `SecurityConfig#isGrpcTlsEnabled` is true (i.e. if `hdds.grpc.tls.enabled=true`)
   
   To make this work in a docker-compose cluster, we need a small tweak in the OM certificate request.  Normally hostname is included in the alternative names list, and subject name can be anything (in our case it's in the form of `user@host`, e.g. `root@om1`).  However, if reverse lookup for OM host's IP does not work, then subject name will be the only information available for certificate verification to match DNS.  In this case we should omit the username part, because it will cause DNS match to fail.
   
   https://issues.apache.org/jira/browse/HDDS-4788
   
   ## How was this patch tested?
   
   Enabled `hdds.grpc.tls.enabled=true` in `ozonesecure-om-ha` cluster.
   
   https://github.com/adoroszlai/hadoop-ozone/actions/runs/547953101


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org
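
The subject-name issue described in the pull request above, as an added example that is not part of the original message and is not Ozone or Ratis code. It models peer-name checking under the assumption that dNSName alternative names take precedence and the subject name is consulted only when no such entry exists; `verify_peer`, `om_subject`, `preflight` and the `om2`/`om3` hosts are hypothetical.

```python
"""Simplified model of TLS peer-name checking (constructed example, not Ozone code)."""


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().lower().rstrip(".")


def verify_peer(hostname, subject_cn, san_dns):
    """Return (ok, source) for a dialled hostname against one certificate.

    Assumption: dNSName SAN entries take precedence and the subject CN is
    consulted only when the certificate carries no dNSName SAN at all.
    """
    if san_dns:
        return any(_norm(n) == _norm(hostname) for n in san_dns), "SAN"
    return _norm(subject_cn) == _norm(hostname), "CN"


def om_subject(user, host, include_user):
    # Hypothetical helper: the two subject forms discussed in the PR.
    return f"{user}@{host}" if include_user else host


def preflight(certs):
    """certs maps dialled hostname -> (subject_cn, san_dns); return failing hosts."""
    failing = []
    for host, (cn, sans) in sorted(certs.items()):
        ok, _ = verify_peer(host, cn, sans)
        if not ok:
            failing.append(host)
    return failing


# Constructed sample: three OMs; reverse lookup failed for om2 and om3,
# so their certificate requests ended up with no hostname in the SAN list.
SAMPLE = {
    "om1": (om_subject("root", "om1", True), ["om1"]),   # SAN present
    "om2": (om_subject("root", "om2", True), []),        # CN only, user@host
    "om3": (om_subject("root", "om3", False), []),       # CN only, bare host
}

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

Only the certificate that has no hostname in its alternative names and still carries `user@host` as subject fails the check.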


[GitHub] [ozone] amaliujia commented on pull request #1912: HDDS-4788. Enable mTLS for Ratis in OM HA

Posted by GitBox <gi...@apache.org>.
amaliujia commented on pull request #1912:
URL: https://github.com/apache/ozone/pull/1912#issuecomment-776505804


   @bshashikant @xiaoyuyao 
   
   Do we need the same change on SCM Ratis?




[GitHub] [ozone] adoroszlai commented on pull request #1912: HDDS-4788. Enable mTLS for Ratis in OM HA

Posted by GitBox <gi...@apache.org>.
adoroszlai commented on pull request #1912:
URL: https://github.com/apache/ozone/pull/1912#issuecomment-776544969


   Thanks @xiaoyuyao for the review.




[GitHub] [ozone] adoroszlai merged pull request #1912: HDDS-4788. Enable mTLS for Ratis in OM HA

Posted by GitBox <gi...@apache.org>.
adoroszlai merged pull request #1912:
URL: https://github.com/apache/ozone/pull/1912


   




[GitHub] [ozone] bshashikant commented on pull request #1912: HDDS-4788. Enable mTLS for Ratis in OM HA

Posted by GitBox <gi...@apache.org>.
bshashikant commented on pull request #1912:
URL: https://github.com/apache/ozone/pull/1912#issuecomment-776516164


   > @bshashikant @xiaoyuyao
   > 
   > Do we need the same change on SCM Ratis?
   
   Yes, we need it, and we will enable it when we implement security in SCM HA.

