Posted to issues@ozone.apache.org by "Sammi Chen (Jira)" <ji...@apache.org> on 2022/10/27 09:00:00 UTC

[jira] [Resolved] (HDDS-7220) SCM should use sub-ca certificate for token signature without HA enabled.

     [ https://issues.apache.org/jira/browse/HDDS-7220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sammi Chen resolved HDDS-7220.
------------------------------
    Resolution: Fixed

> SCM should use sub-ca certificate for token signature without HA enabled. 
> --------------------------------------------------------------------------
>
>                 Key: HDDS-7220
>                 URL: https://issues.apache.org/jira/browse/HDDS-7220
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Sammi Chen
>            Assignee: Sammi Chen
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 1.3.0, 1.4.0
>
>
> Currently, SCM is using the root CA certificate to sign the container token signature. The root CA certificate's key usage is for CRL signing and certificate signing, not digital signatures. A token signed by the root CA certificate cannot be verified by the DN. Here is an example exception:
>
> 2022-09-05 15:38:09,369 INFO org.apache.hadoop.ozone.container.common.impl.HddsDispatcher: Operation: DeleteContainer , Trace ID:  , Message: Block token verification failed. Error while signing the stream , Result: BLOCK_TOKEN_VERIFICATION_FAILED , StorageContainerException Occurred.
> org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException: Block token verification failed. Error while signing the stream
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:212)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.lambda$dispatch$0(HddsDispatcher.java:169)
>         at org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher.processRequest(OzoneProtocolMessageDispatcher.java:87)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatch(HddsDispatcher.java:168)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:57)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:50)
>         at org.apache.ratis.thirdparty.io.grpc.stub.ServerCalls$StreamingServerCallHandler$StreamingServerCallListener.onMessage(ServerCalls.java:255)
>         at org.apache.ratis.thirdparty.io.grpc.ForwardingServerCallListener.onMessage(ForwardingServerCallListener.java:33)
>         at org.apache.hadoop.hdds.tracing.GrpcServerInterceptor$1.onMessage(GrpcServerInterceptor.java:49)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailableInternal(ServerCallImpl.java:309)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailable(ServerCallImpl.java:292)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerImpl$JumpToApplicationThreadServerStreamListener$1MessagesAvailable.runInContext(ServerImpl.java:782)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
>         at org.apache.ratis.thirdparty.io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.hadoop.hdds.security.x509.exceptions.CertificateException: Error while signing the stream
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:468)
>         at org.apache.hadoop.hdds.security.token.ShortLivedTokenVerifier.verify(ShortLivedTokenVerifier.java:111)
>         at org.apache.hadoop.hdds.security.token.CompositeTokenVerifier.verify(CompositeTokenVerifier.java:43)
>         at org.apache.hadoop.hdds.security.token.TokenVerifier.verify(TokenVerifier.java:71)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.validateToken(HddsDispatcher.java:428)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:209)
>         ... 16 more
> Caused by: java.security.InvalidKeyException: Wrong key usage
>         at java.security.Signature.initVerify(Signature.java:504)
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:462)
>         ... 21 more
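The "Wrong key usage" at the bottom of that trace is the JDK's Signature.initVerify(Certificate) refusing a signer certificate whose critical KeyUsage carries only keyCertSign/cRLSign and not digitalSignature. The Go program below is an added example, not code from the Ozone project: it builds two constructed self-signed certificates, one CA-only and one that permits digitalSignature, and applies the same gate in a verifyToken function before checking the token signature; the certificate names, token payload and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed cert with the given KeyUsage bits
// (constructed fixture; Go emits a non-zero KeyUsage as a critical extension).
func newSelfSignedCert(cn string, usage x509.KeyUsage) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     usage, // e.g. CertSign|CRLSign for a CA, DigitalSignature for a token signer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

func signToken(priv ed25519.PrivateKey, token []byte) []byte {
	return ed25519.Sign(priv, token) // Ed25519 signs the raw token bytes; no separate digest step
}

// verifyToken applies the same gate as the JDK's Signature.initVerify(Certificate): a signer
// whose (critical) KeyUsage lacks digitalSignature is rejected before the bytes are checked.
func verifyToken(cert *x509.Certificate, token, sig []byte) error {
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("wrong key usage")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, token, sig) {
		return errors.New("signature mismatch")
	}
	return nil
}
```

A DN applying this check rejects a token from a CA-only certificate regardless of whether the signature bytes are valid, which is exactly why moving SCM's token signing to a certificate with digitalSignature usage fixes the failure.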


