Posted to issues@ozone.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/09/14 04:01:00 UTC

[jira] [Updated] (HDDS-7220) SCM should use sub-ca certificate for token signature without HA enabled.

     [ https://issues.apache.org/jira/browse/HDDS-7220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HDDS-7220:
---------------------------------
    Labels: pull-request-available  (was: )

> SCM should use sub-ca certificate for token signature without HA enabled. 
> --------------------------------------------------------------------------
>
>                 Key: HDDS-7220
>                 URL: https://issues.apache.org/jira/browse/HDDS-7220
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Sammi Chen
>            Assignee: Sammi Chen
>            Priority: Major
>              Labels: pull-request-available
>
> Currently, SCM is using the root CA certificate to sign the container token. The root CA certificate's key usage covers CRL signing and certificate signing, not digital signature. A token signed by the root CA certificate cannot be verified by the DN. Here is an example exception:
>
> 2022-09-05 15:38:09,369 INFO org.apache.hadoop.ozone.container.common.impl.HddsDispatcher: Operation: DeleteContainer , Trace ID:  , Message: Block token verification failed. Error while signing the stream , Result: BLOCK_TOKEN_VERIFICATION_FAILED , StorageContainerException Occurred.
> org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException: Block token verification failed. Error while signing the stream
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:212)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.lambda$dispatch$0(HddsDispatcher.java:169)
>         at org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher.processRequest(OzoneProtocolMessageDispatcher.java:87)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatch(HddsDispatcher.java:168)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:57)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:50)
>         at org.apache.ratis.thirdparty.io.grpc.stub.ServerCalls$StreamingServerCallHandler$StreamingServerCallListener.onMessage(ServerCalls.java:255)
>         at org.apache.ratis.thirdparty.io.grpc.ForwardingServerCallListener.onMessage(ForwardingServerCallListener.java:33)
>         at org.apache.hadoop.hdds.tracing.GrpcServerInterceptor$1.onMessage(GrpcServerInterceptor.java:49)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailableInternal(ServerCallImpl.java:309)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailable(ServerCallImpl.java:292)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerImpl$JumpToApplicationThreadServerStreamListener$1MessagesAvailable.runInContext(ServerImpl.java:782)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
>         at org.apache.ratis.thirdparty.io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.hadoop.hdds.security.x509.exceptions.CertificateException: Error while signing the stream
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:468)
>         at org.apache.hadoop.hdds.security.token.ShortLivedTokenVerifier.verify(ShortLivedTokenVerifier.java:111)
>         at org.apache.hadoop.hdds.security.token.CompositeTokenVerifier.verify(CompositeTokenVerifier.java:43)
>         at org.apache.hadoop.hdds.security.token.TokenVerifier.verify(TokenVerifier.java:71)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.validateToken(HddsDispatcher.java:428)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:209)
>         ... 16 more
> Caused by: java.security.InvalidKeyException: Wrong key usage
>         at java.security.Signature.initVerify(Signature.java:504)
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:462)
>         ... 21 more
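The failure in the report is an X.509 key-usage check, not a bad signature: the JDK's `Signature.initVerify(Certificate)` refuses a certificate whose critical KeyUsage extension lacks the digitalSignature bit before it even looks at the signature bytes, which is exactly what a root CA certificate issued for keyCertSign/cRLSign only looks like. The following Go program is an added illustration, not Ozone code: it issues a root CA with keyCertSign|cRLSign only and a sub-CA that additionally carries digitalSignature, signs the same constructed token payload with each, and runs a verifier that replays the JDK's key-usage precondition before checking the ECDSA signature. All names (`newCert`, `signToken`, `verifyToken`, `tokenScenario`, `ErrWrongKeyUsage`) and the token payload are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyUsageOID is the X.509 KeyUsage extension identifier (2.5.29.15).
var keyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15}

// ErrWrongKeyUsage mirrors the JDK's InvalidKeyException("Wrong key usage")
// seen in the DN stack trace above.
var ErrWrongKeyUsage = errors.New("wrong key usage: certificate lacks digitalSignature")

// newCert issues an ECDSA P-256 certificate with the given key usage.
// A nil parent means the certificate is self-signed (a root CA).
func newCert(cn string, usage x509.KeyUsage, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage, // Go marks the KeyUsage extension critical
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signToken signs a token payload: SHA-256 digest, ECDSA, ASN.1 DER signature.
func signToken(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyToken replays the precondition java.security.Signature.initVerify(Certificate)
// enforces: when the KeyUsage extension is present and critical, digitalSignature must be
// set or the certificate is rejected outright. Only then is the signature checked.
func verifyToken(cert *x509.Certificate, payload, sig []byte) error {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(keyUsageOID) && ext.Critical &&
			cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			return ErrWrongKeyUsage
		}
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

// tokenScenario signs one constructed token with the root CA key and with the sub-CA key
// and returns each verification result (rootErr, subCAErr) plus any setup error.
func tokenScenario() (rootErr, subCAErr, setupErr error) {
	root, rootKey, err := newCert("root-ca", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	subCA, subKey, err := newCert("sub-ca",
		x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, true, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	// Constructed token payload; the real container token is a serialized identifier.
	payload := []byte("constructed container token: containerID=42 op=DeleteContainer")
	rootSig, err := signToken(rootKey, payload)
	if err != nil {
		return nil, nil, err
	}
	subSig, err := signToken(subKey, payload)
	if err != nil {
		return nil, nil, err
	}
	return verifyToken(root, payload, rootSig), verifyToken(subCA, payload, subSig), nil
}

func main() {
	rootErr, subCAErr, err := tokenScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("token signed by root CA  :", rootErr)
	fmt.Println("token signed by sub-CA   :", subCAErr)
}
```

The root-CA-signed token is rejected with the key-usage error even though its signature is mathematically valid, while the sub-CA-signed token verifies; this is the behaviour the issue asks SCM to rely on by signing tokens with the sub-CA certificate. A useful pre-deployment check follows from the same logic: inspect the KeyUsage extension of whatever certificate the token issuer is configured with and confirm the digitalSignature bit is set.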



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
