Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2023/08/04 22:37:00 UTC

[jira] [Resolved] (HDDS-9015) Block CSR request in SCM for "hdds.x509.rootca.certificate.polling.interval" time period

     [ https://issues.apache.org/jira/browse/HDDS-9015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

István Fajth resolved HDDS-9015.
--------------------------------
    Fix Version/s: 1.4.0
       Resolution: Fixed

> Block CSR request in SCM for "hdds.x509.rootca.certificate.polling.interval" time period 
> -----------------------------------------------------------------------------------------
>
>                 Key: HDDS-9015
>                 URL: https://issues.apache.org/jira/browse/HDDS-9015
>             Project: Apache Ozone
>          Issue Type: Sub-task
>            Reporter: Sammi Chen
>            Assignee: Sammi Chen
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.4.0
>
>
> Once the root CA rotation and sub CA rotation have finished, the leader SCM will start to serve CSR requests from other services, like existing OM, DN, Recon, or newly added OM, DN and SCM.
> But the problem is that every service's certificate is signed without coordination, so there will be some services whose certificates are already signed by the new root CA, and some services whose certificates are still the old certificates and the cert renewal has not happened yet. These services then cannot talk to each other, because some already got the new certificate and the new root CA certificate, but some have not.
> Blocking the CSR for a "hdds.x509.rootca.certificate.polling.interval" period of time will guarantee that all services get the root CA certificate during this duration, so the above cannot-talk-to-each-other case can be avoided.
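
The timing argument in the description above, as an added model (not code from Ozone or from this issue): it counts service pairs where one side already holds a certificate signed by the new root CA while the peer has not yet polled that root CA certificate. It assumes every service polls once per interval with its own phase; all names, times and the interval value are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    poll_phase: int  # offset of this service's root CA polling cycle, in seconds
    csr_time: int    # when it sends its CSR to the leader SCM, in seconds

def learns_new_root_at(svc, rotation_done, interval):
    """First poll at or after rotation_done; always earlier than rotation_done + interval."""
    return rotation_done + (svc.poll_phase - rotation_done) % interval

def cert_issued_at(svc, rotation_done, block_for):
    """CSRs arriving inside the blocking window are only served once it ends."""
    return max(svc.csr_time, rotation_done + block_for)

def broken_pairs(services, rotation_done, interval, block_for):
    """(holder, peer) pairs where holder has a new-root cert before peer trusts that root."""
    broken = []
    for holder in services:
        issued = cert_issued_at(holder, rotation_done, block_for)
        for peer in services:
            if peer is holder:
                continue
            if learns_new_root_at(peer, rotation_done, interval) > issued:
                broken.append((holder.name, peer.name))
    return broken

# Constructed sample: stand-in polling interval and a four-service cluster.
INTERVAL = 7_200
ROTATION_DONE = 100_000
SERVICES = [
    Service("om1", poll_phase=300, csr_time=100_010),
    Service("dn1", poll_phase=5_000, csr_time=100_500),
    Service("dn2", poll_phase=7_100, csr_time=104_000),
    Service("recon", poll_phase=1_200, csr_time=109_000),
]

if __name__ == "__main__":
    for block in (0, INTERVAL // 2, INTERVAL):
        pairs = broken_pairs(SERVICES, ROTATION_DONE, INTERVAL, block)
        print(f"block CSR for {block:>5}s -> {len(pairs)} broken pairs: {pairs}")
```

A blocking window shorter than the polling interval still leaves pairs broken in this model; only a window of the full interval brings the count to zero.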


