This is an automated email from the ASF dual-hosted git repository.
sammichen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new ecc2f189e4 HDDS-7708. No check for certificate duration config
scenarios. (#4149)
ecc2f189e4 is described below
commit ecc2f189e409c1dc72f813f0c5813450a19d6da5
Author: ashishkumar50 <[email protected]>
AuthorDate: Fri Jan 6 18:36:54 2023 +0530
HDDS-7708. No check for certificate duration config scenarios. (#4149)
---
.../hadoop/hdds/security/x509/SecurityConfig.java | 45 +++++++++++++++++++---
.../ozoneimpl/TestOzoneContainerWithTLS.java | 3 ++
2 files changed, 42 insertions(+), 6 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
index ecc92debdf..1fe22a45c9 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -186,12 +186,7 @@ public class SecurityConfig {
HDDS_X509_RENEW_GRACE_DURATION_DEFAULT);
renewalGracePeriod = Duration.parse(renewalGraceDurationString);
- if (maxCertDuration.compareTo(defaultCertDuration) < 0) {
- LOG.error("Certificate duration {} should not be greater than Maximum " +
- "Certificate duration {}", maxCertDuration, defaultCertDuration);
- throw new IllegalArgumentException("Certificate duration should not be "
+
- "greater than maximum Certificate duration");
- }
+ validateCertificateValidityConfig();
this.externalRootCaCert = this.configuration.get(
HDDS_X509_ROOTCA_CERTIFICATE_FILE,
@@ -228,6 +223,44 @@ public class SecurityConfig {
TimeUnit.MILLISECONDS);
}
+ /**
+ * Check for certificate validity configuration.
+ */
+ private void validateCertificateValidityConfig() {
+ if (maxCertDuration.isNegative() || maxCertDuration.isZero()) {
+ String msg = "Property " + HDDS_X509_MAX_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (defaultCertDuration.isNegative() || defaultCertDuration.isZero()) {
+ String msg = "Property " + HDDS_X509_DEFAULT_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (renewalGracePeriod.isNegative() || renewalGracePeriod.isZero()) {
+ String msg = "Property " + HDDS_X509_RENEW_GRACE_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+
+ if (maxCertDuration.compareTo(defaultCertDuration) < 0) {
+ String msg = "Property " + HDDS_X509_DEFAULT_DURATION +
+ " should not be greater than Property " + HDDS_X509_MAX_DURATION;
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (defaultCertDuration.compareTo(renewalGracePeriod) < 0) {
+ String msg = "Property " + HDDS_X509_RENEW_GRACE_DURATION +
+ " should not be greater than Property "
+ + HDDS_X509_DEFAULT_DURATION;
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ }
+
/**
* Returns the CRL Name.
*
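Review bot: The new checks drop the configured values from the error messages: the removed LOG.error in the constructor logged maxCertDuration and defaultCertDuration, whereas the five messages in validateCertificateValidityConfig name only the property keys, so an operator cannot see which parsed Duration was rejected. Each message should carry the value, e.g. `String msg = "Property " + HDDS_X509_DEFAULT_DURATION + " (" + defaultCertDuration + ") should not be greater than Property " + HDDS_X509_MAX_DURATION + " (" + maxCertDuration + ")";`. The three zero/negative blocks differ only in the key and the field, so they could go through one private helper as sketched below, which also gives a single place to keep the log-then-throw pattern. The Javadoc "Check for certificate validity configuration." could state the invariant actually enforced, e.g. `Validates that the max, default and renew-grace certificate durations are all positive and that renewGrace <= default <= max; throws IllegalArgumentException otherwise.` The ordering checks use `< 0`, so a grace period equal to the default lifetime passes; if renewal is meant to start strictly after issuance that boundary should be `<= 0` — worth confirming against the renewal logic.
```java
  private void validateCertificateValidityConfig() {
    requirePositive(HDDS_X509_MAX_DURATION, maxCertDuration);
    requirePositive(HDDS_X509_DEFAULT_DURATION, defaultCertDuration);
    requirePositive(HDDS_X509_RENEW_GRACE_DURATION, renewalGracePeriod);
    if (maxCertDuration.compareTo(defaultCertDuration) < 0) {
      failConfig("Property " + HDDS_X509_DEFAULT_DURATION + " (" + defaultCertDuration
          + ") should not be greater than Property " + HDDS_X509_MAX_DURATION
          + " (" + maxCertDuration + ")");
    }
    // … unchanged: renew-grace vs default check, with the two values added the same way …
  }

  /** Logs and rejects a configured duration that is zero or negative. */
  private void requirePositive(String key, Duration value) {
    if (value.isNegative() || value.isZero()) {
      failConfig("Property " + key + " (" + value + ") should not be zero or negative");
    }
  }

  /** Logs the message at error level and throws IllegalArgumentException. */
  private void failConfig(String msg) {
    LOG.error(msg);
    throw new IllegalArgumentException(msg);
  }
```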
diff --git
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
index ebb8e97ba4..861f7ca8c4 100644
---
a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
+++
b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
@@ -74,6 +74,7 @@ import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_KEY_LEN;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SECURITY_SSL_KEYSTORE_RELOAD_INTERVAL;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SECURITY_SSL_TRUSTSTORE_RELOAD_INTERVAL;
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_DEFAULT_DURATION;
+import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_DATANODE_DIR_KEY;
import static
org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
@@ -131,9 +132,11 @@ public class TestOzoneContainerWithTLS {
conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
conf.setInt(HDDS_KEY_LEN, 1024);
+
// certificate lives for 10s
conf.set(HDDS_X509_DEFAULT_DURATION,
Duration.ofMillis(certLifetime).toString());
+ conf.set(HDDS_X509_RENEW_GRACE_DURATION, "PT2S");
conf.set(HDDS_SECURITY_SSL_KEYSTORE_RELOAD_INTERVAL, "1s");
conf.set(HDDS_SECURITY_SSL_TRUSTSTORE_RELOAD_INTERVAL, "1s");
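Review bot: The new `conf.set(HDDS_X509_RENEW_GRACE_DURATION, "PT2S")` is an unexplained constant; it appears to be there so that the SecurityConfig validation added in this commit (the renew grace period must not exceed the default duration) accepts the 10s certificate lifetime set just above, but nothing on the line says so. A comment would make the coupling explicit, e.g. `// grace period must be shorter than the 10s certificate lifetime above, otherwise SecurityConfig rejects the config`. Since the lifetime is derived from certLifetime, computing the grace period from it as well (a fraction of `Duration.ofMillis(certLifetime)`) would keep the two values in step if certLifetime is ever changed. The enclosing setup method starts and ends outside the hunk.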