This is an automated email from the ASF dual-hosted git repository.
pifta pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 71d42acbd6 HDDS-8959. Add the ability to turn off automated CA
rotation (#5041)
71d42acbd6 is described below
commit 71d42acbd6fead3aa700af5ac7c348c6200ef80d
Author: Sammi Chen <[email protected]>
AuthorDate: Thu Jul 13 19:19:19 2023 +0800
HDDS-8959. Add the ability to turn off automated CA rotation (#5041)
---
.../java/org/apache/hadoop/hdds/HddsConfigKeys.java | 3 +++
.../apache/hadoop/hdds/security/SecurityConfig.java | 9 +++++++++
.../common/src/main/resources/ozone-default.xml | 7 +++++++
.../certificate/client/DefaultCertificateClient.java | 4 +++-
.../hdds/scm/server/SCMSecurityProtocolServer.java | 20 ++++++++++++--------
.../hdds/scm/server/StorageContainerManager.java | 4 +++-
.../compose/ozonesecure-ha/root-ca-rotation.yaml | 1 +
.../main/compose/ozonesecure/root-ca-rotation.yaml | 1 +
8 files changed, 39 insertions(+), 10 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
index e1edd94553..6194688101 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java
@@ -226,6 +226,9 @@ public final class HddsConfigKeys {
"hdds.x509.rootca.certificate.polling.interval";
public static final String
HDDS_X509_ROOTCA_CERTIFICATE_POLLING_INTERVAL_DEFAULT = "PT2h";
+ public static final String HDDS_X509_CA_ROTATION_ENABLED =
+ "hdds.x509.ca.rotation.enabled";
+ public static final boolean HDDS_X509_CA_ROTATION_ENABLED_DEFAULT = false;
public static final String HDDS_CONTAINER_REPLICATION_COMPRESSION =
"hdds.container.replication.compression";
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
index d2bd588d09..94fc692157 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/SecurityConfig.java
@@ -48,6 +48,8 @@ import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_ACK_TI
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_ACK_TIMEOUT_DEFAULT;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL_DEFAULT;
+import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_ENABLED;
+import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_ENABLED_DEFAULT;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_TIME_OF_DAY;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_CA_ROTATION_TIME_OF_DAY_DEFAULT;
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_ROOTCA_CERTIFICATE_FILE;
@@ -134,6 +136,7 @@ public class SecurityConfig {
private final Duration caAckTimeout;
private final SslProvider grpcSSLProvider;
private final Duration rootCaCertificatePollingInterval;
+ private final boolean autoCARotationEnabled;
/**
* Constructs a SecurityConfig.
@@ -228,6 +231,8 @@ public class SecurityConfig {
HDDS_X509_CA_ROTATION_ACK_TIMEOUT,
HDDS_X509_CA_ROTATION_ACK_TIMEOUT_DEFAULT);
caAckTimeout = Duration.parse(ackTimeString);
+ autoCARotationEnabled = configuration.getBoolean(
+ HDDS_X509_CA_ROTATION_ENABLED, HDDS_X509_CA_ROTATION_ENABLED_DEFAULT);
validateCertificateValidityConfig();
@@ -566,6 +571,10 @@ public class SecurityConfig {
return rootCaCertificatePollingInterval;
}
+ public boolean isAutoCARotationEnabled() {
+ return autoCARotationEnabled;
+ }
+
/**
* Return true if using test certificates with authority as localhost. This
* should be used only for unit test where certificates are generated by
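Review bot: The new accessor `isAutoCARotationEnabled()` has no Javadoc, while the neighbouring methods in this class do, and the flag it exposes now gates two separate behaviours elsewhere in the commit (creation of the SCM rotation manager and the client-side root CA poller), which is worth saying at the one place readers will look. Suggested Javadoc: `/** Whether automated root CA / sub CA rotation is enabled (hdds.x509.ca.rotation.enabled). When false, SCM does not create a RootCARotationManager and clients do not start the root CA rotation poller. */`. As a style point, the field `autoCARotationEnabled` breaks the acronym-as-word convention the rest of this file follows (`caAckTimeout`, `rootCaCertificatePollingInterval`); `autoCaRotationEnabled` / `isAutoCaRotationEnabled()` would match.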
diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml
b/hadoop-hdds/common/src/main/resources/ozone-default.xml
index 3e9279dda8..d392fe97f6 100644
--- a/hadoop-hdds/common/src/main/resources/ozone-default.xml
+++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml
@@ -2276,6 +2276,13 @@
is failed. Default is 15 minutes.
</description>
</property>
+ <property>
+ <name>hdds.x509.ca.rotation.enabled</name>
+ <value>false</value>
+ <tag>OZONE, HDDS, SECURITY</tag>
+ <description>Whether auto root CA and sub CA certificate rotation is
enabled or not. Default is disabled.
+ </description>
+ </property>
<property>
<name>hdds.x509.rootca.certificate.polling.interval</name>
<value>PT2h</value>
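Review bot: The description for `hdds.x509.ca.rotation.enabled` does not tell operators that the flag is read on both sides: SCM uses it to decide whether to construct the rotation manager, and certificate clients use it to decide whether to start the root CA rotation poller, so it has to be set consistently on SCM and on every client. I would extend the description to: `Whether automated root CA and sub CA certificate rotation is enabled. Must be set to the same value on SCM and on all services that obtain certificates from SCM, since it controls both the SCM-side rotation manager and the client-side root CA polling. Default is disabled.` Mentioning that a change requires a restart would also help, if that is the case — the diff reads the value once in the SecurityConfig constructor.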
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index c63f57c1e2..6dff86fd52 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -172,7 +172,9 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
}
if (shouldStartCertificateRenewerService()) {
- startRootCaRotationPoller();
+ if (securityConfig.isAutoCARotationEnabled()) {
+ startRootCaRotationPoller();
+ }
if (certPath != null && executorService == null) {
startCertificateRenewerService();
} else {
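Review bot: When `securityConfig.isAutoCARotationEnabled()` is false the poller is silently skipped, so a client that never picks up a rotated root CA gives an operator nothing in the log to explain why. A one-line else branch using the class's existing logger (not visible in this hunk) would make the state visible, e.g. `LOG.info("Automated CA rotation is disabled; root CA rotation poller not started.");`. The enclosing method starts before this hunk, so I cannot see whether the surrounding branches already log their decisions.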
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
index 588177a0d7..a273d49495 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
@@ -190,8 +190,9 @@ public class SCMSecurityProtocolServer implements
SCMSecurityProtocol,
LOGGER.info("Processing CSR for dn {}, UUID: {}", dnDetails.getHostName(),
dnDetails.getUuid());
Objects.requireNonNull(dnDetails);
- if (storageContainerManager.getRootCARotationManager()
- .isRotationInProgress()) {
+ if (storageContainerManager.getRootCARotationManager() != null &&
+ storageContainerManager.getRootCARotationManager()
+ .isRotationInProgress()) {
throw new SCMException(("Root CA and Sub CA rotation is in-progress." +
" Please try the operation later again."),
SCMException.ResultCodes.CA_ROTATION_IN_PROGRESS);
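Review bot: The same `getRootCARotationManager() != null && getRootCARotationManager().isRotationInProgress()` guard is now copied into four methods of this class (this hunk and the three that follow at -207, -287 and -329), and each copy calls the getter twice. A private helper that reads the manager once makes the "null means rotation disabled" convention explicit in one place, removes the duplicated condition, and leaves each call site as `if (isCaRotationInProgress()) {` (the last one as `if (isCaRotationInProgress() && !isRenew) {`). The helper below uses the `RootCARotationManager` type that StorageContainerManager constructs in this same commit.
```java
/**
 * Returns true only when automated CA rotation is enabled (the SCM has a
 * RootCARotationManager) and a rotation is currently in progress.
 */
private boolean isCaRotationInProgress() {
  RootCARotationManager manager = storageContainerManager.getRootCARotationManager();
  return manager != null && manager.isRotationInProgress();
}
// … unchanged: CSR handling in the four call sites, each guard replaced by isCaRotationInProgress() …
```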
@@ -207,8 +208,9 @@ public class SCMSecurityProtocolServer implements
SCMSecurityProtocol,
nodeDetails.getNodeType(), nodeDetails.getHostName(),
nodeDetails.getUuid());
Objects.requireNonNull(nodeDetails);
- if (storageContainerManager.getRootCARotationManager()
- .isRotationInProgress()) {
+ if (storageContainerManager.getRootCARotationManager() != null &&
+ storageContainerManager.getRootCARotationManager()
+ .isRotationInProgress()) {
throw new SCMException(("Root CA and Sub CA rotation is in-progress." +
" Please try the operation later again."),
SCMException.ResultCodes.CA_ROTATION_IN_PROGRESS);
@@ -287,8 +289,9 @@ public class SCMSecurityProtocolServer implements
SCMSecurityProtocol,
LOGGER.info("Processing CSR for om {}, UUID: {}", omDetails.getHostName(),
omDetails.getUuid());
Objects.requireNonNull(omDetails);
- if (storageContainerManager.getRootCARotationManager()
- .isRotationInProgress()) {
+ if (storageContainerManager.getRootCARotationManager() != null &&
+ storageContainerManager.getRootCARotationManager()
+ .isRotationInProgress()) {
throw new SCMException(("Root CA and Sub CA rotation is in-progress." +
" Please try the operation later again."),
SCMException.ResultCodes.CA_ROTATION_IN_PROGRESS);
@@ -329,8 +332,9 @@ public class SCMSecurityProtocolServer implements
SCMSecurityProtocol,
+ storageContainerManager.getClusterId());
}
- if (storageContainerManager.getRootCARotationManager()
- .isRotationInProgress() && !isRenew) {
+ if (storageContainerManager.getRootCARotationManager() != null &&
+ storageContainerManager.getRootCARotationManager()
+ .isRotationInProgress() && !isRenew) {
throw new SCMException(("Root CA and Sub CA rotation is in-progress." +
" Please try the operation later again."),
SCMException.ResultCodes.CA_ROTATION_IN_PROGRESS);
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
index cbf4f96181..9a0ab7e936 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
@@ -910,7 +910,9 @@ public final class StorageContainerManager extends
ServiceRuntimeInfoImpl
if (securityConfig.isContainerTokenEnabled()) {
containerTokenMgr = createContainerTokenSecretManager();
}
- rootCARotationManager = new RootCARotationManager(this);
+ if (securityConfig.isAutoCARotationEnabled()) {
+ rootCARotationManager = new RootCARotationManager(this);
+ }
}
/**
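Review bot: After this change `rootCARotationManager` stays null whenever the flag is off, but nothing at the field or the getter records that, and only the four call sites patched in SCMSecurityProtocolServer are guarded in this commit; any other caller of `getRootCARotationManager()` — for example start/stop or status paths in this class, which are outside the hunk — would need the same null check and is not visible here. I would document the contract on the field: `// null when hdds.x509.ca.rotation.enabled is false; callers must null-check`, and mirror it in the getter's Javadoc. An INFO log in the else branch (`LOG.info("Automated CA rotation is disabled.");`) would also let operators confirm the SCM-side state without reading the config. The enclosing method starts before this hunk.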
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
index bedf6de3c3..b857854355 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
@@ -34,6 +34,7 @@ x-root-cert-rotation-config:
- OZONE-SITE.XML_ozone.scm.info.wait.duration=60s
- OZONE-SITE.XML_ozone.scm.ha.ratis.request.timeout=2s
-
OZONE-SITE.XML_ozone.http.filter.initializers=org.apache.hadoop.security.HttpCrossOriginFilterInitializer
+ - OZONE-SITE.XML_hdds.x509.ca.rotation.enabled=true
services:
datanode1:
<<: *root-cert-rotation-config
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
b/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
index 9dccb44945..bb51f80261 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
@@ -35,6 +35,7 @@ x-root-cert-rotation-config:
- OZONE-SITE.XML_ozone.scm.info.wait.duration=60s
- OZONE-SITE.XML_ozone.scm.ha.ratis.request.timeout=2s
-
OZONE-SITE.XML_ozone.http.filter.initializers=org.apache.hadoop.security.HttpCrossOriginFilterInitializer
+ - OZONE-SITE.XML_hdds.x509.ca.rotation.enabled=true
services:
datanode:
<<: *root-cert-rotation-config