This is an automated email from the ASF dual-hosted git repository.
ritesh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new e6554d7118 HDDS-9066. Remove the renew logic added by HDDS-7453.
(#5107)
e6554d7118 is described below
commit e6554d7118b355621762aee004f154ff9c4ec02b
Author: Istvan Fajth <[email protected]>
AuthorDate: Tue Jul 25 20:27:41 2023 +0200
HDDS-9066. Remove the renew logic added by HDDS-7453. (#5107)
---
.../x509/certificate/client/CertificateClient.java | 3 +-
.../apache/hadoop/ozone/HddsDatanodeService.java | 8 ---
.../client/CommonCertificateClient.java | 6 --
.../client/DefaultCertificateClient.java | 51 +---------------
.../certificate/client/SCMCertificateClient.java | 3 -
.../client/TestDefaultCertificateClient.java | 69 ----------------------
.../org/apache/hadoop/ozone/om/OzoneManager.java | 11 ----
.../org/apache/hadoop/ozone/recon/ReconServer.java | 9 ---
8 files changed, 2 insertions(+), 158 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
index d969439c3a..656f2acab5 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
@@ -263,7 +263,6 @@ public interface CertificateClient extends Closeable {
SUCCESS,
FAILURE,
GETCERT,
- RECOVER,
- REINIT
+ RECOVER
}
}
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
index 06a296047d..417cc83bd5 100644
---
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java
@@ -384,14 +384,6 @@ public class HddsDatanodeService extends GenericCli
implements ServicePlugin {
certClient = dnCertClient;
}
CertificateClient.InitResponse response = certClient.init();
- if (response.equals(CertificateClient.InitResponse.REINIT)) {
- certClient.close();
- LOG.info("Re-initialize certificate client.");
- certClient = new DNCertificateClient(secConf,
- createScmSecurityClient(),
- datanodeDetails, null, this::saveNewCertId, this::terminateDatanode);
- response = certClient.init();
- }
LOG.info("Init response: {}", response);
switch (response) {
case SUCCESS:
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
index 8ab3c13719..a09eb05dc6 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CommonCertificateClient.java
@@ -28,7 +28,6 @@ import java.util.function.Consumer;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.FAILURE;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.GETCERT;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.RECOVER;
-import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.REINIT;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.SUCCESS;
/**
@@ -114,11 +113,6 @@ public abstract class CommonCertificateClient extends
DefaultCertificateClient {
} else {
return FAILURE;
}
- case EXPIRED_CERT:
- getLogger().info("Component certificate is about to expire. Initiating" +
- "renewal.");
- removeMaterial();
- return REINIT;
default:
log.error("Unexpected case: {} (private/public/cert)",
Integer.toBinaryString(init.ordinal()));
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
index 6077895817..4b71a751d8 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java
@@ -40,7 +40,6 @@ import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
-import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.ArrayList;
@@ -85,7 +84,6 @@ import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_BACKUP_KEY_CERT_DIR_NAM
import static
org.apache.hadoop.hdds.HddsConfigKeys.HDDS_NEW_KEY_CERT_DIR_NAME_SUFFIX;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.FAILURE;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.GETCERT;
-import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.REINIT;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.SUCCESS;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.BOOTSTRAP_ERROR;
import static
org.apache.hadoop.hdds.security.x509.exception.CertificateException.ErrorCode.CERTIFICATE_ERROR;
@@ -637,10 +635,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
* successfully from configured location but
* Certificate.
* 7. ALL Keypair as well as certificate is present.
- * 8. EXPIRED_CERT The certificate is present, but either it has
- * already expired, or is about to be expired within
- * the grace period provided in the configuration.
- *
* */
protected enum InitCase {
NONE,
@@ -650,8 +644,7 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
PRIVATE_KEY,
PRIVATEKEY_CERT,
PUBLICKEY_PRIVATEKEY,
- ALL,
- EXPIRED_CERT
+ ALL
}
/**
@@ -661,9 +654,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
* 2. Generates and stores a keypair.
* 3. Try to recover public key if private key and certificate is present
* but public key is missing.
- * 4. Checks if the certificate is about to be expired or have already been
- * expired, and if yes removes the key material and the certificate and
- * asks for re-initialization in the result.
*
* Truth table:
* +--------------+-----------------+--------------+----------------+
@@ -694,14 +684,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
* will be generated and stored at configured location.
* 2. When keypair (public/private key) is available but certificate is
* missing.
- *
- * Returns REINIT in following case:
- * If it would return SUCCESS, but the certificate expiration date is
- * within the configured grace period or if the certificate is already
- * expired.
- * The grace period is configured by the hdds.x509.renew.grace.duration
- * configuration property.
- *
*/
@Override
public synchronized InitResponse init() throws CertificateException {
@@ -719,18 +701,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
initCase = initCase | 1;
}
- boolean successCase =
- initCase == InitCase.ALL.ordinal() ||
- initCase == InitCase.PRIVATEKEY_CERT.ordinal();
- boolean shouldRenew =
- certificate != null &&
- Instant.now().plus(securityConfig.getRenewalGracePeriod())
- .isAfter(certificate.getNotAfter().toInstant());
-
- if (successCase && shouldRenew) {
- initCase = InitCase.EXPIRED_CERT.ordinal();
- }
-
getLogger().info("Certificate client init case: {}", initCase);
Preconditions.checkArgument(initCase < InitCase.values().length, "Not a " +
"valid case.");
@@ -796,11 +766,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
} else {
return FAILURE;
}
- case EXPIRED_CERT:
- getLogger().info("Component certificate is about to expire. Initiating" +
- "renewal.");
- removeMaterial();
- return REINIT;
default:
getLogger().error("Unexpected case: {} (private/public/cert)",
Integer.toBinaryString(init.ordinal()));
@@ -809,20 +774,6 @@ public abstract class DefaultCertificateClient implements
CertificateClient {
}
}
- protected void removeMaterial() throws CertificateException {
- try {
- FileUtils.deleteDirectory(
- securityConfig.getKeyLocation(component).toFile());
- getLogger().info("Certificate renewal: key material is removed.");
- FileUtils.deleteDirectory(
- securityConfig.getCertificateLocation(component).toFile());
- getLogger().info("Certificate renewal: certificates are removed.");
- } catch (IOException e) {
- throw new CertificateException("Certificate renewal failed: remove key" +
- " material failed.", e);
- }
- }
-
/**
* Validate keypair and certificate.
* */
diff --git
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
index 262bb4b570..15e6614cd0 100644
---
a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
+++
b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java
@@ -136,9 +136,6 @@ public class SCMCertificateClient extends
DefaultCertificateClient {
} else {
return FAILURE;
}
- case EXPIRED_CERT:
- LOG.warn("SCM CA certificate is about to be expire!");
- return SUCCESS;
default:
LOG.error("Unexpected case: {} (private/public/cert)",
Integer.toBinaryString(init.ordinal()));
diff --git
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
index 3bd352713a..5686f0df9e 100644
---
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
+++
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java
@@ -23,7 +23,6 @@ import org.apache.hadoop.hdds.protocol.MockDatanodeDetails;
import
org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto;
import
org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
-import
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
@@ -45,8 +44,6 @@ import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
-import java.util.Calendar;
-import java.util.Date;
import java.util.UUID;
import java.util.function.Predicate;
@@ -68,7 +65,6 @@ import static
org.apache.hadoop.fs.CommonConfigurationKeysPublic.IPC_CLIENT_CONN
import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_METADATA_DIR_NAME;
import static org.apache.hadoop.hdds.scm.ScmConfigKeys.OZONE_SCM_NAMES;
import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.FAILURE;
-import static
org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse.REINIT;
import static
org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec.getPEMEncodedString;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
@@ -80,9 +76,7 @@ import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
/**
@@ -446,69 +440,6 @@ public class TestDefaultCertificateClient {
assertTrue(dnClientLog.getOutput().contains("Can't recover public key"));
}
- @Test
- public void testCertificateExpirationHandlingInInit() throws Exception {
- String certId = "1L";
- String compName = "TEST";
-
- Logger mockLogger = mock(Logger.class);
-
- SecurityConfig config = mock(SecurityConfig.class);
- Path nonexistent = Paths.get("nonexistent");
- when(config.getCertificateLocation(anyString())).thenReturn(nonexistent);
- when(config.getKeyLocation(anyString())).thenReturn(nonexistent);
- when(config.getRenewalGracePeriod()).thenReturn(Duration.ofDays(28));
-
- Calendar cal = Calendar.getInstance();
- cal.add(Calendar.DAY_OF_YEAR, 2);
- Date expiration = cal.getTime();
- X509Certificate mockCert = mock(X509Certificate.class);
- when(mockCert.getNotAfter()).thenReturn(expiration);
-
- try (DefaultCertificateClient client =
- new DefaultCertificateClient(config, null, mockLogger, certId,
compName,
- null, null) {
- @Override
- public PrivateKey getPrivateKey() {
- return mock(PrivateKey.class);
- }
-
- @Override
- public PublicKey getPublicKey() {
- return mock(PublicKey.class);
- }
-
- @Override
- public X509Certificate getCertificate() {
- return mockCert;
- }
-
- @Override
- public String signAndStoreCertificate(
- PKCS10CertificationRequest request, Path certificatePath) {
- return null;
- }
-
- @Override
- protected SCMGetCertResponseProto getCertificateSignResponse(
- PKCS10CertificationRequest request) {
- return null;
- }
-
- @Override
- public String signAndStoreCertificate(
- PKCS10CertificationRequest request, Path certificatePath,
- boolean renew) {
- return null;
- }
- }) {
-
- InitResponse resp = client.init();
- verify(mockLogger, atLeastOnce()).info(anyString());
- assertEquals(resp, REINIT);
- }
- }
-
@Test
public void testTimeBeforeExpiryGracePeriod() throws Exception {
KeyPair keyPair = keyGenerator.generateKey();
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
index b53f930899..40b954aef5 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
@@ -80,7 +80,6 @@ import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.ScmInfo;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
import org.apache.hadoop.hdds.server.OzoneAdmins;
-import org.apache.hadoop.hdds.utils.IOUtils;
import org.apache.hadoop.hdds.utils.db.Table;
import org.apache.hadoop.hdds.utils.db.Table.KeyValue;
import org.apache.hadoop.hdds.utils.db.TableIterator;
@@ -1393,16 +1392,6 @@ public final class OzoneManager extends
ServiceRuntimeInfoImpl
new SecurityConfig(conf), scmSecurityClient, omStore, omInfo,
"", scmId, null, null);
CertificateClient.InitResponse response = certClient.init();
- if (response.equals(CertificateClient.InitResponse.REINIT)) {
- LOG.info("Re-initialize certificate client.");
- omStore.unsetOmCertSerialId();
- omStore.persistCurrentState();
- IOUtils.close(LOG, certClient);
- certClient = new OMCertificateClient(
- new SecurityConfig(conf), scmSecurityClient, omStore, omInfo,
- "", scmId, null, null);
- response = certClient.init();
- }
LOG.info("Init response: {}", response);
switch (response) {
case SUCCESS:
diff --git
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
index 9c6e81acc9..7b63595f55 100644
---
a/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
+++
b/hadoop-ozone/recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java
@@ -185,15 +185,6 @@ public class ReconServer extends GenericCli {
reconStorage, this::saveNewCertId, this::terminateRecon);
CertificateClient.InitResponse response = certClient.init();
- if (response.equals(CertificateClient.InitResponse.REINIT)) {
- LOG.info("Re-initialize certificate client.");
- certClient.close();
- reconStorage.unsetReconCertSerialId();
- reconStorage.persistCurrentState();
- certClient = new ReconCertificateClient(secConf, scmSecurityClient,
- reconStorage, this::saveNewCertId, this::terminateRecon);
- response = certClient.init();
- }
LOG.info("Init response: {}", response);
switch (response) {
case SUCCESS: