sammichen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new 368c636f67 HDDS-9156. cert-rotation acceptance test is failing
randomly (#5202)
368c636f67 is described below
commit 368c636f676791f3a8a7df7199ffcc2092279a20
Author: Sammi Chen <[email protected]>
AuthorDate: Thu Sep 7 21:40:56 2023 +0800
HDDS-9156. cert-rotation acceptance test is failing randomly (#5202)
---
.../scm/security/RootCARotationHandlerImpl.java | 26 +++++++++++++++++++++-
.../hdds/scm/security/RootCARotationManager.java | 4 ++++
.../compose/ozonesecure-ha/root-ca-rotation.yaml | 2 +-
.../main/compose/ozonesecure/root-ca-rotation.yaml | 2 +-
4 files changed, 31 insertions(+), 3 deletions(-)
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationHandlerImpl.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationHandlerImpl.java
index cdaf2d34c2..aed03da70b 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationHandlerImpl.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationHandlerImpl.java
@@ -115,6 +115,31 @@ public class RootCARotationHandlerImpl implements
RootCARotationHandler {
return;
}
+ // Wait for the rotation preparation of this SCM to finish. The rotation
+ // preparation is running parallel in rotationManager's executor thread.
+ // If rotation preparation is not finished yet, then the later move
+ // new -> current operation will fail as the new directory may not exist
+ // yet.
+ long st = System.nanoTime();
+ long waitForNanos =
+ rotationManager.getSecurityConfig().getCaAckTimeout().toNanos();
+ String certId = newSubCACertId.get();
+ while (certId == null && (System.nanoTime() - st < waitForNanos)) {
+ try {
+ Thread.sleep(100);
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ throw new IOException("Thread is interrupted");
+ }
+ certId = newSubCACertId.get();
+ }
+ if (certId == null) {
+ String message = "Failed to finish the rotation preparation in " +
+ rotationManager.getSecurityConfig().getCaAckTimeout();
+ LOG.error(message);
+ scm.shutDown(message);
+ }
+
// switch sub CA key and certs directory on disk
File currentSubCaDir = new File(secConfig.getLocation(
scmCertClient.getComponentName()).toString());
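Review bot: The timeout branch calls `scm.shutDown(message)` and then falls through to the directory switch below. If shutDown can return (its body is not visible here), the handler would move directories that the added comment says may not exist yet, and the later hunk at -148 would pass a null `certId` to `setScmCertSerialId` and persist it. Adding `return;` right after `scm.shutDown(message);` keeps a timed-out rotation from touching the on-disk sub-CA key and certificate material. In the interrupt path, `throw new IOException("Thread is interrupted")` drops the cause; `throw new IOException("Interrupted while waiting for rotation preparation", e);` would preserve it. The enclosing method starts and ends outside the hunk.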
@@ -148,7 +173,6 @@ public class RootCARotationHandlerImpl implements
RootCARotationHandler {
}
try {
- String certId = newSubCACertId.get();
LOG.info("Persistent new scm certificate {}", certId);
scm.getScmStorageConfig().setScmCertSerialId(certId);
scm.getScmStorageConfig().persistCurrentState();
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
index faa7889489..bb6ca796b1 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/security/RootCARotationManager.java
@@ -227,6 +227,10 @@ public class RootCARotationManager extends StatefulService
{
return RootCARotationManager.class.getSimpleName();
}
+ public SecurityConfig getSecurityConfig() {
+ return secConf;
+ }
+
/**
* Schedule monitor task.
*/
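Review bot: The new public `getSecurityConfig()` has no Javadoc while the neighbouring method does, and it exposes the whole `SecurityConfig` for what appears to be a single timeout read in RootCARotationHandlerImpl. That handler already references a `secConfig` at its directory switch, so `secConfig.getCaAckTimeout()` would presumably work there without widening this class's public surface. If the accessor stays, add a comment such as `/** Returns the security configuration used by this rotation manager. */`. The class body continues outside the hunk.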
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
index 71d0ee95b7..be36cde6dd 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/root-ca-rotation.yaml
@@ -25,7 +25,7 @@ x-root-cert-rotation-config:
- OZONE-SITE.XML_hdds.x509.renew.grace.duration=PT45S
- OZONE-SITE.XML_hdds.x509.ca.rotation.check.interval=PT1S
- OZONE-SITE.XML_hdds.x509.ca.rotation.ack.timeout=PT20S
- - OZONE-SITE.XML_hdds.x509.rootca.certificate.polling.interval=PT10s
+ - OZONE-SITE.XML_hdds.x509.rootca.certificate.polling.interval=PT2s
- OZONE-SITE.XML_hdds.block.token.expiry.time=15s
- OZONE-SITE.XML_ozone.manager.delegation.token.max-lifetime=15s
- OZONE-SITE.XML_ozone.manager.delegation.token.renew-interval=15s
diff --git
a/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
b/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
index b27d5f7a35..13a3df5668 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/root-ca-rotation.yaml
@@ -25,7 +25,7 @@ x-root-cert-rotation-config:
- OZONE-SITE.XML_hdds.x509.renew.grace.duration=PT45S
- OZONE-SITE.XML_hdds.x509.ca.rotation.check.interval=PT1S
- OZONE-SITE.XML_hdds.x509.ca.rotation.ack.timeout=PT20S
- - OZONE-SITE.XML_hdds.x509.rootca.certificate.polling.interval=PT10s
+ - OZONE-SITE.XML_hdds.x509.rootca.certificate.polling.interval=PT2s
- OZONE-SITE.XML_hdds.block.token.expiry.time=15s
- OZONE-SITE.XML_ozone.manager.delegation.token.max-lifetime=15s
- OZONE-SITE.XML_ozone.manager.delegation.token.renew-interval=15s