This is an automated email from the ASF dual-hosted git repository.
adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git
The following commit(s) were added to refs/heads/master by this push:
new debc8abf484 HDDS-15176. Ozone SCM fails to start when gRPC cipher
policy list includes unsupported cipher (#10192)
debc8abf484 is described below
commit debc8abf484fbeae0331b0df9668ab997d8c8e8f
Author: Zita Dombi <[email protected]>
AuthorDate: Thu May 7 15:34:36 2026 +0200
HDDS-15176. Ozone SCM fails to start when gRPC cipher policy list includes
unsupported cipher (#10192)
---
.../common/transport/server/XceiverServerGrpc.java | 5 ++++-
.../container/replication/ReplicationServer.java | 5 ++++-
.../hdds/security/ssl/TestGrpcTlsConfig.java | 25 +++++++++++++++++++++-
.../hdds/scm/ha/InterSCMGrpcProtocolService.java | 5 ++++-
.../hadoop/ozone/om/GrpcOzoneManagerServer.java | 5 ++++-
5 files changed, 40 insertions(+), 5 deletions(-)
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
index 7521b460467..31dd1cb19e4 100644
---
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java
@@ -58,6 +58,7 @@
import org.apache.ratis.thirdparty.io.netty.channel.nio.NioEventLoopGroup;
import
org.apache.ratis.thirdparty.io.netty.channel.socket.nio.NioServerSocketChannel;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import
org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -146,7 +147,9 @@ public XceiverServerGrpc(DatanodeDetails datanodeDetails,
SslContextBuilder sslContextBuilder = GrpcSslContexts.configure(
sslClientContextBuilder, secConf.getGrpcSslProvider());
sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
nettyServerBuilder.sslContext(sslContextBuilder.build());
} catch (Exception ex) {
LOG.error("Unable to setup TLS for secure datanode GRPC endpoint.",
ex);
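Review bot: The added `SupportedCipherSuiteFilter.INSTANCE` argument drops every configured name the selected provider does not know without any record of it, so a list that is entirely mistyped, or an intended restriction to a suite the provider lacks, no longer fails startup but silently yields an empty or narrower enabled set than the operator asked for. Netty's filter is silent by design, and what an empty intersection does at handshake time depends on the provider and is not asserted anywhere in this commit. I would keep the filter but compare the built context against the configured list, warn with the names that were dropped, and treat an empty effective set as the same fatal condition the old code produced; the `build()` result has to be held in a local for that. The constructor this sits in starts and ends outside the hunk, and whether the `catch (Exception ex)` below lets the datanode keep running is not visible here.
```java
      // … unchanged: protocols(...) and ciphers(..., SupportedCipherSuiteFilter.INSTANCE) …
      SslContext sslContext = sslContextBuilder.build();
      List<String> effective = sslContext.cipherSuites();
      List<String> dropped = new ArrayList<>();
      for (String cipher : secConf.getGrpcTlsCiphers()) {
        if (!effective.contains(cipher)) {
          dropped.add(cipher);
        }
      }
      if (!dropped.isEmpty()) {
        LOG.warn("Ignoring configured gRPC TLS ciphers not supported by {}: {}",
            secConf.getGrpcSslProvider(), dropped);
      }
      if (effective.isEmpty()) {
        throw new IllegalArgumentException(
            "None of the configured gRPC TLS ciphers is supported by "
                + secConf.getGrpcSslProvider());
      }
      nettyServerBuilder.sslContext(sslContext);
```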
diff --git
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
index 3c1c6a54efb..f2d06c2f6b1 100644
---
a/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
+++
b/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/replication/ReplicationServer.java
@@ -44,6 +44,7 @@
import org.apache.ratis.thirdparty.io.grpc.netty.NettyServerBuilder;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import
org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -121,7 +122,9 @@ public void init() {
sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
sslContextBuilder.trustManager(caClient.getTrustManager());
sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
nettyServerBuilder.sslContext(sslContextBuilder.build());
} catch (IOException ex) {
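Review bot: The `ciphers(..., SupportedCipherSuiteFilter.INSTANCE)` pair is now copy-pasted into four server classes (this one, XceiverServerGrpc, InterSCMGrpcProtocolService and GrpcOzoneManagerServer), so any later decision about validating or reporting the filtered list has to be made four times and will drift. A single helper next to `GrpcSslContexts.configure`, e.g. `static SslContextBuilder applyTlsPolicy(SslContextBuilder b, SecurityConfig conf)` that sets the protocols, applies the filtered ciphers and is the one place to log what was dropped, would keep the TLS policy in one spot; the two statements here would collapse to `GrpcSslContexts.applyTlsPolicy(sslContextBuilder, secConf);`. GrpcOzoneManagerServer builds against unshaded `io.netty` while the other three use the Ratis-shaded classes, so the helper would either need a variant per Netty flavour or leave the OM as the one exception. `init()` continues past the end of this hunk.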
diff --git
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
index 482a86b79de..443312282fd 100644
---
a/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
+++
b/hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/ssl/TestGrpcTlsConfig.java
@@ -51,6 +51,7 @@
import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
+import
org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
@@ -146,6 +147,26 @@ public void testDefaultConfigAcceptsConnection() throws
Exception {
}
}
+ @Test
+ public void testServerIgnoresUnsupportedConfiguredCiphers() throws Exception
{
+ Server server = null;
+ ManagedChannel channel = null;
+ try {
+ String[] configuredCiphers = {
+ "TLS_FAKE_CIPHER_SUITE",
+ "TLS_AES_256_GCM_SHA384"
+ };
+ server = setupServer(new String[]{"TLSv1.3"}, configuredCiphers);
+ server.start();
+ channel = setupClient(server.getPort(), new String[]{"TLSv1.3"}, new
String[]{"TLS_AES_256_GCM_SHA384"});
+ XceiverClientProtocolServiceStub asyncStub =
XceiverClientProtocolServiceGrpc.newStub(channel);
+ ContainerCommandResponseProto response = sendRequest(asyncStub);
+ assertEquals(SUCCESS, response.getResult());
+ } finally {
+ shutdown(channel, server);
+ }
+ }
+
private Server setupServer(String[] protocols, String[] ciphers)
throws Exception {
NettyServerBuilder nettyServerBuilder =
NettyServerBuilder.forPort(0).addService(new GrpcService());
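Review bot: `testServerIgnoresUnsupportedConfiguredCiphers` only shows that the handshake still succeeds when a supported suite sits next to the fake one; it does not check that `TLS_FAKE_CIPHER_SUITE` was actually removed from the server's enabled set, and it leaves the important edge, a list with no supported entry at all, unspecified. Because the client is pinned to `TLS_AES_256_GCM_SHA384`, a successful request already implies the server kept that suite, so the test pins the happy path and nothing else. I would add a sibling test that calls `setupServer(new String[]{"TLSv1.3"}, new String[]{"TLS_FAKE_CIPHER_SUITE"})` and asserts the outcome the project wants, either an exception from `setupServer` or `assertThrows` around `sendRequest` if a server with nothing enabled is allowed to start, so the behaviour is fixed by the test rather than left to Netty's provider-specific handling of an empty cipher array. Which of those two outcomes occurs today is not determined by what is visible in this hunk.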
@@ -157,7 +178,9 @@ private Server setupServer(String[] protocols, String[]
ciphers)
sslContextBuilder.protocols(protocols);
}
if (ciphers != null) {
- sslContextBuilder.ciphers(Arrays.asList(ciphers));
+ sslContextBuilder.ciphers(
+ Arrays.asList(ciphers),
+ SupportedCipherSuiteFilter.INSTANCE);
}
nettyServerBuilder.sslContext(sslContextBuilder.build());
return nettyServerBuilder.build();
diff --git
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
index 1aa1fa7bfc9..8b4086a69d9 100644
---
a/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
+++
b/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/InterSCMGrpcProtocolService.java
@@ -35,6 +35,7 @@
import org.apache.ratis.thirdparty.io.grpc.netty.NettyServerBuilder;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.ClientAuth;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslContextBuilder;
+import
org.apache.ratis.thirdparty.io.netty.handler.ssl.SupportedCipherSuiteFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -75,7 +76,9 @@ public class InterSCMGrpcProtocolService {
sslServerContextBuilder, securityConfig.getGrpcSslProvider());
sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
sslContextBuilder.protocols(securityConfig.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(securityConfig.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ securityConfig.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
nettyServerBuilder.sslContext(sslContextBuilder.build());
} catch (Exception ex) {
LOG.error("Unable to setup TLS for secure " +
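Review bot: Only server-side builders are touched by this commit (the diffstat lists four servers and a test), while the peer that dials this mutually authenticated endpoint (`ClientAuth.REQUIRE` two lines above) most likely builds its own `SslContextBuilder.forClient()` from the same `securityConfig.getGrpcTlsCiphers()`. If that client path still passes the raw list, an unsupported name that no longer stops the SCM from starting will instead surface when the inter-SCM client channel is created, which is harder to diagnose than a startup failure. Worth confirming that the client-side builders (inter-SCM, datanode and replication gRPC clients) apply the same `SupportedCipherSuiteFilter.INSTANCE`, or better, obtain the already-filtered list from one shared place. The method this hunk sits in starts before the hunk and continues after it, and whether the `catch (Exception ex)` re-throws is not visible here.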
diff --git
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
index 520a434a69b..a05dc47c9b0 100644
---
a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
+++
b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
@@ -38,6 +38,7 @@
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.io.IOException;
import java.util.OptionalInt;
import java.util.concurrent.LinkedBlockingQueue;
@@ -165,7 +166,9 @@ public void init(OzoneManagerProtocolServerSideTranslatorPB
omTranslator,
SslProvider.valueOf(omServerConfig.get(HDDS_GRPC_TLS_PROVIDER,
HDDS_GRPC_TLS_PROVIDER_DEFAULT)));
sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
- sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
+ sslContextBuilder.ciphers(
+ secConf.getGrpcTlsCiphers(),
+ SupportedCipherSuiteFilter.INSTANCE);
nettyServerBuilder.sslContext(sslContextBuilder.build());
} catch (Exception ex) {
LOG.error("Unable to setup TLS for secure Om S3g GRPC channel.", ex);
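Review bot: Which names survive `SupportedCipherSuiteFilter.INSTANCE` depends on the `SslProvider` resolved from `HDDS_GRPC_TLS_PROVIDER` on the lines just above, so the same configured cipher value can produce different effective suites under JDK and OpenSSL, and after this change nothing tells the operator which set is actually enabled. Holding the built context in a local and adding `LOG.info("gRPC TLS ciphers in effect for OM: {}", sslContext.cipherSuites());` after `build()` gives that audit trail for a line's cost and makes a silently emptied list visible in the startup log. The description of the cipher configuration key should likewise state that unsupported entries are now ignored rather than rejected, since that is a behaviour change operators relied on for fail-closed validation. `init()` starts and ends outside this hunk.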