[
https://issues.apache.org/jira/browse/HDDS-778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16670843#comment-16670843
]
Anu Engineer commented on HDDS-778:
-----------------------------------
bq. Having component in function parameters gives an impression that one
component can override/write private keys for other one which we would like to
avoid.
It is the same process, so we have the same security boundary. We need this
since we will want to store the certificates from different components that we
have talked to or fetched the certs from SCM.
For components like SCM, there will be CA certs and non-CA certs. so overall,
this helps.
bq. Do we need api to get certificate for given component/client or check for
it?
Yes, that will be handler for the QueryCertificate call in the server side. So
we do need it.
> Add an interface for CA and Clients for Certificate operations
> --------------------------------------------------------------
>
> Key: HDDS-778
> URL: https://issues.apache.org/jira/browse/HDDS-778
> Project: Hadoop Distributed Data Store
> Issue Type: Sub-task
> Components: SCM, SCM Client
> Reporter: Anu Engineer
> Assignee: Anu Engineer
> Priority: Major
> Attachments: HDDS-778-HDDS-4.001.patch
>
>
> This JIRA proposes to add an interface specification that can be programmed
> against by Datanodes and Ozone Manager and other clients that want to use the
> certificate-based security features of HDDS.
> We will also add a Certificate Server interface, this interface can be used
> to use non-SCM based CA or if we need to use HSM based secret storage
> services.
> At this point, it is simply an interface and nothing more. Thanks to [~xyao]
> for suggesting this idea.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
