[ https://issues.apache.org/jira/browse/HDDS-778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16677182#comment-16677182 ]
Anu Engineer commented on HDDS-778:
-----------------------------------
bq. Maybe I have misunderstood your comment, but you mentioned we do need an API
to query certificates in SCM CA
Yes, we need to solve that issue. The below comment is the one that covers that
issue.
{quote}
/**
 * TODO : CRL, OCSP etc. Later. This is the start of a CertificateServer
 * framework.
 */
{quote}
Perhaps it would be better if I explained this comment better.
There are several things that are going to determine how we are going to do
this part of the Certificate Framework.
# It is possible that we will always send the certificate in the Block and
Delegation Token -- that is, a Token will always be Token := {payload, hash,
certificate}. If this is the model of a token, then the certificate is
accessible without a query.
# It might be that we will decide that we don't want to put the whole
certificate and instead put a certificate ID. If we do that, we will need
some way to find that certificate. This will be dependent on the
Certificate ID that we choose to put inside the token.
# We will also need the ability to make sure that a certain certificate is
valid; we might have to fetch CRLs on-demand since the whole system is
connected via heartbeat. If we do that, we know that in one or two heartbeats a
CRL will be propagated across the system.
So the bottom line is that as we develop the consumer of the 'certificate
framework' we will have a better sense of how/what needs to be done. This is the
first outline of what the certificate system will look like and is far from
complete. Whatever I write now will certainly change as we work through the details.
> Add an interface for CA and Clients for Certificate operations
> --------------------------------------------------------------
>
> Key: HDDS-778
> URL: https://issues.apache.org/jira/browse/HDDS-778
> Project: Hadoop Distributed Data Store
> Issue Type: Sub-task
> Components: SCM, SCM Client
> Reporter: Anu Engineer
> Assignee: Anu Engineer
> Priority: Major
> Attachments: HDDS-778-HDDS-4.001.patch, HDDS-778-HDDS-4.002.patch
>
>
> This JIRA proposes to add an interface specification that can be programmed
> against by Datanodes and Ozone Manager and other clients that want to use the
> certificate-based security features of HDDS.
> We will also add a Certificate Server interface, this interface can be used
> to use non-SCM based CA or if we need to use HSM based secret storage
> services.
> At this point, it is simply an interface and nothing more. Thanks to [~xyao]
> for suggesting this idea.
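
The two token models and the revocation check discussed in the comment above, as an added example that is not part of the original message or of the HDDS code base. Assumptions: the token's "hash" field is treated as a signature made by the certificate holder, `Cert` is a constructed stand-in for an X.509 certificate, the `crl` set stands in for a CRL already propagated to the verifier, and every class and method name is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class TokenModels { // Java 16+ (records); all names are hypothetical
  // Constructed stand-in for an X.509 certificate: serial, subject key, CA signature over both.
  record Cert(String serial, PublicKey key, byte[] caSig) {}
  // Model 1 sets cert; model 2 leaves cert null and sets certId instead.
  record Token(byte[] payload, byte[] sig, Cert cert, String certId) {}
  static byte[] tbs(String serial, PublicKey key) { // the bytes the CA signs
    return (serial + ":" + Base64.getEncoder().encodeToString(key.getEncoded()))
        .getBytes(StandardCharsets.UTF_8);
  }
  static byte[] sign(PrivateKey k, byte[] data) throws GeneralSecurityException {
    Signature s = Signature.getInstance("SHA256withECDSA");
    s.initSign(k); s.update(data); return s.sign();
  }
  static boolean check(PublicKey k, byte[] data, byte[] sig) throws GeneralSecurityException {
    Signature s = Signature.getInstance("SHA256withECDSA");
    s.initVerify(k); s.update(data); return s.verify(sig);
  }
  static Cert issue(PrivateKey caKey, String serial, PublicKey key)
      throws GeneralSecurityException {
    return new Cert(serial, key, sign(caKey, tbs(serial, key)));
  }
  static boolean verify(Token t, PublicKey caKey, Map<String, Cert> store, Set<String> crl)
      throws GeneralSecurityException {
    // Model 1: certificate travels in the token. Model 2: look it up by ID.
    Cert c = t.cert() != null ? t.cert() : (t.certId() == null ? null : store.get(t.certId()));
    if (c == null) return false;                                          // unknown certificate ID
    if (!check(caKey, tbs(c.serial(), c.key()), c.caSig())) return false; // not issued by this CA
    if (crl.contains(c.serial())) return false;                           // revoked
    return check(c.key(), t.payload(), t.sig());                          // signed by the cert holder
  }
  public static void main(String[] args) throws Exception {
    KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
    g.initialize(256);
    KeyPair ca = g.generateKeyPair(), node = g.generateKeyPair(), other = g.generateKeyPair();
    Cert good = issue(ca.getPrivate(), "01", node.getPublic());
    Cert selfIssued = issue(other.getPrivate(), "02", other.getPublic()); // not signed by the CA
    byte[] p = "constructed-payload".getBytes(StandardCharsets.UTF_8);
    Map<String, Cert> store = Map.of("01", good);
    Token embedded = new Token(p, sign(node.getPrivate(), p), good, null);
    Token byId = new Token(p, sign(node.getPrivate(), p), null, "01");
    Token untrusted = new Token(p, sign(other.getPrivate(), p), selfIssued, null);
    System.out.println("embedded cert:    " + verify(embedded, ca.getPublic(), store, Set.of()));
    System.out.println("certificate ID:   " + verify(byId, ca.getPublic(), store, Set.of()));
    System.out.println("self-issued cert: " + verify(untrusted, ca.getPublic(), store, Set.of()));
    System.out.println("serial 01 on CRL: " + verify(byId, ca.getPublic(), store, Set.of("01")));
  }
}
```

In the embedded-certificate model the verifier still has to check the certificate against the CA key before trusting it, since anyone can place a certificate inside a token.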