xiaoyuyao commented on a change in pull request #2000:
URL: https://github.com/apache/ozone/pull/2000#discussion_r604430441



##########
File path: 
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HAUtils.java
##########
@@ -326,4 +351,139 @@ public static void 
checkSecurityAndSCMHAEnabled(OzoneConfiguration conf) {
       }
     }
   }
+
+  /**
+   * Build CA list which need to be passed to client.
+   *
+   * If certificate client is null, obtain the list of CA using SCM security
+   * client, else it uses certificate client.
+   * @param certClient
+   * @param configuration
+   * @return list of CA
+   * @throws IOException
+   */
+  public static List<String> buildCAList(CertificateClient certClient,
+      ConfigurationSource configuration) throws IOException {
+    //TODO: make it configurable.
+    long waitTime = 5 * 60 * 1000L;
+    long retryTime = 10 * 1000L;
+    long currentTime = Time.monotonicNow();
+    List<String> caCertPemList = null;
+    if (certClient != null) {
+      caCertPemList = new ArrayList<>();
+      if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
+        if (certClient.getRootCACertificate() != null) {
+          caCertPemList.add(CertificateCodec.getPEMEncodedString(
+              certClient.getRootCACertificate()));
+        }
+        caCertPemList.add(CertificateCodec.getPEMEncodedString(
+            certClient.getCACertificate()));
+      } else {
+        // TODO: If SCMs are bootstrapped later, then listCA need to be
+        //  refetched if listCA size is less than scm ha config node list size.
+        // For now when Client of SCM's are started we compare their node list
+        // size and ca list size if it is as expected, we return the ca list.
+        boolean caListUpToDate;
+        Collection<String> scmNodes = SCMHAUtils.getSCMNodeIds(configuration);
+        // TODO: make them configurable.
+        if (scmNodes.size() > 1) {
+          do {
+            caCertPemList = certClient.updateCAList();
+            caListUpToDate =
+                caCertPemList.size() == scmNodes.size() + 1 ? true : false;
+            if (!caListUpToDate) {
+              try {
+                Thread.sleep(retryTime);
+              } catch (InterruptedException ex) {
+                Thread.currentThread().interrupt();
+              }
+            }
+          } while (!caListUpToDate &&
+              Time.monotonicNow() - currentTime < waitTime);
+          checkCertCount(caCertPemList.size(), scmNodes.size() + 1);
+        } else {
+          caCertPemList = certClient.updateCAList();
+        }
+      }
+    } else {
+      if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
+        caCertPemList = new ArrayList<>();
+        SCMSecurityProtocolClientSideTranslatorPB scmSecurityProtocolClient =
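
Review bot: In the retry loop's `catch (InterruptedException ex)` block, the interrupt flag is restored but the `do`/`while` keeps running, so every subsequent `Thread.sleep(retryTime)` throws immediately and `certClient.updateCAList()` is called back to back until `waitTime` (5 minutes) expires. Suggest leaving the loop once interrupted, for example by breaking out or throwing an `IOException`, instead of continuing to retry. Two smaller points in the same block: `caCertPemList.size() == scmNodes.size() + 1 ? true : false` can drop the ternary, and since the completeness check compares only the list size against `scmNodes.size() + 1`, a comment stating that a count match is treated as "all SCM CAs present" would make the trust assumption explicit. The `@param` and `@throws` tags in the Javadoc are also missing descriptions.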

Review comment:
Can we move the scmsecurityprotocol client creation up and dedup the same logic between them?



