[
https://issues.apache.org/jira/browse/HDDS-10509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910556#comment-17910556
]
István Fajth commented on HDDS-10509:
-------------------------------------
If I am not mistaken, in order to connect to the Ratis server endpoint in a
TLS-enabled environment, most if not all of these commands need to be sent to an
endpoint that requires mTLS authentication.
This is a bit hard, as currently in Ozone we have our internal PKI system that
issues certificates to the services to set up mTLS connections between the
peers, so if the Ratis server endpoints require mTLS, we need to somehow get a
valid internal-CA-signed certificate to these CLI client calls. SCM currently
allows the service principals to connect to the PKI-related API
(SecurityProtocolServer).
[~szetszwo], what is the general suggestion to set up the environment to run
Ratis shell commands with mTLS authentication being used? I tried to look for
some docs, but did not find any in 5 minutes, so I gave up.
In general I would assume the ratis shell does not contain logic to get the
certificate from somewhere, but is just able to read it from an arbitrary
location at best, or there may not even be command line options to specify
these locations and they need to be set programmatically anyway.
If this assumption is true, then I would propose the following to solve the
secure environment problem:
1. Create a new tool that can generate a keypair, file a certificate signing
request to the running SCM, and persist the certificate signed by the SCM.
(This tool can only be run with a service principal; we may add admin
principals to the ACL protecting the server, but I am not sure if that is
really required.)
2. Modify the ozone ratis command to set up the RatisShell with a proper TLS
configuration if the location of the RSA keypair and the certificate is
provided to the client via command line arguments.
What do you think?
> Allow running ratis shell commands in secure Ozone cluster.
> -----------------------------------------------------------
>
> Key: HDDS-10509
> URL: https://issues.apache.org/jira/browse/HDDS-10509
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Tools
> Reporter: Tsz-wo Sze
> Assignee: Rishabh Patel
> Priority: Major
>
> When Ozone is in secure mode, running ratis shell directly cannot access
> Ozone since ratis shell does not have Ozone UserGroupInformation. We should
> add a new Ozone command to run ratis shell. The new Ozone command can get
> the UserGroupInformation and then run the ratis commands.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
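As an added example (not Ozone or Ratis code, and not the tool the comment proposes), the following bash script walks through the two proposed steps with plain openssl: it generates the client keypair and CSR, lets a throwaway local CA stand in for the SCM-run CA to sign it, and, before persisting anything, checks that the issued certificate verifies as a TLS client certificate against that CA and carries the public key of the key that was generated. The local CA, the subject names and the file layout are assumptions; SCM's actual CSR API and any ratis shell TLS options are not modelled.

```bash
#!/usr/bin/env bash
# Added example, not Ozone or Ratis code. It performs the three steps the
# proposed tool would do (generate a keypair, file a CSR, persist the signed
# certificate) with plain openssl, plus the check a client should run before
# persisting: the returned certificate must chain to the internal CA and must
# contain the public key of the key we generated.
# Assumptions: a throwaway local CA stands in for the SCM-run CA; SCM's real
# CSR API and any ratis shell TLS options are not modelled here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: RSA keypair for the CLI client. $1 = private key output path.
gen_client_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  chmod 600 "$1"   # the private key stays on this host, readable by the CLI user only
}

# Step 2: CSR over that key. $1 = key, $2 = CSR output, $3 = subject CN (assumed value).
gen_client_csr() {
  openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# Stand-in for the SCM CA, constructed for this example only.
# $1 = CA key output, $2 = CA cert output, $3 = CA CN
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# Stand-in for SCM signing the CSR: issues a non-CA leaf usable for TLS client auth.
# $1 = CSR, $2 = CA cert, $3 = CA key, $4 = signed cert output
sign_csr() {
  local ext
  ext="$(mktemp)"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$ext"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
    -extfile "$ext" -out "$4" 2>/dev/null
  rm -f "$ext"
}

# Step 3 gate: persist only a certificate that (a) verifies as a TLS client cert
# against the trusted CA and (b) holds exactly the public key of our key file.
# $1 = cert, $2 = our private key, $3 = trusted CA cert. Returns 0 only if both hold.
verify_issued_cert() {
  openssl verify -CAfile "$3" -purpose sslclient "$1" >/dev/null 2>&1 || return 1
  local key_pub cert_pub
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)"
  [ -n "$key_pub" ] || return 1
  [ "$key_pub" = "$cert_pub" ]
}

main() {
  gen_client_key "$WORK/client.key"
  gen_client_csr "$WORK/client.key" "$WORK/client.csr" "ozone-ratis-cli"
  make_stand_in_ca "$WORK/ca.key" "$WORK/ca.crt" "stand-in-SCM-CA"
  sign_csr "$WORK/client.csr" "$WORK/ca.crt" "$WORK/ca.key" "$WORK/client.crt"
  if verify_issued_cert "$WORK/client.crt" "$WORK/client.key" "$WORK/ca.crt"; then
    echo "persisted client cert for mTLS: $WORK/client.crt (key: $WORK/client.key)"
  else
    echo "refusing to persist: cert does not chain to the CA or does not match our key" >&2
    return 1
  fi
}

main "$@"
```

Run as-is, it leaves `client.key` and `client.crt` under a temporary directory. In a real cluster the `sign_csr` stand-in would be replaced by the call to SCM, and `verify_issued_cert` is the part worth keeping: it is what stops a certificate issued by the wrong CA, or for the wrong key, from being written next to the private key and then handed to the ratis shell TLS configuration.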