bharatviswa504 commented on a change in pull request #2000:
URL: https://github.com/apache/ozone/pull/2000#discussion_r604648529
##########
File path:
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/utils/HAUtils.java
##########
@@ -326,4 +351,139 @@ public static void
checkSecurityAndSCMHAEnabled(OzoneConfiguration conf) {
}
}
}
+
+ /**
+ * Build CA list which need to be passed to client.
+ *
+ * If certificate client is null, obtain the list of CA using SCM security
+ * client, else it uses certificate client.
+ * @param certClient
+ * @param configuration
+ * @return list of CA
+ * @throws IOException
+ */
+ public static List<String> buildCAList(CertificateClient certClient,
+ ConfigurationSource configuration) throws IOException {
+ //TODO: make it configurable.
+ long waitTime = 5 * 60 * 1000L;
+ long retryTime = 10 * 1000L;
+ long currentTime = Time.monotonicNow();
+ List<String> caCertPemList = null;
+ if (certClient != null) {
+ caCertPemList = new ArrayList<>();
+ if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
+ if (certClient.getRootCACertificate() != null) {
+ caCertPemList.add(CertificateCodec.getPEMEncodedString(
+ certClient.getRootCACertificate()));
+ }
+ caCertPemList.add(CertificateCodec.getPEMEncodedString(
+ certClient.getCACertificate()));
+ } else {
+ // TODO: If SCMs are bootstrapped later, then listCA need to be
+ // refetched if listCA size is less than scm ha config node list size.
+ // For now when Client of SCM's are started we compare their node list
+ // size and ca list size if it is as expected, we return the ca list.
+ boolean caListUpToDate;
+ Collection<String> scmNodes = SCMHAUtils.getSCMNodeIds(configuration);
+ // TODO: make them configurable.
+ if (scmNodes.size() > 1) {
+ do {
+ caCertPemList = certClient.updateCAList();
+ caListUpToDate =
+ caCertPemList.size() == scmNodes.size() + 1 ? true : false;
+ if (!caListUpToDate) {
+ try {
+ Thread.sleep(retryTime);
+ } catch (InterruptedException ex) {
+ Thread.currentThread().interrupt();
+ }
+ }
+ } while (!caListUpToDate &&
+ Time.monotonicNow() - currentTime < waitTime);
+ checkCertCount(caCertPemList.size(), scmNodes.size() + 1);
+ } else {
+ caCertPemList = certClient.updateCAList();
+ }
+ }
+ } else {
+ if (!SCMHAUtils.isSCMHAEnabled(configuration)) {
+ caCertPemList = new ArrayList<>();
+ SCMSecurityProtocolClientSideTranslatorPB scmSecurityProtocolClient =
Review comment:
Done.
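Review bot: The retry loop in buildCAList (the `do … while` around `certClient.updateCAList()`) does not exit when the thread is interrupted: after `Thread.currentThread().interrupt()` the loop condition is re-evaluated, and every following `Thread.sleep(retryTime)` throws immediately because the interrupt flag is still set, so the client spins calling `updateCAList()` against the SCM until the five-minute `waitTime` expires. After re-asserting the interrupt, abort the wait so the caller fails promptly, e.g. `throw new IOException("Interrupted while waiting for the SCM CA list", ex);`, and the redundant `? true : false` can become `caListUpToDate = caCertPemList.size() == scmNodes.size() + 1;`. Completeness of the trust list is judged only by that count, and in the non-HA branch `certClient.getCACertificate()` is PEM-encoded without the null check that guards the root CA just above it; if it can legitimately be null at this point that line throws an NPE instead of a clear error — worth confirming. The method continues past the quoted lines (the `SCMSecurityProtocolClientSideTranslatorPB` branch is cut off), so the remaining branches could not be reviewed.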
##########
File path:
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
##########
@@ -288,22 +306,18 @@ public String getCACertificate() throws IOException {
public List<String> listCACertificate() throws IOException {
List<String> caCerts =
listCertificate(NodeType.SCM, 0, 10, false);
- caCerts.add(getRootCACertificate());
return caCerts;
}
@Override
public String getRootCACertificate() throws IOException {
LOGGER.debug("Getting Root CA certificate.");
- //TODO: This code will be modified after HDDS-4897 is merged and
- // integrated. For now getting RootCA cert from certificateServer.
- try {
+ if (storageContainerManager.getScmStorageConfig()
Review comment:
Done
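Review bot: `listCACertificate()` now returns at most 10 entries (`listCertificate(NodeType.SCM, 0, 10, false)`) with no paging, so if the certificate store ever holds more than 10 SCM certificates — which seems possible if SCM instances are re-bootstrapped or re-certified over the cluster's lifetime — the trust list handed to clients would be silently truncated. Because the client-side count check in HAUtils waits up to five minutes for `scmNodes.size() + 1` entries, a truncated list would surface as a slow startup failure rather than an explicit error; consider paging until `listCertificate` returns fewer than the page size, or at least naming the limit with a constant and a comment such as `// NOTE: page size caps the CA list returned to clients; it must exceed the number of SCM certificates ever issued`. Dropping `caCerts.add(getRootCACertificate())` here presumably moves the root CA into the `+1` the client expects, so it is worth confirming that `updateCAList()` now fetches the root CA separately. `getRootCACertificate()` is cut off after its first `if`, so its new body could not be reviewed.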
##########
File path:
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -558,44 +577,99 @@ private void initializeSystemManagers(OzoneConfiguration
conf,
*/
private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
SCMConfigurator configurator) throws IOException {
- if(configurator.getCertificateServer() != null) {
- this.certificateServer = configurator.getCertificateServer();
+
+ // TODO: Support Certificate Server loading via Class Name loader.
+ // So it is easy to use different Certificate Servers if needed.
+ if(this.scmMetadataStore == null) {
+ LOG.error("Cannot initialize Certificate Server without a valid meta " +
+ "data layer.");
+ throw new SCMException("Cannot initialize CA without a valid metadata " +
+ "store", ResultCodes.SCM_NOT_INITIALIZED);
+ }
+
+ certificateStore =
+ new SCMCertStore.Builder().setMetadaStore(scmMetadataStore)
+ .setRatisServer(scmHAManager.getRatisServer())
+ .setCRLSequenceId(getLastSequenceIdForCRL()).build();
+
+
+ // If primary SCM node Id is set it means this is a cluster which has
+ // performed init with SCM HA version code.
+ if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
+ // Start specific instance SCM CA server.
+ String subject = SCM_SUB_CA_PREFIX +
+ InetAddress.getLocalHost().getHostName();
+ if (configurator.getCertificateServer() != null) {
+ this.scmCertificateServer = configurator.getCertificateServer();
+ } else {
+ scmCertificateServer = new DefaultCAServer(subject,
+ scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+ certificateStore, new DefaultProfile(),
+ scmCertificateClient.getComponentName());
+ // INTERMEDIARY_CA which issues certs to DN and OM.
+ scmCertificateServer.init(new SecurityConfig(configuration),
+ CertificateServer.CAType.INTERMEDIARY_CA);
+ }
+
+ if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
+ if (configurator.getCertificateServer() != null) {
+ this.rootCertificateServer = configurator.getCertificateServer();
+ } else {
+ rootCertificateServer =
+ HASecurityUtils.initializeRootCertificateServer(
+ conf, certificateStore, scmStorageConfig);
+ }
+
+ BigInteger certSerial =
Review comment:
Done
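Review bot: When `configurator.getCertificateServer()` is non-null, the same injected instance is assigned to both `scmCertificateServer` and, on the primary node, `rootCertificateServer`, and neither assignment calls `init(...)` with a `CAType`, so the intermediary/root distinction made in the two `else` branches is lost on that path. If the configurator hook is intended for tests only, say so where it is consumed, e.g. `// Test hook: a configurator-supplied server stands in for both the root and the intermediary CA and is assumed to be pre-initialized`; if it is meant for production use it should get the same `init(...)` calls as the default servers. The sub-CA subject is built from `InetAddress.getLocalHost().getHostName()`, so SCMs that resolve to the same local hostname (e.g. several SCMs on one host in a test cluster) would produce colliding CA subjects; `scmStorageConfig.getScmId()`, already passed to `DefaultCAServer`, is a unique identifier that could be folded into the subject. The method continues past `BigInteger certSerial =`, so the certificate issuance that follows could not be reviewed.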