bharatviswa504 commented on a change in pull request #2000:
URL: https://github.com/apache/ozone/pull/2000#discussion_r604648797



##########
File path: 
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/StorageContainerManager.java
##########
@@ -558,44 +577,99 @@ private void initializeSystemManagers(OzoneConfiguration 
conf,
    */
   private void initializeCAnSecurityProtocol(OzoneConfiguration conf,
       SCMConfigurator configurator) throws IOException {
-    if(configurator.getCertificateServer() != null) {
-      this.certificateServer = configurator.getCertificateServer();
+
+    // TODO: Support Certificate Server loading via Class Name loader.
+    // So it is easy to use different Certificate Servers if needed.
+    if(this.scmMetadataStore == null) {
+      LOG.error("Cannot initialize Certificate Server without a valid meta " +
+          "data layer.");
+      throw new SCMException("Cannot initialize CA without a valid metadata " +
+          "store", ResultCodes.SCM_NOT_INITIALIZED);
+    }
+
+    certificateStore =
+        new SCMCertStore.Builder().setMetadaStore(scmMetadataStore)
+            .setRatisServer(scmHAManager.getRatisServer())
+            .setCRLSequenceId(getLastSequenceIdForCRL()).build();
+
+
+    // If primary SCM node Id is set it means this is a cluster which has
+    // performed init with SCM HA version code.
+    if (scmStorageConfig.checkPrimarySCMIdInitialized()) {
+      // Start specific instance SCM CA server.
+      String subject = SCM_SUB_CA_PREFIX +
+          InetAddress.getLocalHost().getHostName();
+      if (configurator.getCertificateServer() != null) {
+        this.scmCertificateServer = configurator.getCertificateServer();
+      } else {
+        scmCertificateServer = new DefaultCAServer(subject,
+            scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(),
+            certificateStore, new DefaultProfile(),
+            scmCertificateClient.getComponentName());
+        // INTERMEDIARY_CA which issues certs to DN and OM.
+        scmCertificateServer.init(new SecurityConfig(configuration),
+            CertificateServer.CAType.INTERMEDIARY_CA);
+      }
+
+      if (primaryScmNodeId.equals(scmStorageConfig.getScmId())) {
+        if (configurator.getCertificateServer() != null) {
+          this.rootCertificateServer = configurator.getCertificateServer();
+        } else {
+          rootCertificateServer =
+              HASecurityUtils.initializeRootCertificateServer(
+              conf, certificateStore, scmStorageConfig);
+        }
+
+        BigInteger certSerial =
+            scmCertificateClient.getCertificate().getSerialNumber();
+        // Store the certificate in DB. On primary SCM when init happens, the
+        // certificate is not persisted to DB. As we don't have Metadatstore
+        // and ratis server initialized with statemachine. We need to do only
+        // for primary scm, for other bootstrapped scm's certificates will be
+        // persisted via ratis.
+        if (certificateStore.getCertificateByID(certSerial,
+            VALID_CERTS) == null) {
+          LOG.info("Storing certSerial {}", certSerial);
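Review bot: On the primary node the same `configurator.getCertificateServer()` instance is assigned to both `scmCertificateServer` (lines 39-40) and `rootCertificateServer` (lines 52-53), so one injected object ends up acting as both the intermediary CA and the root CA, and neither branch calls `init(...)` with a `CAType` the way the default branch does at lines 47-48. If the configurator is meant as a test-only hook this may be intended, but the assumption is not stated anywhere; a comment such as `// A configurator-supplied server is used for both the sub-CA and, on the primary node, the root CA, and is assumed to be already initialized.` above line 39 would make it explicit, or the configurator could expose separate accessors for the two roles. Lines 60-61 also call `scmCertificateClient.getCertificate().getSerialNumber()` without a null check; whether `getCertificate()` can return null at this point cannot be seen from the hunk, so that is worth confirming. The body of initializeCAnSecurityProtocol continues past the end of the quoted hunk.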

Review comment:
       Done. Let me know if that looks okay to you.



