[
https://issues.apache.org/jira/browse/HDDS-10509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913791#comment-17913791
]
István Fajth commented on HDDS-10509:
-------------------------------------
This code, which creates a TLS client config, is [creating the TLSConf without
mTLS|https://github.com/apache/ozone/blob/master/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/ratis/RatisHelper.java#L427].
The Ratis server side is created with a server configuration...
- for OM
[here|https://github.com/apache/ozone/blob/master/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ratis/utils/OzoneManagerRatisUtils.java#L512-L519]
- for SCM
[here|https://github.com/apache/ozone/blob/master/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java#L154-L161]
- for DataNode
[here|https://github.com/apache/ozone/blob/master/hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/ratis/XceiverServerRatis.java#L543-L556]
In all these cases mTLS is set, so no client can connect to them without a
signed certificate; the only exception is the DataNodes' RatisServer (and I am
not sure if it is just the client port of the DN Ratis servers, or the admin and
the server port as well, but it may depend on the configuration). Am I missing
something [~szetszwo]? If my understanding is correct, to send requests to
these Ratis servers with mTLS between OM and SCM, we will require a certificate
to authenticate via mTLS, and that will require changes to the PKI system, as
mTLS is the only authentication between the nodes in this case.
On the other hand, opening up this API to administrators extends the attack
surface and may have security implications, but at the very least we will need
to be careful about whom we issue certificates to within CLI tools, and how long
those certificates should be valid... I can imagain multiple different
solutions, but we need to take care of their security implications for sure.
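To make the mismatch the comment describes concrete, the sketch below contrasts a client-side Ratis TLS config that carries no key material (trust store only, mTLS flag off) with one that presents a certificate, and shows the server-side shape that demands a client certificate. This is an added example, not code from Apache Ozone or Apache Ratis; it assumes the public `GrpcTlsConfig(PrivateKey, X509Certificate, List<X509Certificate>, boolean)` constructor and the `GrpcConfigKeys.Admin/Client/Server.setTls` helpers of Ratis, and the `loadKey`/`loadCert`/`loadCaChain` loaders are placeholders for however a tool obtains its PEM material.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.List;

import org.apache.ratis.conf.Parameters;
import org.apache.ratis.grpc.GrpcConfigKeys;
import org.apache.ratis.grpc.GrpcTlsConfig;

/**
 * Added example (not project code): how a CLI tool's Ratis TLS settings must
 * look if it is to reach an OM/SCM Ratis server that enforces mutual TLS.
 */
public final class RatisShellTlsExample {

  /** Trust-store-only config: verifies the server but offers no client cert.
   *  This is the "without mTLS" shape; a server with mTLS enabled will
   *  reject the handshake because no client certificate is presented. */
  static GrpcTlsConfig serverAuthOnly(List<X509Certificate> clusterCaChain) {
    return new GrpcTlsConfig(null, null, clusterCaChain, false);
  }

  /** Client config that presents a certificate issued by the cluster CA.
   *  The key/cert pair is what a future "ozone ratis ..." command would need
   *  to obtain from the Ozone PKI before it can talk to a secured server. */
  static GrpcTlsConfig mutualTls(PrivateKey toolKey,
                                 X509Certificate toolCert,
                                 List<X509Certificate> clusterCaChain) {
    return new GrpcTlsConfig(toolKey, toolCert, clusterCaChain, true);
  }

  /** Server-side shape for reference: the trailing 'true' is the flag that
   *  makes the server require and validate a client certificate. */
  static GrpcTlsConfig serverRequiringClientCert(PrivateKey serverKey,
                                                 X509Certificate serverCert,
                                                 List<X509Certificate> caChain) {
    return new GrpcTlsConfig(serverKey, serverCert, caChain, true);
  }

  /** Wire one TLS config onto all three Ratis gRPC endpoints (admin, client,
   *  server) of a Parameters object that a RaftClient builder would consume. */
  static Parameters wire(GrpcTlsConfig tls) {
    Parameters parameters = new Parameters();
    GrpcConfigKeys.Admin.setTls(parameters, tls);
    GrpcConfigKeys.Client.setTls(parameters, tls);
    GrpcConfigKeys.Server.setTls(parameters, tls);
    return parameters;
  }

  /** Guard for the lifetime concern raised above: refuse to use a tool
   *  certificate whose remaining validity exceeds a policy maximum, so a
   *  long-lived operator credential is never silently accepted. */
  static void requireShortLived(X509Certificate toolCert, Duration maxLifetime) {
    Instant notAfter = toolCert.getNotAfter().toInstant();
    Duration remaining = Duration.between(Instant.now(), notAfter);
    if (remaining.isNegative()) {
      throw new IllegalStateException("tool certificate has expired");
    }
    if (remaining.compareTo(maxLifetime) > 0) {
      throw new IllegalStateException(
          "tool certificate valid for " + remaining.toHours()
              + "h, exceeds policy maximum of " + maxLifetime.toHours() + "h");
    }
  }

  public static void main(String[] args) throws Exception {
    // Placeholders: a real tool would load these via UserGroupInformation /
    // the Ozone certificate client; they are assumptions in this example.
    List<X509Certificate> caChain = loadCaChain();
    PrivateKey key = loadKey();
    X509Certificate cert = loadCert();

    requireShortLived(cert, Duration.ofHours(24));
    Parameters params = wire(mutualTls(key, cert, caChain));
    // RaftClient.newBuilder().setParameters(params)... would follow here.
    System.out.println("mTLS client parameters prepared: " + (params != null));
  }

  private static List<X509Certificate> loadCaChain() { throw new UnsupportedOperationException("placeholder"); }
  private static PrivateKey loadKey() { throw new UnsupportedOperationException("placeholder"); }
  private static X509Certificate loadCert() { throw new UnsupportedOperationException("placeholder"); }
}
```

The point of the contrast is the last constructor argument: a client built with `serverAuthOnly` can only ever reach an endpoint whose server config passed `false`, which on the current code paths linked above is the DataNode case at most. Anything that should reach OM or SCM has to go through the `mutualTls` shape, which is exactly where the PKI and certificate-lifetime questions arise.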
> Allow running ratis shell commands in secure Ozone cluster.
> -----------------------------------------------------------
>
> Key: HDDS-10509
> URL: https://issues.apache.org/jira/browse/HDDS-10509
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Tools
> Reporter: Tsz-wo Sze
> Assignee: Rishabh Patel
> Priority: Major
>
> When Ozone is in secure mode, running ratis shell directly cannot access
> Ozone since ratis shell does not have Ozone UserGroupInformation. We should
> add a new Ozone command to run ratis shell. The new Ozone command can get
> the UserGroupInformation and then run the ratis commands.