[ https://issues.apache.org/jira/browse/HDDS-10509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17923775#comment-17923775 ]

István Fajth commented on HDDS-10509:
-------------------------------------

The Client-to-DataNode connection is the only place we do not have mTLS, and we 
identify the client based on a block/container token, while the client side 
gets the rootCA certificate and validates the identity of the DataNode based on 
the DataNode's certificate and the root of trust (the rootCA).

I am not sure how you see it as possible to pass the TLS conf to the RatisShell. 
If this goes directly, we end up with the original problem: TLSConf has to 
contain an RSA KeyPair and a certificate that is signed by the cluster's 
rootCA certificate, about which I shared my concerns earlier.

> Allow running ratis shell commands in secure Ozone cluster.
> -----------------------------------------------------------
>
>                 Key: HDDS-10509
>                 URL: https://issues.apache.org/jira/browse/HDDS-10509
>             Project: Apache Ozone
>          Issue Type: Sub-task
>          Components: Tools
>            Reporter: Tsz-wo Sze
>            Assignee: Rishabh Patel
>            Priority: Major
>
> When Ozone is in secure mode, running ratis shell directly cannot access 
> Ozone since ratis shell does not have Ozone UserGroupInformation.  We should 
> add a new Ozone command to run ratis shell.  The new Ozone command can get 
> the UserGroupInformation and then run the ratis commands.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
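The comment above describes an asymmetric trust model on the Client-to-DataNode path: the DataNode is authenticated by its certificate chained to the rootCA, while the client is identified only by a block/container token, so the client never needs its own keypair or rootCA-signed certificate. The following is an added example (not Ozone's or Ratis's code, and not Ozone's real token format) of the token side of that model: a stand-in issuer binds a client identity to one block, a set of access modes and an expiry, and the DataNode-side check verifies the signature before trusting any claim. The shared HMAC secret, the claim names and the sample block IDs are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the key material the token issuer and the DataNode
# share; Ozone's real block tokens use their own scheme. Demo value only.
ISSUER_SECRET = b"constructed-demo-secret-not-for-real-use"


def _sign(payload: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over the serialized claims (stand-in for the real signer)."""
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_block_token(owner: str, block_id: str, modes: list, ttl_seconds: int,
                      secret: bytes = ISSUER_SECRET, now: float = None) -> str:
    """Issue a token binding a client identity to one block, a set of access
    modes and an expiry. The client presents it over a TLS connection in which
    only the DataNode holds a certificate; the client itself holds no keypair."""
    now = time.time() if now is None else now
    claims = {"owner": owner, "block": block_id, "modes": sorted(modes),
              "exp": int(now + ttl_seconds)}
    # Canonical serialization so the signed bytes are unambiguous.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = _sign(payload, secret)
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())


def verify_block_token(token: str, block_id: str, mode: str,
                       secret: bytes = ISSUER_SECRET, now: float = None) -> str:
    """DataNode-side check. Returns the token owner on success and raises
    ValueError otherwise. The signature is verified before any claim is read,
    and the token must match the block and access mode actually requested."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Constant-time comparison: reject before parsing untrusted claims.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["block"] != block_id:
        raise ValueError("token is bound to a different block")
    if mode not in claims["modes"]:
        raise ValueError(f"mode {mode} not granted by token")
    return claims["owner"]


def token_is_valid(token: str, block_id: str, mode: str, now: float) -> bool:
    """Boolean wrapper around verify_block_token for callers that only need
    an accept/reject decision."""
    try:
        verify_block_token(token, block_id, mode, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a read token for one block, valid for ten minutes.
    t0 = 1_700_000_000.0
    tok = issue_block_token("alice", "blk-0001", ["READ"], 600, now=t0)
    print("owner:", verify_block_token(tok, "blk-0001", "READ", now=t0 + 10))
    print("other block accepted?", token_is_valid(tok, "blk-0002", "READ", t0 + 10))
    print("write accepted?", token_is_valid(tok, "blk-0001", "WRITE", t0 + 10))
    print("after expiry accepted?", token_is_valid(tok, "blk-0001", "READ", t0 + 601))
```

The point the check makes is the one the comment relies on: the DataNode can authenticate the client from the token alone, because the token's binding to block, mode and expiry is what constrains the client, not a client certificate.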
