[jira] [Commented] (HDDS-5078) NPE during secure SCM initialization with HA code updated to an already existing cluster

Thu, 08 Apr 2021 15:44:03 -0700 


    [ 
https://issues.apache.org/jira/browse/HDDS-5078?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317535#comment-17317535
 ] 

István Fajth commented on HDDS-5078:
------------------------------------

Note:
In my test env modifying the initializeCertificateClient method to be like this 
solves the problem, but I am not sure whether this is a proper fix which 
considers all the cases, and I have not don any extensive testing so far, just 
assumed that we can have the client up and running safely in a single SCM 
environment...

{code}
  private void initializeCertificateClient() {
    if (scmStorageConfig.checkPrimarySCMIdInitialized()
        || !SCMHAUtils.isSCMHAEnabled(configuration)) {
      scmCertificateClient = new SCMCertificateClient(
          new SecurityConfig(configuration),
          scmStorageConfig.getScmCertSerialId());
    }
  }
{code}

> NPE during secure SCM initialization with HA code updated to an already 
> existing cluster
> ----------------------------------------------------------------------------------------
>
>                 Key: HDDS-5078
>                 URL: https://issues.apache.org/jira/browse/HDDS-5078
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: SCM HA
>            Reporter: István Fajth
>            Priority: Blocker
>
> During SCM initialization, the following causes an NPE:
> StorageContainerManager#initializeCertificateClient initializes the 
> scmCertificateClient only if scmStorageConfig#checkPrimarySCMIdInitialized() 
> evaluates to true. This evaluates to true, if the VERSION file contains 
> primaryScmNodeId with a value.
> If you upgrade an existing cluster with a single SCM to this code, the 
> VERSION file does not contain a primaryScmNodeId, so the scmCertificateClient 
> remains null.
> Later the initialization code calls the 
> StorageContainerManager#initializeCAnSecurityProtocol method, which at the 
> end creates the securityProtocolServer, for the constructor call the 
> rootCACert is provided by calling the scmCertificateClient#getCACertificate 
> method, but this is a null dereference as scmCertificateClient is null.
> The scmCertificateClient being null, can cause problems later as well, as it 
> is used multiple times unconditionally.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to