xiaoyuyao commented on a change in pull request #2145:
URL: https://github.com/apache/ozone/pull/2145#discussion_r612021635



##########
File path: 
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/metadata/SCMDBDefinition.java
##########
@@ -141,7 +155,7 @@ public String getLocationConfigKey() {
   @Override
   public DBColumnFamilyDefinition[] getColumnFamilies() {
     return new DBColumnFamilyDefinition[] {DELETED_BLOCKS, VALID_CERTS,
-        VALID_SCM_CERTS, REVOKED_CERTS, PIPELINES, CONTAINERS, TRANSACTIONINFO,
-        CRLS, CRL_SEQUENCE_ID, SEQUENCE_ID};
+        VALID_SCM_CERTS, REVOKED_CERTS_V2, PIPELINES, CONTAINERS,
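
Review bot: In the returned array, `REVOKED_CERTS` is replaced by `REVOKED_CERTS_V2` rather than listed alongside it, so this definition no longer names the earlier revoked-certs column family. Unless the entries already stored there are copied into the V2 table, a certificate revoked before an upgrade would not be found through this definition afterwards. Suggest keeping `REVOKED_CERTS` in the array and adding `REVOKED_CERTS_V2` next to it until a migration has run.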

Review comment:
       Should we keep the REVOKED_CERTS and add a separate table as V2 for 
compatibility? Otherwise, it might break on upgrade. 

##########
File path: 
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMCertStore.java
##########
@@ -174,8 +175,12 @@ public void checkValidCertID(BigInteger serialID) throws 
IOException {
           // only if the revocation time has passed.
           if (now.after(revocationTime) || now.equals(revocationTime)) {
             for (X509Certificate cert : certsToRevoke) {
+              CertInfo certInfo = new CertInfo.Builder()
+                  .setX509Certificate(cert)
+                  .setTimestamp(now.getTime())
+                  .build();
               scmMetadataStore.getRevokedCertsTable()
-                  .putWithBatch(batch, cert.getSerialNumber(), cert);
+                  .putWithBatch(batch, cert.getSerialNumber(), certInfo);
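
Review bot: `.setTimestamp(now.getTime())` records the time this check ran, not `revocationTime`. Because the enclosing condition is `now.after(revocationTime) || now.equals(revocationTime)`, the stored value can be later than the intended revocation time. If the timestamp is meant to be the certificate's revocation date, derive it from `revocationTime` instead, and add a short comment stating which instant the `CertInfo` timestamp represents.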

Review comment:
       Here we might provide some migration from revokecert table to revokecert 
v2 table. 

##########
File path: 
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/metadata/SCMDBDefinition.java
##########
@@ -75,6 +80,15 @@
           X509Certificate.class,
           new X509CertificateCodec());
 
+  public static final DBColumnFamilyDefinition<BigInteger, CertInfo>
+      REVOKED_CERTS_V2 =
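
Review bot: The new `REVOKED_CERTS_V2` constant is declared without a comment, and its value type is `CertInfo` where the definition ending just above it uses `X509Certificate.class` with `X509CertificateCodec`. Suggest a Javadoc line stating why a second revoked-certs table exists, what `CertInfo` carries beyond the bare certificate, and whether the earlier table is still read.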

Review comment:
       @vivekratnavel and I had an offline discussion on this. Both crl 
sequence id and revoked certs replication will be taken care of by HDDS-5095 via 
Replicate annotation on the CertificateStore#revokeCertificates
