István Fajth created HDDS-15817:
-----------------------------------
Summary: Apply configured gRPC TLS provider, protocols, and cipher
suites to Ratis endpoints
Key: HDDS-15817
URL: https://issues.apache.org/jira/browse/HDDS-15817
Project: Apache Ozone
Issue Type: Improvement
Affects Versions: 2.3.0
Reporter: István Fajth
Assignee: István Fajth
Ozone exposes {{hdds.grpc.tls.provider}}, {{hdds.grpc.tls.protocols}}, and
{{hdds.grpc.tls.ciphers}}, and already applies them to its directly-managed
gRPC servers (the datanode data path, container replication, inter-SCM, and the
OM S3 gateway). The Ratis-fronted endpoints, however — the SCM, OM, and
datanode Raft servers and their clients — ignore these settings. As a result,
operators can harden the TLS protocol versions, cipher suites, and SSL provider
on most of Ozone's gRPC surface but not on the Raft ports, which stay on
provider defaults.
This task wires the existing {{hdds.grpc.tls.*}} settings into the TLS
configuration Ozone hands to Ratis, so that the Raft server, client, admin, and
data-stream endpoints enforce the same provider, protocol, and cipher policy as
the rest of the gRPC servers. No new configuration keys are added, and behavior
is unchanged when the settings are left unset.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]