[ 
https://issues.apache.org/jira/browse/HDDS-15817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

István Fajth updated HDDS-15817:
--------------------------------
    Attachment: HDDS-15817.patch

> Apply configured gRPC TLS provider, protocols, and cipher suites to Ratis 
> endpoints
> -----------------------------------------------------------------------------------
>
>                 Key: HDDS-15817
>                 URL: https://issues.apache.org/jira/browse/HDDS-15817
>             Project: Apache Ozone
>          Issue Type: Improvement
>    Affects Versions: 2.3.0
>            Reporter: István Fajth
>            Assignee: István Fajth
>            Priority: Major
>         Attachments: HDDS-15817.patch
>
>
> Ozone exposes {{hdds.grpc.tls.provider}}, {{hdds.grpc.tls.protocols}}, and 
> {{hdds.grpc.tls.ciphers}}, and already applies them to its directly-managed 
> gRPC servers (the datanode data path, container replication, inter-SCM, and 
> the OM S3 gateway). The Ratis-fronted endpoints, however — the SCM, OM, and 
> datanode Raft servers and their clients — ignore these settings. As a result, 
> operators can harden the TLS protocol versions, cipher suites, and SSL 
> provider on most of Ozone's gRPC surface but not on the Raft ports, which 
> stay on provider defaults.
> This task wires the existing {{hdds.grpc.tls.*}} settings into the TLS 
> configuration Ozone hands to Ratis, so that the Raft server, client, admin, 
> and data-stream endpoints enforce the same provider, protocol, and cipher 
> policy as the rest of the gRPC servers. No new configuration keys are added, 
> and behavior is unchanged when the settings are left unset.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to