[
https://issues.apache.org/jira/browse/HDDS-15817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
István Fajth updated HDDS-15817:
--------------------------------
Attachment: HDDS-15817.patch
> Apply configured gRPC TLS provider, protocols, and cipher suites to Ratis
> endpoints
> -----------------------------------------------------------------------------------
>
> Key: HDDS-15817
> URL: https://issues.apache.org/jira/browse/HDDS-15817
> Project: Apache Ozone
> Issue Type: Improvement
> Affects Versions: 2.3.0
> Reporter: István Fajth
> Assignee: István Fajth
> Priority: Major
> Attachments: HDDS-15817.patch
>
>
> Ozone exposes {{hdds.grpc.tls.provider}}, {{hdds.grpc.tls.protocols}}, and
> {{hdds.grpc.tls.ciphers}}, and already applies them to its directly-managed
> gRPC servers (the datanode data path, container replication, inter-SCM, and
> the OM S3 gateway). The Ratis-fronted endpoints, however — the SCM, OM, and
> datanode Raft servers and their clients — ignore these settings. As a result,
> operators can harden the TLS protocol versions, cipher suites, and SSL
> provider on most of Ozone's gRPC surface but not on the Raft ports, which
> stay on provider defaults.
> This task wires the existing {{hdds.grpc.tls.*}} settings into the TLS
> configuration Ozone hands to Ratis, so that the Raft server, client, admin,
> and data-stream endpoints enforce the same provider, protocol, and cipher
> policy as the rest of the gRPC servers. No new configuration keys are added,
> and behavior is unchanged when the settings are left unset.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]