vivekratnavel commented on a change in pull request #2878:
URL: https://github.com/apache/ozone/pull/2878#discussion_r760450936
##########
File path:
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
##########
@@ -175,6 +194,22 @@ public SecurityConfig(ConfigurationSource configuration) {
this.crlName = this.configuration.get(HDDS_X509_CRL_NAME,
HDDS_X509_CRL_NAME_DEFAULT);
+ this.keystoreFilePath =
+ this.configuration.get(HDDS_CUSTOM_KEYSTORE_FILE_PATH);
+ this.truststoreFilePath =
+ this.configuration.get(HDDS_CUSTOM_TRUSTSTORE_FILE_PATH);
+ try {
+ this.keystoreFilePassword =
+ this.configuration.getPassword(HDDS_CUSTOM_KEYSTORE_FILE_PASSWORD);
+ this.keystoreKeyPassword =
+ this.configuration.getPassword(HDDS_CUSTOM_KEYSTORE_KEY_PASSWORD);
+ this.truststorePassword =
+ this.configuration.getPassword(HDDS_CUSTOM_TRUSTSTORE_PASSWORD);
+ } catch (IOException ioException) {
+ LOG.error("Error while getting custom Keystore / Truststore password.",
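Review bot: The single try block around the three getPassword calls means an IOException on HDDS_CUSTOM_KEYSTORE_FILE_PASSWORD also skips the lookups for HDDS_CUSTOM_KEYSTORE_KEY_PASSWORD and HDDS_CUSTOM_TRUSTSTORE_PASSWORD, and the message "Error while getting custom Keystore / Truststore password." does not say which key failed. If the catch only logs, as the visible lines suggest, the affected fields stay unset while construction continues. Consider naming the failing config key in the log message, or reading each password in its own try, so an operator can tell which credential entry is broken. keystoreFilePath and truststoreFilePath are also read with get(...) and no default, so they are null when unset; a short comment on the fields saying what null means for callers would help.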
Review comment:
@swagle, thank you for the review.
A runtime exception is not thrown here because we only initialize the
configs here. It is thrown when we try to read a custom CA certificate or
private key of any component -
https://github.com/apache/ozone/pull/2878/files#diff-9bfcb7cd5c8cf13a6f3421c441ea6b70fd476418627c911269d6d43e58c7440bR149
And
[loadAllCertificates()](https://github.com/apache/ozone/blob/master/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java#L117)
is part of security init of all the components when security is enabled. So,
we will catch any misconfigurations in the security bootstrap flow.