[jira] [Updated] (HDDS-7220) SCM should use sub-ca certificate for token signature without HA enabled.

Sammi Chen (Jira) Thu, 27 Oct 2022 02:00:35 -0700


     [ 
https://issues.apache.org/jira/browse/HDDS-7220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Sammi Chen updated HDDS-7220:
-----------------------------
    Fix Version/s: 1.3.0, 1.4.0

> SCM should use sub-ca certificate for token signature without HA enabled. 
> --------------------------------------------------------------------------
>
>                 Key: HDDS-7220
>                 URL: https://issues.apache.org/jira/browse/HDDS-7220
>             Project: Apache Ozone
>          Issue Type: Bug
>            Reporter: Sammi Chen
>            Assignee: Sammi Chen
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 1.3.0, 1.4.0
>
>
> Currently,  SCM is using root CA certificate to sign the container token 
> signature. Root CA certificate usage is for CRL sign and certificate sign, 
> not including signature.  The token signed by root CA certificate cannot be 
> verified by DN. Here is an example exception,
>  
> 2022-09-05 15:38:09,369 INFO 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher: Operation: 
> DeleteContainer , Trace ID:  , Message: Block token verification failed. 
> Error while signing the stream , Result: BLOCK_TOKEN_VERIFICATION_FAILED , 
> StorageContainerException Occurred.
> org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException:
>  Block token verification failed. Error while signing the stream
>         at 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:212)
>         at 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.lambda$dispatch$0(HddsDispatcher.java:169)
>         at 
> org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher.processRequest(OzoneProtocolMessageDispatcher.java:87)
>         at 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatch(HddsDispatcher.java:168)
>         at 
> org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:57)
>         at 
> org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:50)
>         at 
> org.apache.ratis.thirdparty.io.grpc.stub.ServerCalls$StreamingServerCallHandler$StreamingServerCallListener.onMessage(ServerCalls.java:255)
>         at 
> org.apache.ratis.thirdparty.io.grpc.ForwardingServerCallListener.onMessage(ForwardingServerCallListener.java:33)
>         at 
> org.apache.hadoop.hdds.tracing.GrpcServerInterceptor$1.onMessage(GrpcServerInterceptor.java:49)
>         at 
> org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailableInternal(ServerCallImpl.java:309)
>         at 
> org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailable(ServerCallImpl.java:292)
>         at 
> org.apache.ratis.thirdparty.io.grpc.internal.ServerImpl$JumpToApplicationThreadServerStreamListener$1MessagesAvailable.runInContext(ServerImpl.java:782)
>         at 
> org.apache.ratis.thirdparty.io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
>         at 
> org.apache.ratis.thirdparty.io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: 
> org.apache.hadoop.hdds.security.x509.exceptions.CertificateException: Error 
> while signing the stream
>         at 
> org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:468)
>         at 
> org.apache.hadoop.hdds.security.token.ShortLivedTokenVerifier.verify(ShortLivedTokenVerifier.java:111)
>         at 
> org.apache.hadoop.hdds.security.token.CompositeTokenVerifier.verify(CompositeTokenVerifier.java:43)
>         at 
> org.apache.hadoop.hdds.security.token.TokenVerifier.verify(TokenVerifier.java:71)
>         at 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.validateToken(HddsDispatcher.java:428)
>         at 
> org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:209)
>         ... 16 more
> Caused by: java.security.InvalidKeyException: Wrong key usage
>         at java.security.Signature.initVerify(Signature.java:504)
>         at 
> org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:462)
>         ... 21 more



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Updated] (HDDS-7220) SCM should use sub-ca certificate for token signature without HA enabled.

Reply via email to