[ https://issues.apache.org/jira/browse/HDDS-7220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sammi Chen updated HDDS-7220:
-----------------------------
Fix Version/s: 1.3.0, 1.4.0
> SCM should use sub-ca certificate for token signature without HA enabled.
> --------------------------------------------------------------------------
>
> Key: HDDS-7220
> URL: https://issues.apache.org/jira/browse/HDDS-7220
> Project: Apache Ozone
> Issue Type: Bug
> Reporter: Sammi Chen
> Assignee: Sammi Chen
> Priority: Critical
> Labels: pull-request-available
> Fix For: 1.3.0, 1.4.0
>
>
> Currently, SCM is using the root CA certificate to sign the container token
> signature. The root CA certificate's key usage is for CRL signing and
> certificate signing, not for digital signature. A token signed by the root CA
> certificate cannot be verified by the DN. Here is an example exception:
>
> 2022-09-05 15:38:09,369 INFO org.apache.hadoop.ozone.container.common.impl.HddsDispatcher: Operation: DeleteContainer , Trace ID: , Message: Block token verification failed. Error while signing the stream , Result: BLOCK_TOKEN_VERIFICATION_FAILED , StorageContainerException Occurred.
> org.apache.hadoop.hdds.scm.container.common.helpers.StorageContainerException: Block token verification failed. Error while signing the stream
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:212)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.lambda$dispatch$0(HddsDispatcher.java:169)
>         at org.apache.hadoop.hdds.server.OzoneProtocolMessageDispatcher.processRequest(OzoneProtocolMessageDispatcher.java:87)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatch(HddsDispatcher.java:168)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:57)
>         at org.apache.hadoop.ozone.container.common.transport.server.GrpcXceiverService$1.onNext(GrpcXceiverService.java:50)
>         at org.apache.ratis.thirdparty.io.grpc.stub.ServerCalls$StreamingServerCallHandler$StreamingServerCallListener.onMessage(ServerCalls.java:255)
>         at org.apache.ratis.thirdparty.io.grpc.ForwardingServerCallListener.onMessage(ForwardingServerCallListener.java:33)
>         at org.apache.hadoop.hdds.tracing.GrpcServerInterceptor$1.onMessage(GrpcServerInterceptor.java:49)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailableInternal(ServerCallImpl.java:309)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerCallImpl$ServerStreamListenerImpl.messagesAvailable(ServerCallImpl.java:292)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ServerImpl$JumpToApplicationThreadServerStreamListener$1MessagesAvailable.runInContext(ServerImpl.java:782)
>         at org.apache.ratis.thirdparty.io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
>         at org.apache.ratis.thirdparty.io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:123)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.hadoop.hdds.security.x509.exceptions.CertificateException: Error while signing the stream
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:468)
>         at org.apache.hadoop.hdds.security.token.ShortLivedTokenVerifier.verify(ShortLivedTokenVerifier.java:111)
>         at org.apache.hadoop.hdds.security.token.CompositeTokenVerifier.verify(CompositeTokenVerifier.java:43)
>         at org.apache.hadoop.hdds.security.token.TokenVerifier.verify(TokenVerifier.java:71)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.validateToken(HddsDispatcher.java:428)
>         at org.apache.hadoop.ozone.container.common.impl.HddsDispatcher.dispatchRequest(HddsDispatcher.java:209)
>         ... 16 more
> Caused by: java.security.InvalidKeyException: Wrong key usage
>         at java.security.Signature.initVerify(Signature.java:504)
>         at org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient.verifySignature(DefaultCertificateClient.java:462)
>         ... 21 more
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
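The "Wrong key usage" in the innermost cause comes from the JDK itself: Signature.initVerify(Certificate) inspects the certificate's KeyUsage extension and refuses to verify with a certificate whose digitalSignature bit is unset, which is exactly the shape of a root CA certificate carrying only keyCertSign and cRLSign. The following stand-alone program is an added illustration, not Ozone code and not the fix from the pull request: it issues two self-signed certificates with BouncyCastle (assumed to be on the classpath; bcprov and bcpkix), signs a constructed sample token with each key, and verifies the way a DN does, against the certificate rather than the bare public key. The class and method names (KeyUsageSignatureDemo, selfSigned, canSignTokens) are hypothetical. One caveat worth knowing when reading the trace: the JDK only enforces the digitalSignature bit when the KeyUsage extension is marked critical, as it is on real CA certificates and in this demo.

```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Hypothetical demo (not Ozone code). Reproduces
 * "InvalidKeyException: Wrong key usage" with a CA-only certificate and shows
 * verification succeeding with a certificate whose KeyUsage includes
 * digitalSignature. Assumes BouncyCastle (bcprov, bcpkix) on the classpath.
 */
public class KeyUsageSignatureDemo {

  private static final String SIG_ALG = "SHA256withRSA";

  /** Issues a self-signed certificate for kp with the given KeyUsage bits. */
  static X509Certificate selfSigned(KeyPair kp, String cn, int keyUsageBits) throws Exception {
    X500Name subject = new X500Name("CN=" + cn);
    Date notBefore = new Date();
    Date notAfter = new Date(notBefore.getTime() + 24L * 3600 * 1000);
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
        subject, BigInteger.ONE, notBefore, notAfter, subject, kp.getPublic());
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    // KeyUsage is marked critical, as on real CA certificates. The JDK's
    // Signature.initVerify(Certificate) only enforces the digitalSignature
    // bit when the extension is critical.
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsageBits));
    ContentSigner signer = new JcaContentSignerBuilder(SIG_ALG).build(kp.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
  }

  /** Signs token bytes the way an issuer (SCM) would. Signing itself never checks KeyUsage. */
  static byte[] sign(PrivateKey key, byte[] token) throws Exception {
    Signature s = Signature.getInstance(SIG_ALG);
    s.initSign(key);
    s.update(token);
    return s.sign();
  }

  /**
   * Verifies the way a DN does: initVerify with the certificate, not the bare
   * public key. This is the call that throws InvalidKeyException("Wrong key
   * usage") when the certificate lacks the digitalSignature bit.
   */
  static boolean verify(X509Certificate cert, byte[] token, byte[] sig) throws Exception {
    Signature v = Signature.getInstance(SIG_ALG);
    v.initVerify(cert);
    v.update(token);
    return v.verify(sig);
  }

  /** Pre-deployment check for a certificate that is meant to sign tokens. */
  static boolean canSignTokens(X509Certificate cert) {
    boolean[] ku = cert.getKeyUsage();   // null when the extension is absent
    return ku == null || ku[0];          // index 0 is digitalSignature
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    // Constructed sample input standing in for a serialized container token.
    byte[] token = "constructed-sample-container-token".getBytes("UTF-8");

    // 1) Root-CA-style certificate: keyCertSign + cRLSign only.
    KeyPair rootKp = kpg.generateKeyPair();
    X509Certificate rootCert = selfSigned(rootKp, "root-ca",
        KeyUsage.keyCertSign | KeyUsage.cRLSign);
    byte[] sigByRoot = sign(rootKp.getPrivate(), token);
    System.out.println("root cert suitable for token signing: " + canSignTokens(rootCert));
    try {
      verify(rootCert, token, sigByRoot);
      System.out.println("unexpected: verification with the root cert succeeded");
    } catch (InvalidKeyException e) {
      // Same exception and message as the innermost cause in the DN log above.
      System.out.println("root cert rejected by initVerify: " + e.getMessage());
    }

    // 2) Sub-CA-style certificate: additionally carries digitalSignature.
    //    Self-signed here for brevity; a real sub-CA is issued by the root.
    KeyPair subKp = kpg.generateKeyPair();
    X509Certificate subCert = selfSigned(subKp, "sub-ca",
        KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature);
    byte[] sigBySub = sign(subKp.getPrivate(), token);
    System.out.println("sub cert suitable for token signing: " + canSignTokens(subCert));
    System.out.println("sub cert verifies token: " + verify(subCert, token, sigBySub));
  }
}
```

The asymmetry is the whole bug: signing with the root key succeeds, because Signature.initSign takes a PrivateKey and has no certificate to check, so SCM never notices; the failure only surfaces on the DN, which verifies against the certificate. The canSignTokens check is the cheap guard to run against whatever certificate a token issuer is configured with, and it is the property the issue title points at: the sub-CA certificate has the digitalSignature bit, the root CA certificate does not.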