fapifta commented on code in PR #3930:
URL: https://github.com/apache/ozone/pull/3930#discussion_r1016109334
##########
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java:
##########
@@ -184,6 +184,16 @@ public final class HddsConfigKeys {
// Default Certificate duration to one year.
public static final String HDDS_X509_DEFAULT_DURATION_DEFAULT = "P365D";
+ /**
+ * Duration in days within which before the certificate expiration date the
Review Comment:
Done, the new documentation says:
/**
* Duration of the grace period within which a certificate should be
* renewed before the current one expires.
* Default is 28 days.
*/
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -647,7 +650,8 @@ protected enum InitCase {
PRIVATE_KEY,
PRIVATEKEY_CERT,
PUBLICKEY_PRIVATEKEY,
- ALL
+ ALL,
+ EXPIRES
Review Comment:
Done.
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -705,13 +708,28 @@ public synchronized InitResponse init() throws
CertificateException {
if (certificate != null) {
initCase = initCase | 1;
}
+
+ Calendar shouldRenewAfter = Calendar.getInstance();
+ shouldRenewAfter
+ .add(Calendar.DAY_OF_YEAR, securityConfig.getRenewalGraceDays());
+ if (initCase == InitCase.ALL.ordinal() &&
Review Comment:
Yes we should do this with a more reasonable and readable code, but I would
like to defer this to further refactoring, that should come as part of
HDDS-7376.
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -774,6 +797,19 @@ protected InitResponse handleCase(InitCase init)
}
}
+ protected void removeMaterial() throws CertificateException {
+ try {
+ FileUtils.deleteDirectory(
+ securityConfig.getKeyLocation(component).toFile());
Review Comment:
For keys yes, for certs the dir contains also the root and intermediate CA
certificates and also in case of DNs the token issuer certificates, but all of
this is available via the SCM, and will be re-downloaded with normal operations
like when the first initialization of these are happening, so we don't need to
care.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
