fapifta commented on code in PR #3930:
URL: https://github.com/apache/ozone/pull/3930#discussion_r1016109393
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java:
##########
@@ -60,6 +60,11 @@ public SCMCertificateClient(SecurityConfig securityConfig,
super(securityConfig, LOG, certSerialId, component);
}
+ @Override
+ protected boolean handleExpiration() {
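Review bot: handleExpiration() is overridden here with no comment saying what the returned boolean means for the SCM client. A short Javadoc on the override stating when it returns true and when it returns false would let a reader check the expiry path without opening the base class.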
Review Comment:
done.
##########
hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java:
##########
@@ -474,4 +484,46 @@ public void testInitCertAndKeypairValidationFailures()
throws Exception {
omClientLog.clearOutput();
}
+ @SuppressWarnings("checkstyle:LeftCurly")
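Review bot: The @SuppressWarnings("checkstyle:LeftCurly") on the new test silences the formatting rule instead of satisfying it. Put the opening brace where checkstyle expects it and drop the annotation, so the test is held to the same checks as the rest of the file.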
Review Comment:
nope, removed :)
##########
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/HddsConfigKeys.java:
##########
@@ -184,6 +184,16 @@ public final class HddsConfigKeys {
// Default Certificate duration to one year.
public static final String HDDS_X509_DEFAULT_DURATION_DEFAULT = "P365D";
+ /**
+ * Duration in days within which before the certificate expiration date the
+ * certificate is automatically renewed.
+ * Default is 28 days.
+ */
+ public static final String HDDS_X509_RENEW_GRACE_DURATION =
+ "hdds.x509.renew.grace.duration";
+
+ public static final String HDDS_X509_RENEW_GRACE_DURATION_DEFAULT = "28";
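Review bot: HDDS_X509_RENEW_GRACE_DURATION_DEFAULT is the bare number "28", while HDDS_X509_DEFAULT_DURATION_DEFAULT in the context line above is the ISO-8601 duration "P365D", so two related certificate settings use different value formats and the unit of the new one is stated only in the Javadoc. Consider "P28D", parsed the same way as the certificate duration, and reword the Javadoc's first sentence ("Duration in days within which before the certificate expiration date") to something like "Time before the certificate expiration date at which the certificate is automatically renewed". A check that the grace period is shorter than the configured certificate duration would also catch a setting under which every certificate is due for renewal as soon as it is issued.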
Review Comment:
done.
##########
hadoop-hdds/common/src/main/resources/ozone-default.xml:
##########
@@ -2077,6 +2077,14 @@
valid. The formats accepted are based on the ISO-8601 duration format
PnDTnHnMn.nS</description>
</property>
+ <property>
+ <name>hdds.x509.renew.grace.duration</name>
+ <value>28</value>
+ <tag>OZONE, HDDS, SECURITY</tag>
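Review bot: The value 28 for hdds.x509.renew.grace.duration carries no unit, and it sits directly after a property whose description says the accepted formats are ISO-8601 durations (PnDTnHnMn.nS), so an operator following that pattern would write P28D here. Either accept the same duration format for this key or have its description state that the value is a whole number of days.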
Review Comment:
done.
##########
hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java:
##########
@@ -339,6 +339,11 @@ public void initializeCertificateClient(OzoneConfiguration
config)
LOG.info("Initializing secure Datanode.");
CertificateClient.InitResponse response = dnCertClient.init();
+ if (response.equals(CertificateClient.InitResponse.REINIT)) {
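Review bot: response.equals(CertificateClient.InitResponse.REINIT) throws a NullPointerException if init() ever returns null. With InitResponse being an enum, response == CertificateClient.InitResponse.REINIT is the null-safe and idiomatic comparison.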
Review Comment:
Not really...
As in this case we need to redo the initialization step in a new instance
that loads the certificate data from disk again and instantiates with a clean
internal state.
If I create the new instance within the switch and call init, I need to get
to the same switch case again, with the result of the new initialization, and I
can not imagine a way of doing so within the switch case.