fapifta commented on code in PR #3930:
URL: https://github.com/apache/ozone/pull/3930#discussion_r1016109509


##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -705,13 +708,28 @@ public synchronized InitResponse init() throws 
CertificateException {
     if (certificate != null) {
       initCase = initCase | 1;
     }
+
+    Calendar shouldRenewAfter = Calendar.getInstance();
+    shouldRenewAfter
+        .add(Calendar.DAY_OF_YEAR, securityConfig.getRenewalGraceDays());
+    if (initCase == InitCase.ALL.ordinal() &&
+        handleExpiration() && certificate != null &&
+        certificate.getNotAfter().before(shouldRenewAfter.getTime())) {
+      InitCase init = InitCase.EXPIRES;
+      return handleCase(init);
+    }
+
     getLogger().info("Certificate client init case: {}", initCase);
     Preconditions.checkArgument(initCase < 8, "Not a " +
         "valid case.");
     InitCase init = InitCase.values()[initCase];
     return handleCase(init);
   }
 
+  protected boolean handleExpiration() {
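Review bot: the early `return handleCase(init)` in the renewal branch skips the `getLogger().info("Certificate client init case: {}", initCase)` line that follows it, so an init that takes the `InitCase.EXPIRES` path leaves no log record of which case ran or why; log the case together with `certificate.getNotAfter()` and the grace window before returning. Two smaller points on the condition: `certificate != null` is already implied once `initCase == InitCase.ALL.ordinal()` (the `| 1` bit above is only set when `certificate != null`, assuming ALL includes that bit), so it can be dropped, and `getNotAfter().before(shouldRenewAfter.getTime())` is also true for a certificate that has already expired, so if the already-expired and about-to-expire situations are meant to be handled identically a comment saying so would help the next reader.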

Review Comment:
   Yes, you are right, this can be simplified. Done.



##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -774,6 +797,19 @@ protected InitResponse handleCase(InitCase init)
     }
   }
 
+  protected void removeMaterial() throws CertificateException {
+    try {
+      FileUtils.deleteDirectory(
+          securityConfig.getKeyLocation(component).toFile());
+      getLogger().info("Certificate renewal: key material is removed.");
+      FileUtils.deleteDirectory(
+          securityConfig.getCertificateLocation(component).toFile());
+      getLogger().info("Certificate renewal: certificates are removed.");
+    } catch (IOException e) {
+      throw new CertificateException("Certificate renewal failed.", e);
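Review bot: `removeMaterial()` deletes the key directory first and the certificate directory second with no copy kept, so an `IOException` on the second `deleteDirectory` (or a crash between the two calls) leaves the component with certificates but no matching private key, and the `CertificateException("Certificate renewal failed.", e)` does not say which of the two locations failed. Consider moving the existing material aside before removing it so a failed renewal can be rolled back, and include the offending path in the exception message.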

Review Comment:
   done.



##########
hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/ha/HASecurityUtils.java:
##########
@@ -93,6 +93,11 @@ public static void initializeSecurity(SCMStorageConfig 
scmStorageConfig,
     CertificateClient certClient =
         new SCMCertificateClient(new SecurityConfig(conf));
     InitResponse response = certClient.init();
+    if (response.equals(CertificateClient.InitResponse.REINIT)) {
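Review bot: `response.equals(CertificateClient.InitResponse.REINIT)` compares enum constants with `equals`; `response == CertificateClient.InitResponse.REINIT` is the idiomatic form and cannot throw if `init()` ever returns null. The hunk is cut off after the `if`, so the REINIT handling for SCM is not visible here; if this branch is being removed as the reply below says, the final diff should no longer carry it.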

Review Comment:
   Yes, you are right. I have removed this code, and this way SCM will still fail if the certificate is expired, but that is still expected, and it is expected by default just after 5 years.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
