[GitHub] [ozone] fapifta commented on a diff in pull request #4032: HDDS-7572. Use keyManager and trustManager provided by keyStoreFactory in datanode grpc services

Tue, 06 Dec 2022 19:33:27 -0800 


fapifta commented on code in PR #4032:
URL: https://github.com/apache/ozone/pull/4032#discussion_r1041719679


##########
hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java:
##########
@@ -198,7 +198,7 @@ protected NettyChannelBuilder createChannel(DatanodeDetails 
dn, int port)
         NettyChannelBuilder.forAddress(dn.getIpAddress(), port).usePlaintext()
             .maxInboundMessageSize(OzoneConsts.OZONE_SCM_CHUNK_MAX_SIZE)
             .intercept(new GrpcClientInterceptor());
-    if (secConfig.isGrpcTlsEnabled()) {
+    if (secConfig.isSecurityEnabled() && secConfig.isGrpcTlsEnabled()) {

Review Comment:
   Do we know why we have two config for this thing? If it is historical then I 
would not change the semantics here, but in a separate JIRA so that we might 
have extra opinions on this one.
   
   I remember that it caused problems when just security was enabled and the 
grpc tls flag was turned off, but I am curious why we did not fixed it here. 
@kerneltime @swagle do you have any memories on this?



##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java:
##########
@@ -323,4 +325,19 @@ default void assertValidKeysAndCertificate() throws 
OzoneSecurityException {
    */
   boolean processCrl(CRLInfo crl);
 
+  /**
+   * Return the store factory for with key manager and trust manager for 
server.
+   */
+  default KeyStoresFactory getServerKeyStoresFactory()

Review Comment:
   I don't think we need the default implementation for these two methods, the 
only place where we use it is in the CertificateClientTest class, other 
implementors are either implementing these methods, or inherit it from the 
DefaultCertificateClient, so I believe CertificateClientTest can have its own 
implementation that returns null, what do you think?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to