[GitHub] [ozone] neils-dev commented on a diff in pull request #4032: HDDS-7572. Use keyManager and trustManager provided by keyStoreFactory in datanode grpc services

Wed, 07 Dec 2022 18:02:36 -0800 


neils-dev commented on code in PR #4032:
URL: https://github.com/apache/ozone/pull/4032#discussion_r1042823526


##########
hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/container/common/transport/server/XceiverServerGrpc.java:
##########
@@ -140,10 +140,10 @@ public XceiverServerGrpc(DatanodeDetails datanodeDetails,
             new GrpcXceiverService(dispatcher), new GrpcServerInterceptor()));
 
     SecurityConfig secConf = new SecurityConfig(conf);
-    if (secConf.isGrpcTlsEnabled()) {
+    if (secConf.isSecurityEnabled() && secConf.isGrpcTlsEnabled()) {
       try {
         SslContextBuilder sslClientContextBuilder = 
SslContextBuilder.forServer(
-            caClient.getPrivateKey(), caClient.getCertificate());
+            caClient.getServerKeyStoresFactory().getKeyManagers()[0]);

Review Comment:
   Hi @ChenSammi, thanks for this PR and providing the certificate hotswap at 
renewal feature.
   For the `keyManagers` returned by the factory, I see in the implementation 
that it is an array of `KeyManager` fetched from the factory.  Will we always 
be using the first of the array, `getKeyManagers()[0]`?   



##########
hadoop-hdds/client/src/main/java/org/apache/hadoop/hdds/scm/XceiverClientGrpc.java:
##########
@@ -198,7 +198,7 @@ protected NettyChannelBuilder createChannel(DatanodeDetails 
dn, int port)
         NettyChannelBuilder.forAddress(dn.getIpAddress(), port).usePlaintext()
             .maxInboundMessageSize(OzoneConsts.OZONE_SCM_CHUNK_MAX_SIZE)
             .intercept(new GrpcClientInterceptor());
-    if (secConfig.isGrpcTlsEnabled()) {
+    if (secConfig.isSecurityEnabled() && secConfig.isGrpcTlsEnabled()) {

Review Comment:
   For the Om Grpc server and s3g client, we use enable TLS 
(`secConf.isGrpcTlsEnabled()`) only with security enabled, otherwise it logs 
the error a creates a Grpc "plaintext" channel.  Similar checking for TLS 
enabled and security as is here.
   
https://github.com/apache/ozone/blob/5db6fc50ba851d90871173b49d96991fe6f068dc/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java#L101
  



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to