[
https://issues.apache.org/jira/browse/HDDS-7723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sammi Chen updated HDDS-7723:
-----------------------------
Description:
There are three child classes of OzoneSecretManager. The current behavior is,
# OzoneDelegationTokenSecretManager uses OM's private key to calculate the
delegation token signature, and OM's certificate to verify the delegation token
on token renew requests on OM.
# OzoneBlockTokenSecretManager uses OM's private key to calculate the block
token signature, and OM's certificate to verify the block token on DN.
# ContainerTokenSecretManager uses SCM's private key to calculate the
container token signature, and SCM's certificate to verify the container token
on DN.
OzoneBlockTokenSecretManager and ContainerTokenSecretManager are also leveraged
in the EC Reconstruction coordinator on DN. This time, DN's private key and
certificates are used to do the signature calculation and verification.
This task aims to let the OzoneSecretManager use the new key and certificate
to generate the token once the certificate is renewed, in the meantime making
sure tokens generated using the old key and certificate still work until they
expire.
was:
There are three child classes of OzoneSecretManager. The current behavior is,
# OzoneDelegationTokenSecretManager uses OM's private key to calculate the
delegation token signature, and OM's certificate to verify the delegation token
on token renew requests on OM.
# OzoneBlockTokenSecretManager uses OM's private key to calculate the block
token signature, and OM's certificate to verify the block token on DN.
# ContainerTokenSecretManager uses SCM's private key to calculate the
container token signature, and SCM's certificate to verify the container token
on DN.
OzoneBlockTokenSecretManager and ContainerTokenSecretManager are also leveraged
in the EC Reconstruction coordinator on DN. This time, DN's private key and
certificates are used to do the signature calculation and verification.
> Refresh Keys and Certificate used in OzoneSecretManager after certificate
> renewed
> ---------------------------------------------------------------------------------
>
> Key: HDDS-7723
> URL: https://issues.apache.org/jira/browse/HDDS-7723
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Sammi Chen
> Assignee: Sammi Chen
> Priority: Major
>
> There are three child classes of OzoneSecretManager. The current behavior is,
> # OzoneDelegationTokenSecretManager uses OM's private key to calculate the
> delegation token signature, and OM's certificate to verify the delegation
> token on token renew requests on OM.
> # OzoneBlockTokenSecretManager uses OM's private key to calculate the block
> token signature, and OM's certificate to verify the block token on DN.
> # ContainerTokenSecretManager uses SCM's private key to calculate the
> container token signature, and SCM's certificate to verify the container
> token on DN.
> OzoneBlockTokenSecretManager and ContainerTokenSecretManager are also
> leveraged in the EC Reconstruction coordinator on DN. This time, DN's private
> key and certificates are used to do the signature calculation and
> verification.
>
> This task aims to let the OzoneSecretManager use the new key and
> certificate to generate the token once the certificate is renewed, in the
> meantime making sure tokens generated using the old key and certificate
> still work until they expire.
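
The behaviour this task describes, as an added sketch that is not taken from the Ozone code base: new tokens are signed with the renewed key, while the previous public key keeps verifying already-issued tokens for one token lifetime. The class `RotatingTokenSigner`, its methods, the `keyId` field (standing in for a certificate serial), the Ed25519 algorithm, Java 16+ records and all sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
// Hypothetical sketch (not Ozone code); keyId stands in for a certificate serial.
public class RotatingTokenSigner {
  record Token(String keyId, long expiry, String payload, byte[] sig) {}
  record Verifier(PublicKey key, long retainUntil) {}
  static final long LIFETIME_MS = 1000; // constructed token lifetime
  private final Map<String, Verifier> verifiers = new HashMap<>();
  private String currentId;
  private PrivateKey currentKey;

  // On renewal: sign with the new key, keep the old public key for one token lifetime.
  synchronized void rotate(String keyId, KeyPair kp, long now) {
    verifiers.values().removeIf(v -> v.retainUntil() < now); // no live token needs these
    if (currentId != null)
      verifiers.put(currentId, new Verifier(verifiers.get(currentId).key(), now + LIFETIME_MS));
    verifiers.put(keyId, new Verifier(kp.getPublic(), Long.MAX_VALUE));
    currentId = keyId;
    currentKey = kp.getPrivate();
  }

  synchronized Token issue(String payload, long now) throws GeneralSecurityException {
    long expiry = now + LIFETIME_MS;
    Signature s = Signature.getInstance("Ed25519");
    s.initSign(currentKey);
    s.update(bytes(currentId, expiry, payload));
    return new Token(currentId, expiry, payload, s.sign());
  }

  synchronized boolean verify(Token t, long now) throws GeneralSecurityException {
    Verifier v = verifiers.get(t.keyId());
    // Reject unknown keys, expired tokens, and tokens dated after their key was retired.
    if (v == null || now > t.expiry() || t.expiry() > v.retainUntil()) return false;
    Signature s = Signature.getInstance("Ed25519");
    s.initVerify(v.key());
    s.update(bytes(t.keyId(), t.expiry(), t.payload()));
    return s.verify(t.sig());
  }

  static byte[] bytes(String id, long expiry, String payload) {
    return (id + "|" + expiry + "|" + payload).getBytes(StandardCharsets.UTF_8);
  }
  public static void main(String[] args) throws Exception {
    RotatingTokenSigner m = new RotatingTokenSigner();
    m.rotate("cert-1", KeyPairGenerator.getInstance("Ed25519").generateKeyPair(), 0);
    Token old = m.issue("block-42", 500); // constructed token, expires at 1500
    m.rotate("cert-2", KeyPairGenerator.getInstance("Ed25519").generateKeyPair(), 600); // renewal
    System.out.println(m.issue("block-42", 700).keyId() + " " + m.verify(old, 1400) + " " + m.verify(old, 1600));
  }
}
```

The `retainUntil` bound also means a retired private key cannot be used to mint tokens that outlive the overlap window, since any expiry later than the rotation time plus one lifetime is rejected.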