duongkame commented on code in PR #4194:
URL: https://github.com/apache/ozone/pull/4194#discussion_r1113781091
##########
hadoop-hdds/common/src/main/resources/ozone-default.xml:
##########
@@ -3602,4 +3602,50 @@
history from compaction DAG. Uses millisecond by default when no time
unit is specified.
</description>
</property>
+ <property>
+ <name>hdds.secret.key.file.name</name>
+ <value>secret_keys.json</value>
+ <tag>SCM, SECURITY</tag>
+ <description>
+ Name of file which stores symmetric secret keys for token signatures.
+ </description>
+ </property>
+ <property>
+ <name>hdds.secret.key.expiry.duration</name>
+ <value>7d</value>
+ <tag>SCM, SECURITY</tag>
+ <description>
+ The duration for which symmetric secret keys issued by SCM are valid.
+ This default value, in combination with
hdds.secret.key.rotate.duration=1d, result in that 7 secret keys for the
+ last 7 days will are kept valid at any point of time.
+ </description>
+ </property>
+ <property>
+ <name>hdds.secret.key.rotate.duration</name>
+ <value>1d</value>
+ <tag>SCM, SECURITY</tag>
+ <description>
+ The duration that SCM periodically generate a new symmetric secret keys.
+ </description>
+ </property>
+ <property>
+ <name>hdds.secret.key.rotate.check.duration</name>
+ <value>10m</value>
+ <tag>SCM, SECURITY</tag>
+ <description>
+ The duration that SCM periodically checks if it's time to generate new
symmetric secret keys.
+ This config has an impact on the practical correctness of secret key
expiry and rotation period. For example,
+ if hdds.secret.key.rotate.duration=1d and
hdds.secret.key.rotate.check.duration=10m, the actual key rotation
+ will happen each 1d +/- 10m.
+ </description>
+ </property>
+ <property>
+ <name>hdds.secret.key.algorithm</name>
+ <value>HmacSHA256</value>
+ <tag>SCM, SECURITY</tag>
+ <description>
+ The algorithm that SCM uses to generate symmetric secret keys.
+ The formats accepted are based on the ISO-8601 duration format
PnDTnHnMn.nS
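Review bot: The description of hdds.secret.key.algorithm ends with "The formats accepted are based on the ISO-8601 duration format PnDTnHnMn.nS", which describes a duration and not an algorithm name such as HmacSHA256; it looks copied from a duration property and should be removed here. If it is moved to the three duration properties instead, check it against the values they use (7d, 1d, 10m), since none of those is written in the PnDTnHnMn.nS form. In hdds.secret.key.expiry.duration, "result in that 7 secret keys for the last 7 days will are kept valid" is ungrammatical; something like "results in 7 secret keys, one for each of the last 7 days, being valid at any point in time" reads more clearly. That description could also say how the expiry value is expected to relate to hdds.secret.key.rotate.duration, since the text only covers the default 7d/1d combination.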
Review Comment:
My bad. Updated the description.