István Fajth created HDDS-8135:
----------------------------------

             Summary: Incorrect synchronization during certificate renewal in DefaultCertificateClient
                 Key: HDDS-8135
                 URL: https://issues.apache.org/jira/browse/HDDS-8135
             Project: Apache Ozone
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.4.0
            Reporter: István Fajth
            Assignee: István Fajth


HDDS-7874 has revealed that if there are multiple instances of the certificate 
client, which is possible with the current code, the locking model used for 
certificate renewal and the scheduling are duplicated in memory, and the 
instances can race freely to modify the metadata stored on disk in parallel, 
as the locking is ineffective.

 

When there are multiple certificate client instances, there are multiple 
single-threaded scheduled executors and multiple reentrant lock objects 
created. Because all threads are scheduled to run at the same time based on 
the current certificate's lifetime, and each thread runs in a different 
executor instance while locking on a separate lock object, mutually exclusive 
access is guaranteed neither for the persisted data nor for the internal 
in-memory data.
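
The failure mode described above, as an added example that is not Ozone code: `RenewalLockDemo`, `Client` and the 100 ms "renewal" are hypothetical stand-ins, and the shared-lock run only illustrates what mutual exclusion looks like, not the project's fix. Each client owns a single-threaded scheduled executor and, unless one is passed in, its own `ReentrantLock`; the demo reports how many renewals were inside the critical section at once.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantLock;

public class RenewalLockDemo {
  // Stand-in for the persisted certificate metadata: counts writers inside the critical section.
  static final AtomicInteger inside = new AtomicInteger();
  static final AtomicInteger maxInside = new AtomicInteger();

  // Hypothetical client shaped as the issue describes: own executor, own lock unless one is given.
  static class Client {
    final ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
    final ReentrantLock lock;
    Client(ReentrantLock shared) { lock = shared != null ? shared : new ReentrantLock(); }
    ScheduledFuture<?> scheduleRenewal(long delayMs) {
      return executor.schedule(() -> {
        lock.lock();
        try {
          int now = inside.incrementAndGet();
          maxInside.accumulateAndGet(now, Math::max);
          Thread.sleep(100); // constructed stand-in for key generation and file writes
        } catch (InterruptedException e) {
          Thread.currentThread().interrupt();
        } finally {
          inside.decrementAndGet();
          lock.unlock();
        }
      }, delayMs, TimeUnit.MILLISECONDS);
    }
  }

  static int run(int count, ReentrantLock shared) throws Exception {
    inside.set(0); maxInside.set(0);
    List<Client> all = new ArrayList<>();
    List<ScheduledFuture<?>> futures = new ArrayList<>();
    for (int i = 0; i < count; i++) all.add(new Client(shared));
    // Same delay for every client, as when it is derived from the same certificate's lifetime.
    for (Client c : all) futures.add(c.scheduleRenewal(200));
    for (ScheduledFuture<?> f : futures) f.get();
    for (Client c : all) c.executor.shutdown();
    return maxInside.get();
  }

  public static void main(String[] args) throws Exception {
    System.out.println("per-instance locks, max concurrent renewals: " + run(4, null));
    System.out.println("one shared lock,    max concurrent renewals: " + run(4, new ReentrantLock()));
  }
}
```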


