neils-dev opened a new pull request, #4622: URL: https://github.com/apache/ozone/pull/4622
## What changes were proposed in this pull request? To fix problem starting (restarting) datanodes after recovering from an SCM disk failure. Problem is when scm disk is replaced, a new certificate is issued for SCM making to total count of scm certs greater than number of scm nodes configured. Patch resolves situation when number of certificates for subject CN (scm host) is greater than 1 by only counting unique scm subject CN certs when validating for Datanodes. ## What is the link to the Apache JIRA https://issues.apache.org/jira/browse/HDDS-7985 ## How was this patch tested? Manual testing. For SCM disk / node failure recovery. scm: i.) decommission SCM ii.) replace scm disk wiping metadata directories ii.) restart scm with bootstrapping Start new datanode. On datanode restart the datanode requests certificates from the SCM. The SCM validates the scm certs comparing the number of scm nodes configured in the ozone-site to the number of certs stored in the certstore. After scm recovery there will be a new certificate issued for recovered scm. The certstore will container the old scm cert and this new cert which causes scm certificate validation errors. This patch resolves having, ``` 99756580628920 Wed Apr 26 23:44:45 UTC 2023 Sat Jun 03 23:44:45 UTC 2028 [email protected],OU=4d9927f6-6f83-4d42-98bc-5dc4c9e16b3d,O=CID-8dd541d6-707e-40cd-8e6a-81e8274a37d1 [email protected],OU=e4aef89b-20f1-4268-a374-a6fa196e0515,O=CID-8dd541d6-707e-40cd-8e6a-81e8274a37d1 101965082032306 Thu Apr 27 00:21:33 UTC 2023 Sun Jun 04 00:21:33 UTC 2028 [email protected],OU=848ae84a-3fa4-4722-9b90-e33b300224d0,O=CID-8dd541d6-707e-40cd-8e6a-81e8274a37d1 [email protected],OU=e4aef89b-20f1-4268-a374-a6fa196e0515,O=CID-8dd541d6-707e-40cd-8e6a-81e8274a37d1 ``` more than one certificate issued for a given scm host, the certificate subject CN. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
