ChenSammi commented on code in PR #4943:
URL: https://github.com/apache/ozone/pull/4943#discussion_r1251522001
##########
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java:
##########
@@ -85,15 +89,65 @@ public ReloadingX509KeyManager(String type,
CertificateClient caClient)
@Override
public String chooseEngineClientAlias(String[] strings,
Principal[] principals, SSLEngine sslEngine) {
- return keyManagerRef.get()
+ String ret = keyManagerRef.get()
.chooseEngineClientAlias(strings, principals, sslEngine);
+
+ if (ret == null) {
+ /*
+ Workaround to address that netty tc-native cannot handle the dynamic
+ key and certificate refresh well. What happens is during the setup of
+ the grpc channel, an SSLContext is created, which is
+ ReferenceCountedOpenSslServerContext in the native tc-native case.
+ This class uses the TrustManager's getAcceptedIssuers() as the trusted
+ CA certificate list. The list is not updated after channel is built.
+ With the list being used to present the Principals during the mTLS
+ authentication via the Netty channel under Ratis implementation,
+ the counterpart(client) KeyManager's
+ chooseEngineClientAlias(String, Principal[], SSLEngine) method is
+ called with this old root certificate subject principal, which is now
+ not available in the new Key Manager after refreshed, so the method
+ will return null, which cause the mutual TLS connection establish
+ failure.
+
+ Example error message:
+ Engine client aliases for RSA, DH_RSA, EC, EC_RSA, EC_EC,
+ O=CID-f9f2b2cf-a784-49d7-8577-5d3b13bf0b46,
+ OU=9f52487c-f8f9-45ee-bb56-aca60b56327f,
+ [email protected],
+ org.apache.ratis.thirdparty.io.netty.handler.ssl.OpenSslEngine@5eec0d10
+ is null
+
+ Example success message:
+ Engine client aliases for RSA, DH_RSA, EC, EC_RSA, EC_EC,
+ O=CID-f9f2b2cf-a784-49d7-8577-5d3b13bf0b46,
+ OU=9f52487c-f8f9-45ee-bb56-aca60b56327f,
+ [email protected],
+ org.apache.ratis.thirdparty.io.netty.handler.ssl.OpenSslEngine@5eec0d10
+ is scm/sub-ca_key
+ */
+ ret = alias;
+ LOG.info("Engine client aliases for {}, {}, {} is returned as {}",
+ strings == null ? "" : Arrays.stream(strings).map(Object::toString)
+ .collect(Collectors.joining(", ")),
+ principals == null ? "" : Arrays.stream(principals)
+ .map(Object::toString).collect(Collectors.joining(", ")),
+ sslEngine == null ? "" : sslEngine.toString(), ret);
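Review bot: the fallback `ret = alias;` returns the configured alias unconditionally whenever the delegate returns null, so the key-type and issuer filtering expressed by the `strings` and `principals` arguments is bypassed in every null case, not only the stale-issuer case the comment describes; a genuinely missing or mismatched key would then be masked until the handshake fails later. Consider guarding the fallback by confirming the alias still resolves in the refreshed manager (for example that the delegate's `getPrivateKey(alias)` and `getCertificateChain(alias)` are non-null) and that the key algorithm is among `strings`, and leaving `ret` null otherwise. Separately, `LOG.info(...)` on this path will log the full engine and principal strings on every handshake once the accepted-issuer list is stale; `debug` level seems more appropriate for a per-connection message, with a one-time `warn` that the workaround is active.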
Review Comment:
Just a personal habit.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]