Galsza commented on code in PR #5009: URL: https://github.com/apache/ozone/pull/5009#discussion_r1253044581
########## hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/ServiceInfoProvider.java: ########## @@ -0,0 +1,102 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.apache.hadoop.ozone.om; + +import org.apache.hadoop.hdds.conf.ConfigurationSource; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.hdds.security.SecurityConfig; +import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient; +import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec; +import org.apache.hadoop.ozone.om.helpers.ServiceInfoEx; +import org.apache.hadoop.ozone.om.protocol.OzoneManagerProtocol; +import org.slf4j.Logger; + +import java.io.IOException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.LinkedList; +import java.util.List; +import java.util.concurrent.CompletableFuture; +import java.util.function.BiFunction; +import java.util.function.Function; + +import static org.slf4j.LoggerFactory.getLogger; + +/** + * A helper class to handle the construction of + * {@link org.apache.hadoop.ozone.om.helpers.ServiceInfoEx} objects, + * and refresh of the things that are necessary for constructing it. + */ +public final class ServiceInfoProvider { + + private static final Logger LOG = getLogger(ServiceInfoProvider.class); + + private final OzoneManagerProtocol om; + private final CertificateClient certificateClient; + + private String caCertPem; + private List<String> caCertPemList; + + public ServiceInfoProvider( + OzoneConfiguration config, + OzoneManagerProtocol om, + CertificateClient certificateClient, + BiFunction<CertificateClient, ConfigurationSource, List<String>> caList + ) throws IOException { + this.om = om; + if (new SecurityConfig(config).isSecurityEnabled()) { + this.certificateClient = certificateClient; + caCertPem = certificateClient.getSingleCACertificatePEM(); + caCertPemList = + caList == null ? null : caList.apply(certificateClient, config); + certificateClient.registerRootCARotationListener(onRootCAChange()); + } else { + this.certificateClient = null; + caCertPem = null; + caCertPemList = null; + } + } + + private Function<List<X509Certificate>, CompletableFuture<Void>> + onRootCAChange() { + return certs -> { + try { + caCertPem = certificateClient.getSingleCACertificatePEM(); Review Comment: I think there is a race condition here with the certificateClient saving its own new rootCaCertificate. On root ca rotation the client will schedule a task to send a CSR and only after receiving the signed certificate will it save and update the new RootCA/SubCA. However when the ServiceInfoProvider asks for it it still might not have reached that point and therefore would receive the old certificate data. (And this notification won't repeat because we already think that the handlers successfully rotated the root ca) I have a suggestion which could resolve this issue: instead of registering this to the rootCaRotationListeners we could register it to just the CertificateNotation receivers. They will get notified each cert rotation including the client renewing their known root ca. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
