[
https://issues.apache.org/jira/browse/HDDS-9045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17750665#comment-17750665
]
István Fajth commented on HDDS-9045:
------------------------------------
Currently the -t option knows two types, valid and revoked.
Expired certificates in this sense can be considered valid, as they were not
revoked, hence they are not moved from the validCerts table within SCM. (And
the table from which certificates are listed is the one that the -t option
defines in the underlying system.)
We have HDDS-7380 to remove the expired certificates from the system, and later
on these won't be a problem, as expired certificates will not be present for
a long time.
Moreover, as we progress with revocation support, the rotation logic should be
extended to revoke the old certificate of a service once the service
successfully renewed its own certificate, which means this problem will be
solved at that point in time.
For now I am closing this one as won't fix due to the reasons above, thank you
[~ssulav] for reporting this phenomenon, please feel free to reopen if you
disagree.
> [ozone-cert-rotation] Expired certificates are listed under valid type
> ----------------------------------------------------------------------
>
> Key: HDDS-9045
> URL: https://issues.apache.org/jira/browse/HDDS-9045
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Ozone Manager
> Affects Versions: 1.4.0
> Reporter: Soumitra Sulav
> Priority: Major
>
> cert list command is listing expired certificates even under valid type.
> There should be expired type and these certificates should be filtered
> according to the flag.
> {code:java}
> root@st-ozone-0mrob1-k26w9:/hwqe/hadoopqe# date
> Wed Jul 19 19:07:44 UTC 2023
> root@st-ozone-0mrob1-k26w9:/hwqe/hadoopqe#
> /opt/cloudera/parcels/CDH/bin/ozone admin cert list -c 100 -t valid | grep
> recon
> 189305214433005 Wed Jul 19 18:04:19 UTC 2023 Wed Jul 19 19:04:19 UTC 2023
>
> [email protected],OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
>
> CN=scm-sub-189287080855...@quasar-ewnsjs-5.quasar-ewnsjs.root.hwx.site,OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
> 189904692112133 Wed Jul 19 18:14:19 UTC 2023 Wed Jul 19 19:14:19 UTC 2023
>
> [email protected],OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
>
> CN=scm-sub-189287080855...@quasar-ewnsjs-5.quasar-ewnsjs.root.hwx.site,OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
> 190904762028374 Wed Jul 19 18:30:59 UTC 2023 Wed Jul 19 19:30:59 UTC 2023
>
> [email protected],OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
>
> CN=scm-sub-189287080855...@quasar-ewnsjs-5.quasar-ewnsjs.root.hwx.site,OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
> 191506767013551 Wed Jul 19 18:41:01 UTC 2023 Wed Jul 19 19:41:01 UTC 2023
>
> [email protected],OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
>
> CN=scm-sub-189287080855...@quasar-ewnsjs-5.quasar-ewnsjs.root.hwx.site,OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
> 192504529554908 Wed Jul 19 18:57:39 UTC 2023 Wed Jul 19 19:57:39 UTC 2023
>
> [email protected],OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
>
> CN=scm-sub-189287080855...@quasar-ewnsjs-5.quasar-ewnsjs.root.hwx.site,OU=b1dac7e0-a3bc-43c9-a5d1-adde4e7213f7,O=CID-610640d2-0f8b-41fe-8fd2-1c90607ebdde
> {code}
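An added example (not part of the Jira thread or of the Ozone code base): since `-t valid` means "not revoked", an operator who needs expiry status can post-filter the `cert list` output on its expiry column. The column order (serial, valid from, expiry, subject, issuer) is an assumption inferred from the listing in the issue; the sample rows reuse the serials and dates shown there, with placeholder subject and issuer values.

```python
import re
from datetime import datetime, timezone

# Assumption: each entry is "<serial> <valid from> <expiry> <subject> <issuer>",
# with dates printed like "Wed Jul 19 19:04:19 UTC 2023" (as in the issue).
DATE = r"[A-Z][a-z]{2}\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+UTC\s+\d{4}"
ENTRY = re.compile(rf"\b(?P<serial>\d+)\s+(?P<start>{DATE})\s+(?P<end>{DATE})")


def parse_ts(text):
    """Parse one date column; whitespace is normalised so wrapped lines still parse."""
    clean = " ".join(text.split())
    return datetime.strptime(clean, "%a %b %d %H:%M:%S UTC %Y").replace(tzinfo=timezone.utc)


def split_by_expiry(listing, now=None):
    """Return (unexpired, expired) serial lists for a 'cert list' output."""
    now = now or datetime.now(timezone.utc)
    unexpired, expired = [], []
    for m in ENTRY.finditer(listing):
        # A certificate is expired once the current time is past its end date.
        bucket = expired if now > parse_ts(m["end"]) else unexpired
        bucket.append(m["serial"])
    return unexpired, expired


# Sample rows: serials and dates from the issue; subject/issuer are placeholders.
SAMPLE = """\
189305214433005 Wed Jul 19 18:04:19 UTC 2023 Wed Jul 19 19:04:19 UTC 2023 CN=<subject> CN=<issuer>
189904692112133 Wed Jul 19 18:14:19 UTC 2023 Wed Jul 19 19:14:19 UTC 2023 CN=<subject> CN=<issuer>
190904762028374 Wed Jul 19 18:30:59 UTC 2023 Wed Jul 19 19:30:59 UTC 2023 CN=<subject> CN=<issuer>
191506767013551 Wed Jul 19 18:41:01 UTC 2023 Wed Jul 19 19:41:01 UTC 2023 CN=<subject> CN=<issuer>
192504529554908 Wed Jul 19 18:57:39 UTC 2023 Wed Jul 19 19:57:39 UTC 2023 CN=<subject> CN=<issuer>
"""

# Reference time: the `date` output shown in the issue.
REPORT_TIME = parse_ts("Wed Jul 19 19:07:44 UTC 2023")

if __name__ == "__main__":
    ok, stale = split_by_expiry(SAMPLE, REPORT_TIME)
    print("unexpired:", ok)
    print("expired but still listed as valid:", stale)
```

In practice the listing would be piped in from `ozone admin cert list -t valid` and `now` left at its default of the current UTC time.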