ChenSammi commented on code in PR #5150:
URL: https://github.com/apache/ozone/pull/5150#discussion_r1288286327


##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java:
##########
@@ -228,4 +235,69 @@ public String 
signAndStoreCertificate(PKCS10CertificationRequest request,
       throw new RuntimeException(e);
     }
   }
+
+  public void refreshCACertificates() throws IOException {
+    if (executorService == null) {
+      executorService = Executors.newSingleThreadExecutor(
+          new ThreadFactoryBuilder().setNameFormat(
+                  getComponentName() + "-refreshCACertificates")
+              .setDaemon(true).build());
+    }
+    executorService.execute(new RefreshCACertificates(getScmSecureClient()));
+  }
+
+  /**
+   * Task to refresh root CA certificates for SCM.
+   */
+  public class RefreshCACertificates implements Runnable {
+    private final SCMSecurityProtocolClientSideTranslatorPB scmSecureClient;
+
+    public RefreshCACertificates(
+        SCMSecurityProtocolClientSideTranslatorPB client) {
+      this.scmSecureClient = client;
+    }
+
+    @Override
+    public void run() {
+      try {
+        // In case root CA certificate is rotated during this SCM is offline
+        // period, fetch the new root CA list from leader SCM and refresh ratis
+        // server's tlsConfig.
+        List<String> rootCAPems = scmSecureClient.getAllRootCaCertificates();
+
+        // SCM certificate client currently sets root CA as CA cert
+        Set<X509Certificate> certList = getAllRootCaCerts();
+        certList = certList.isEmpty() ? getAllCaCerts() : certList;
+
+        List<X509Certificate> rootCAsFromLeaderSCM =
+            OzoneSecurityUtil.convertToX509(rootCAPems);
+        rootCAsFromLeaderSCM.removeAll(certList);
+
+        if (rootCAsFromLeaderSCM.isEmpty()) {
+          LOG.info("CA certificates are not changed.");
+          return;
+        }
+
+        for (X509Certificate cert : rootCAsFromLeaderSCM) {
+          LOG.info("Fetched new root CA certificate {} from leader SCM",
+              cert.getSerialNumber().toString());
+          storeCertificate(
+              CertificateCodec.getPEMEncodedString(cert), CAType.SUBORDINATE);
+        }
+        String scmCertId = getCertificate().getSerialNumber().toString();
+        notifyNotificationReceivers(scmCertId, scmCertId);
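Review bot: the lazy initialisation of `executorService` in `refreshCACertificates()` (the `if (executorService == null)` block) is not thread-safe; two concurrent callers can each observe `null` and create their own single-thread executor, leaking the first one. Either make the method `synchronized` or create the executor eagerly in the constructor. Separately, the certificates returned by `getAllRootCaCertificates()` are persisted via `storeCertificate(CertificateCodec.getPEMEncodedString(cert), CAType.SUBORDINATE)` with no validation visible in this hunk (expiry, self-signature, or issuer match against the currently trusted set) and under a CA type that does not match the "root CA" naming used in the comments and log messages; a short comment stating why the leader's response is trusted as-is and why `SUBORDINATE` is the intended slot would help future readers.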

Review Comment:
   It's elaborate. Because the interface API `CertificateNotification#notifyCertificateRenewed` requires two certificate IDs as the input parameters.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
