fapifta commented on code in PR #5150:
URL: https://github.com/apache/ozone/pull/5150#discussion_r1288392048
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.java:
##########
@@ -228,4 +235,69 @@ public String
signAndStoreCertificate(PKCS10CertificationRequest request,
throw new RuntimeException(e);
}
}
+
+ public void refreshCACertificates() throws IOException {
+ if (executorService == null) {
+ executorService = Executors.newSingleThreadExecutor(
+ new ThreadFactoryBuilder().setNameFormat(
+ getComponentName() + "-refreshCACertificates")
+ .setDaemon(true).build());
+ }
+ executorService.execute(new RefreshCACertificates(getScmSecureClient()));
+ }
+
+ /**
+ * Task to refresh root CA certificates for SCM.
+ */
+ public class RefreshCACertificates implements Runnable {
+ private final SCMSecurityProtocolClientSideTranslatorPB scmSecureClient;
+
+ public RefreshCACertificates(
+ SCMSecurityProtocolClientSideTranslatorPB client) {
+ this.scmSecureClient = client;
+ }
+
+ @Override
+ public void run() {
+ try {
+ // In case root CA certificate is rotated during this SCM is offline
+ // period, fetch the new root CA list from leader SCM and refresh ratis
+ // server's tlsConfig.
+ List<String> rootCAPems = scmSecureClient.getAllRootCaCertificates();
+
+ // SCM certificate client currently sets root CA as CA cert
+ Set<X509Certificate> certList = getAllRootCaCerts();
+ certList = certList.isEmpty() ? getAllCaCerts() : certList;
+
+ List<X509Certificate> rootCAsFromLeaderSCM =
+ OzoneSecurityUtil.convertToX509(rootCAPems);
+ rootCAsFromLeaderSCM.removeAll(certList);
+
+ if (rootCAsFromLeaderSCM.isEmpty()) {
+ LOG.info("CA certificates are not changed.");
+ return;
+ }
+
+ for (X509Certificate cert : rootCAsFromLeaderSCM) {
+ LOG.info("Fetched new root CA certificate {} from leader SCM",
+ cert.getSerialNumber().toString());
+ storeCertificate(
+ CertificateCodec.getPEMEncodedString(cert), CAType.SUBORDINATE);
+ }
+ String scmCertId = getCertificate().getSerialNumber().toString();
+ notifyNotificationReceivers(scmCertId, scmCertId);
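Review bot: the lazy initialisation in refreshCACertificates() (`if (executorService == null)` followed by `executorService = Executors.newSingleThreadExecutor(...)`) is an unsynchronised check-then-act, so two concurrent callers can each create an executor and the first one leaks; create the executor eagerly in the constructor or make the method synchronized, and drop `throws IOException` from the signature unless getScmSecureClient() actually declares it, since nothing else in the body can throw it. The task's Javadoc and the log line at `LOG.info("Fetched new root CA certificate {} from leader SCM", ...)` describe root CA certificates, yet `storeCertificate(CertificateCodec.getPEMEncodedString(cert), CAType.SUBORDINATE)` files them as subordinate; a one-line comment explaining why root CAs go under SUBORDINATE here would keep the persisted trust store readable. Note also that every certificate returned by getAllRootCaCertificates() is written to the store without any validation visible in this hunk, so trust in the new roots rests entirely on the secure RPC channel to the leader SCM; if that is the intended trust model, state it in the comment above the call.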
Review Comment:
As this is pretty much internal within SCM, I am fine with this approach. If
it would be a more open and potentially more frequently used API I would argue
that in this case we should set the old certificate id to null for the
notification, but it is absolutely sufficient for now, and looking at it a bit
deeper, within SCM we don't even use these values; they are important in the
logic of the delegation token generation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.