fapifta commented on PR #6781: URL: https://github.com/apache/ozone/pull/6781#issuecomment-2310481516
Sorry for the long silence here @sadanand48, I was pretty much flooded with things before my summer break, and could not get back to you on this one.

I think there was a misunderstanding here, on my end. Now that I am reevaluating this whole thing, I came to the realization that we are talking about a scenario where all three SCMs lost their certificates, and therefore the Ratis server could not come up, which also means that their SCMSecurityProtocolServers have not started either... In this case unfortunately the certificate client cannot really be helpful, as that communicates with the SCMSecurityProtocolServer of the leader SCM... And that is why the automatic recovery options could not do anything about this, as SCM could not get to the point where the recovery is meaningful.

So all in all we would need a command line tool that directly accesses RocksDB on the SCM hosts, similar to what you have posted for the first time. I would suggest the following approach: The tool should get the path to the VERSION file of the SCM, and the path to SCM's RocksDB, then it should emit the certificate based on the serial id found in the VERSION file. It can error out if the VERSION file does not contain the serial ID, as that most likely means that security was never bootstrapped, and there can be no mistakes about which SCM the certificate belongs to. The certificate is stored as a PEM encoded string converted to bytes in the DB, we can dump this byte stream to a PEM file without any further ado.

Sorry for the extra work caused by my misunderstanding of the actual state in which the tool is useful.
