[ https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marton Elek updated HDDS-2731:
------------------------------
    Attachment: Certificate Revocation Support for Ozone CA.rtf

> Certification Revocation Support for Ozone CA
> ---------------------------------------------
>
>                 Key: HDDS-2731
>                 URL: https://issues.apache.org/jira/browse/HDDS-2731
>             Project: Hadoop Distributed Data Store
>          Issue Type: Improvement
>            Reporter: Marton Elek
>            Priority: Major
>         Attachments: Certificate Revocation Support for Ozone CA.rtf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes
> takes place over the TLS protocol, using issued security artifacts,
> i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These
> certificates reside in SCM storage. The "known and trusted" data nodes are
> provisioned with corresponding certificates and, for smooth communication in
> the system, these certificates are also stored in the client certificate cache.
> The problem is that once these certificates are invalidated on SCM, whether by
> an Admin, by expiry, or by the Cert Rotation Process (future), these certs are
> not removed or invalidated in the Data Node's local cache. This means that
> tokens issued by Ozone Manager (OM) can still be used to access blocks from
> Data Nodes, since the client certificate cache still holds the invalidated
> certificate.

-- 
This message was sent by Atlassian Jira
(v8.3.4#803005)
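To make the failure mode concrete, here is an added illustration (not code from Ozone or from the issue's attachment) that models the two cache behaviours side by side: a naive client certificate cache that trusts an entry for as long as it is present, and a revocation-aware cache that re-checks expiry and the CA's revocation list on every lookup and fails closed when that list is stale. The certificate, token and revocation-list structures are simplified stand-ins with constructed serials and dates; real Ozone certificates are X.509 and block tokens are signed, so the signature check is reduced here to a trust decision on the signer's serial to keep the caching behaviour in view.

```python
"""Hypothetical model of a Data Node's certificate cache with and without
revocation awareness. All structures, serials and timestamps are constructed
for illustration and are not Ozone's own types."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class CachedCert:
    serial: int
    subject: str
    not_after: datetime


@dataclass(frozen=True)
class RevocationList:
    """Stand-in for the revocation state published by the CA (SCM)."""
    revoked: Set[int]
    this_update: datetime
    next_update: datetime  # after this point the list is considered stale


class NaiveCertCache:
    """Trusts a cached certificate for as long as it is present: nothing
    ever evicts an invalidated entry (the behaviour the issue describes)."""

    def __init__(self) -> None:
        self._certs: Dict[int, CachedCert] = {}

    def put(self, cert: CachedCert) -> None:
        self._certs[cert.serial] = cert

    def is_trusted(self, serial: int, now: datetime) -> bool:
        return serial in self._certs


class RevocationAwareCertCache:
    """Re-validates on every lookup: expiry, revocation and list freshness."""

    def __init__(self) -> None:
        self._certs: Dict[int, CachedCert] = {}
        self._crl: Optional[RevocationList] = None

    def put(self, cert: CachedCert) -> None:
        self._certs[cert.serial] = cert

    def update_revocations(self, crl: RevocationList) -> None:
        self._crl = crl
        for serial in crl.revoked:      # evict eagerly on refresh
            self._certs.pop(serial, None)

    def is_trusted(self, serial: int, now: datetime) -> bool:
        cert = self._certs.get(serial)
        if cert is None:
            return False
        if now >= cert.not_after:        # expired: drop and deny
            self._certs.pop(serial, None)
            return False
        # Fail closed when revocation information is missing or stale.
        if self._crl is None or now >= self._crl.next_update:
            return False
        if serial in self._crl.revoked:  # revoked since it was cached
            self._certs.pop(serial, None)
            return False
        return True


@dataclass(frozen=True)
class BlockToken:
    signer_serial: int  # serial of the OM certificate that "signed" it
    block_id: str


def datanode_accepts(token: BlockToken, cache, now: datetime) -> bool:
    """The Data Node honours a token only if the signer's cert is trusted."""
    return cache.is_trusted(token.signer_serial, now)


def scenario() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    om_cert = CachedCert(1001, "CN=om", t0 + timedelta(days=365))
    token = BlockToken(signer_serial=1001, block_id="block-42")
    naive, aware = NaiveCertCache(), RevocationAwareCertCache()
    naive.put(om_cert)
    aware.put(om_cert)
    clean = RevocationList(set(), t0, t0 + timedelta(hours=1))
    aware.update_revocations(clean)
    before = (datanode_accepts(token, naive, t0), datanode_accepts(token, aware, t0))

    # An admin revokes the OM certificate at the CA ten minutes later.
    t1 = t0 + timedelta(minutes=10)
    aware.update_revocations(RevocationList({1001}, t1, t1 + timedelta(hours=1)))
    after = (datanode_accepts(token, naive, t1), datanode_accepts(token, aware, t1))

    # A cache whose revocation list was never refreshed past next_update.
    stale_cache = RevocationAwareCertCache()
    stale_cache.put(om_cert)
    stale_cache.update_revocations(clean)
    stale = datanode_accepts(token, stale_cache, t1 + timedelta(hours=2))
    return {"before": before, "after_revocation": after, "stale_crl": stale}


if __name__ == "__main__":
    print(scenario())
```

The naive cache keeps accepting the token after revocation, which is the gap the issue reports; the revocation-aware cache denies it as soon as the refreshed list arrives, and also denies when it has no fresh list at all, so a Data Node cut off from SCM does not silently keep extending trust.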