[ 
https://issues.apache.org/jira/browse/HDDS-2731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marton Elek updated HDDS-2731:
------------------------------
    Attachment: Certificate Revocation Support for Ozone CA.rtf

> Certification Revocation Support for Ozone CA
> ---------------------------------------------
>
>                 Key: HDDS-2731
>                 URL: https://issues.apache.org/jira/browse/HDDS-2731
>             Project: Hadoop Distributed Data Store
>          Issue Type: Improvement
>            Reporter: Marton Elek
>            Priority: Major
>         Attachments: Certificate Revocation Support for Ozone CA.rtf
>
>
> Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes 
> takes place over the TLS protocol, using issued security artifacts, 
> i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These 
> certificates reside in SCM storage. The “known and trusted” data nodes are 
> provisioned with corresponding certificates and, for smooth communication in 
> the system, these certificates are also stored in the client certificate cache.   
> The problem is, once these certificates are invalidated on SCM, whether by Admin 
> or Expired Certs or the Cert Rotation Process (future), these certs are not 
> removed or invalidated in the Data Node’s Local Cache. This means that tokens 
> issued by Ozone Manager (OM) can still be used to access blocks from Data 
> Nodes, since the client certificate cache still holds the invalidated 
> certificate. 
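The stale-cache problem described in the ticket, as an added illustration that is not Ozone code: an SCM stand-in issues certificates and keeps a revocation list, OM signs a block token under its certificate, and a DataNode verifies the token against a local certificate cache. Token signatures use an HMAC stand-in so the example runs on the standard library; the class and function names (`SCM`, `StaleCache`, `RevocationAwareCache`, `datanode_accepts`) are assumptions, and the point is the cache lifecycle, not the signature scheme.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_after: float
    key: bytes  # stand-in for the public key carried by an X509 cert


class SCM:
    """Constructed CA stand-in: issues certs and keeps the revoked serials."""
    def __init__(self):
        self._next_serial = 1
        self.revoked = set()

    def issue(self, subject, ttl=3600):
        key = hashlib.sha256(f"{subject}:{self._next_serial}".encode()).digest()
        cert = Cert(self._next_serial, subject, time.time() + ttl, key)
        self._next_serial += 1
        return cert

    def revoke(self, serial):
        self.revoked.add(serial)


def sign_token(cert, block_id):
    # HMAC stand-in for an OM private-key signature over the token identifier.
    return hmac.new(cert.key, block_id.encode(), hashlib.sha256).digest()


class StaleCache:
    """Current behaviour: once cached, a cert is never re-checked against SCM."""
    def __init__(self):
        self._certs = {}

    def add(self, cert):
        self._certs[cert.subject] = cert

    def lookup(self, subject):
        return self._certs.get(subject)


class RevocationAwareCache(StaleCache):
    """Proposed behaviour: consult SCM's revocation list and evict stale entries."""
    def __init__(self, scm):
        super().__init__()
        self._scm = scm

    def lookup(self, subject):
        cert = self._certs.get(subject)
        if cert is None:
            return None
        if cert.serial in self._scm.revoked or cert.not_after < time.time():
            del self._certs[subject]  # drop the invalidated certificate
            return None
        return cert


def datanode_accepts(cache, issuer, block_id, sig):
    cert = cache.lookup(issuer)
    return cert is not None and hmac.compare_digest(sign_token(cert, block_id), sig)


def demo():
    """Returns (accepted before revocation, accepted after) for both caches."""
    scm = SCM()
    om_cert = scm.issue("om")
    stale, aware = StaleCache(), RevocationAwareCache(scm)
    stale.add(om_cert)
    aware.add(om_cert)
    token = sign_token(om_cert, "block-42")
    before = (datanode_accepts(stale, "om", "block-42", token),
              datanode_accepts(aware, "om", "block-42", token))
    scm.revoke(om_cert.serial)  # admin revocation on SCM
    after = (datanode_accepts(stale, "om", "block-42", token),
             datanode_accepts(aware, "om", "block-42", token))
    return before, after
```

`demo()` returns `((True, True), (True, False))`: the stale cache keeps honouring a token under a revoked certificate, while the revocation-aware cache rejects it.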



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
