Marton Elek created HDDS-2731:
---------------------------------
Summary: Certification Revocation Support for Ozone CA
Key: HDDS-2731
URL: https://issues.apache.org/jira/browse/HDDS-2731
Project: Hadoop Distributed Data Store
Issue Type: Improvement
Reporter: Marton Elek
Attachments: Certificate Revocation Support for Ozone CA.rtf
Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes
takes place over the TLS protocol, which is secured through issued security
artifacts, i.e. [X509 certificates|https://en.wikipedia.org/wiki/X.509]. These
certificates reside in SCM storage. The "known and trusted" data nodes are
provisioned with corresponding certificates and, for smooth communication in the
system, these certificates are also stored in the client certificate cache.
The problem is, once these certificates are invalidated on SCM, whether by an
Admin, by expiry, or by a cert rotation process (future), these certs are not
removed or invalidated in the Data Node's local cache. This means that tokens
issued by Ozone Manager (OM) can still be used to access blocks from Data Nodes,
since the client certificate cache still holds the invalidated certificate.
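A simplified model of the Data Node side of the fix this issue asks for, added here as an illustration and not Ozone's own code: the cache re-checks each certificate against the SCM revocation list on lookup, drops revoked entries when the list is refreshed, and fails closed when the list is stale. Serials, subjects and tokens are plain values, no real X.509 parsing; all names are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CachedCert:
    serial: int            # certificate serial issued by SCM (constructed value)
    subject: str           # e.g. "om" or "dn-1"
    not_after: datetime    # certificate expiry


@dataclass
class RevocationList:
    revoked: set           # serials revoked on SCM (admin, expiry, rotation)
    next_update: datetime  # after this the list is stale and must not be trusted


class CertCache:
    """Client certificate cache that never serves a revoked or expired cert."""

    def __init__(self, crl: RevocationList):
        self._certs = {}
        self._crl = crl

    def put(self, cert: CachedCert):
        self._certs[cert.serial] = cert

    def refresh_crl(self, crl: RevocationList):
        """Install a fresh list from SCM and evict entries it revokes."""
        self._crl = crl
        for serial in list(self._certs):
            if serial in crl.revoked:
                del self._certs[serial]

    def lookup(self, serial: int, now: datetime):
        cert = self._certs.get(serial)
        if cert is None or now >= cert.not_after:
            return None                      # unknown or expired
        if now >= self._crl.next_update:
            return None                      # stale CRL: fail closed
        if serial in self._crl.revoked:
            return None                      # revoked since it was cached
        return cert


def token_accepted(cache: CertCache, signer_serial: int, now: datetime) -> bool:
    """A block token is only honoured if its signing cert is still trusted."""
    cert = cache.lookup(signer_serial, now)
    return cert is not None and cert.subject == "om"
```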
--
This message was sent by Atlassian Jira
(v8.3.4#803005)