Apache Ozone / HDDS-7401 Cover the PKI system with docker based integration tests / HDDS-10189

Test the change from old to new trust chain encoding approach


Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved

    Description

      In a 1.3 cluster, newly added DataNodes can have a different certificate signer than the original DataNodes if SCM leadership has moved away from the SCM that originally signed the certificates of the cluster's initial services.

      This makes it a worthwhile scenario to test: in such an environment, switching the truststores to contain only the root CA instead of all CA certificates must keep working, with no issues on the cluster afterwards.

      It is a bit complex, but we have seen issues in such clusters where DataNodes could not create Pipelines due to the lack of trust, and failed Pipeline creation with an exception ultimately caused by this:

      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      This issue can be fixed by clearing out the DN certificates, which forces the DNs to download their new certificate bundle from the SCM on restart, or by clearing out both the certificates and the keys from the DN, which forces them to get a new certificate signed for a new private-public key pair.
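The trust failure described above can be reproduced outside a cluster with a small path-building check. The following is an added example, not Ozone code: it assumes the `cryptography` Python package, a constructed PKI with one self-signed root CA and one sub-CA per SCM (names such as `SCM-A-subCA` and `datanode-1` are made up), and a simplified path builder that only checks issuer names and signatures (no validity, revocation or name-constraint checks). It contrasts the old truststore that holds every CA certificate with the root-only truststore, and shows why a DN that still presents only its old leaf certificate fails while a DN that presents its re-downloaded bundle (leaf plus sub-CA) verifies.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_DEPTH = 8  # hop limit so a malformed bundle cannot loop the builder forever


def _make_key():
    return ec.generate_private_key(ec.SECP256R1())


def _issue(subject_cn, subject_key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for subject_cn; issuer_cert=None means self-signed."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _signed_by(cert, issuer):
    """True if cert names issuer as its issuer and issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def find_path(leaf, presented, truststore):
    """Build a path from leaf up to a trust anchor.

    presented: extra certificates sent along with the leaf (the DN's bundle).
    truststore: certificates the verifier trusts directly.
    Returns [leaf, ..., anchor], or None when no path exists, which is the
    condition behind "unable to find valid certification path".
    """
    chain = [leaf]
    current = leaf
    for _ in range(MAX_DEPTH):
        anchor = next((t for t in truststore if _signed_by(current, t)), None)
        if anchor is not None:
            return chain + [anchor]
        nxt = next((c for c in presented if c not in chain and _signed_by(current, c)), None)
        if nxt is None:
            return None
        chain.append(nxt)
        current = nxt
    return None


def demo():
    """Constructed PKI (assumed layout): one root CA, a sub-CA per SCM, one DN cert per SCM."""
    root_key = _make_key()
    root = _issue("SCM-root-CA", root_key, None, root_key, True)
    a_key = _make_key()
    scm_a = _issue("SCM-A-subCA", a_key, root, root_key, True)  # signed the original DNs
    b_key = _make_key()
    scm_b = _issue("SCM-B-subCA", b_key, root, root_key, True)  # leader when new DNs joined
    dn1 = _issue("datanode-1", _make_key(), scm_a, a_key, False)
    dn2 = _issue("datanode-2", _make_key(), scm_b, b_key, False)

    all_cas = [root, scm_a, scm_b]  # old approach: every CA certificate in the truststore
    root_only = [root]              # new approach: only the root CA is trusted directly
    return {
        "all_cas/dn1_leaf_only": find_path(dn1, [], all_cas) is not None,
        "all_cas/dn2_leaf_only": find_path(dn2, [], all_cas) is not None,
        # A DN still holding only its old leaf certificate: no path to the root CA.
        "root_only/dn1_leaf_only": find_path(dn1, [], root_only) is not None,
        # After re-downloading its bundle the DN presents its sub-CA as well.
        "root_only/dn1_with_bundle": find_path(dn1, [scm_a], root_only) is not None,
        "root_only/dn2_with_bundle": find_path(dn2, [scm_b], root_only) is not None,
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'path found' if ok else 'NO PATH (trust failure)'}")
```

The only scenario that fails is the root-only truststore combined with a DN that presents just its leaf, which is the state a DN from the old encoding is left in until its certificate directory is cleared and the bundle is fetched again; a test for this ticket can assert exactly that combination from both the old and the new signer.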

      People

        sgal Szabolcs Gál
        pifta István Fajth