Apache Ozone / HDDS-2731

Certificate Revocation Support for Ozone CA

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Target Version/s:

      Description

      Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes takes place over the TLS protocol, that is, through issued security artifacts, i.e. X509 certificates. These certificates reside in SCM storage. The “known and trusted” data nodes are provisioned with corresponding certificates, and for smooth communication in the system these certificates are also stored in the client certificate cache.

      The problem is that once these certificates are invalidated on SCM, whether by an Admin, through expired certs, or through the cert rotation process (future), they are not removed or invalidated in the Data Node’s local cache. This means that tokens issued by Ozone Manager (OM) can still be used to access blocks from Data Nodes, since the client certificate cache still holds the invalidated certificate.
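
The stale-cache behaviour described above, next to a cache that evicts on CRL processing, as an added example (not Ozone code). The `CertCache` class, the in-order delta-CRL rule and all sample values are assumptions made here, and an HMAC stands in for the X.509 signature check so the block runs on the standard library alone.

```python
import hashlib
import hmac

class CertCache:
    """Hypothetical local certificate cache on a node, keyed by serial number."""

    def __init__(self):
        self.certs = {}        # serial -> verification key (stand-in for the X.509 cert)
        self.revoked = set()   # serials listed in any CRL processed so far
        self.last_crl_seq = 0  # highest CRL sequence ID processed so far

    def add(self, serial, key):
        # Refuse to re-cache a certificate that a processed CRL has revoked.
        if serial in self.revoked:
            raise ValueError(f"certificate {serial} is revoked")
        self.certs[serial] = key

    def apply_crl(self, seq, revoked_serials):
        """Apply one CRL delta in order; return the serials evicted from the cache."""
        if seq <= self.last_crl_seq:
            return []          # duplicate or replayed CRL: already processed
        if seq != self.last_crl_seq + 1:
            # Assumption: CRLs are deltas, so skipping one would lose revocations.
            raise LookupError(f"gap: expected CRL {self.last_crl_seq + 1}, got {seq}")
        self.revoked.update(revoked_serials)
        evicted = [s for s in revoked_serials if self.certs.pop(s, None) is not None]
        self.last_crl_seq = seq
        return evicted

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify_token(cache, token):
    """token = (signer_serial, payload, signature); fails closed on unknown signer."""
    serial, payload, sig = token
    key = cache.certs.get(serial)
    if key is None:
        return False
    return hmac.compare_digest(sig, sign(key, payload))

def demo():
    om_key = b"constructed-om-key"            # constructed sample value
    payload = b"block=42;mode=READ"           # constructed sample token body
    cache = CertCache()
    cache.add(1001, om_key)
    token = (1001, payload, sign(om_key, payload))
    before = verify_token(cache, token)       # cached cert: token accepted
    evicted = cache.apply_crl(1, [1001])      # CRL #1 revokes serial 1001
    after = verify_token(cache, token)        # cert evicted: token rejected
    return before, evicted, after, cache.last_crl_seq

if __name__ == "__main__":
    print(demo())
```

Until `apply_crl` runs, the token signed under the revoked certificate still verifies, which is the gap this issue describes.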

        Attachments

        1. Ozone SCM CA Key_Certificate Rotation V2.pdf
          431 kB
          Vivek Ratnavel Subramanian
        2. Ozone SCM CA Key_Certificate Rotation - HDDS-2731.pdf
          377 kB
          Xiaoyu Yao
        3. Certificate Revocation Support for Ozone CA.rtf
          11.58 MB
          Marton Elek
        Sub-Tasks

        1. Add class CRLCodec - used for certificate revocation list. (Sub-task, Resolved, Abhishek Purohit; Original Estimate - Not Specified, Time Spent - 10m)
        2. Add Unit Test cases for CRLCodec. (Sub-task, Resolved, Abhishek Purohit; Original Estimate - Not Specified, Time Spent - 20m)
        3. hdds.x509.CRL.name missing from ozone-default.xml (Sub-task, Resolved, Unassigned)
        4. Add SCM CA CLI to query certificate (Sub-task, Resolved, Xiaoyu Yao)
        5. DN handle expired certificates when validate block token (Sub-task, Resolved, Xiaoyu Yao)
        6. OM handle expired certificate when verify token signature (Sub-task, Resolved, Xiaoyu Yao)
        7. SCM should be able to persist CRL (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        8. Add timestamp to Revoked Certs table in SCM DB (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        9. Revocation Certificate SCM HA (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        10. SCM security protocol support for query CRLs and latest CRL id for OM and Datanode. (Sub-task, Resolved, Xiaoyu Yao)
        11. CRLInfo should include CRL Sequence ID (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        12. Datanodes should be able to persist and load CRL (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        13. Add revokeCertificate to SCMSecurityProtocolServer (Sub-task, Resolved, Xiaoyu Yao)
        14. Datanodes should send last processed CRL sequence ID in heartbeats (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        15. Add SCM GRPC server to publish CRL update (Sub-task, Resolved, Xiaoyu Yao)
        16. Move SCMUpdateProtocol to hdds interface-server package (Sub-task, Resolved, Xiaoyu Yao)
        17. Handle CRLStatusReport got from DN heartbeats and persist them (Sub-task, Resolved, Vivek Ratnavel Subramanian)
        18. Add SCM Cert CLI to revoke certificate (Sub-task, Open, Xiaoyu Yao)
        19. Datanodes should get new CRLs from SCM and process them (Sub-task, Open, Unassigned)
        20. Datanodes should persist last processed CRL sequence id (Sub-task, Open, Vivek Ratnavel Subramanian)
        21. DN handle revoke of its own certificate (Sub-task, Open, Unassigned)
        22. OM handle revoke of its own certificate (Sub-task, Open, Unassigned)
        23. Make Revoked Certs table change in SCM DB to be backward compatible (Sub-task, Open, Vivek Ratnavel Subramanian)
        24. Add Audit to SCM SecurityProtocolServer (Sub-task, Open, Xiaoyu Yao)
        25. SCM background thread to check and handle delayed revocation (Sub-task, Open, Xiaoyu Yao)
        26. Add TLS TrustManager that honors CRL (Sub-task, Open, Xiaoyu Yao)
        27. Add TLS for GRPC based SCMUpdateService (Sub-task, Open, Xiaoyu Yao)
        28. Send command to Datanodes to process new CRL (Sub-task, Open, Vivek Ratnavel Subramanian)

            People

            • Assignee: Xiaoyu Yao (xyao)
            • Reporter: Marton Elek (elek)
            • Votes: 0
            • Watchers: 7

                Time Tracking

                • Estimated: Original Estimate - Not Specified
                • Remaining: Remaining Estimate - 0h
                • Logged: Time Spent - 0.5h