Apache Ozone / HDDS-2731

Certificate Revocation Support for Ozone CA

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Abandoned

    Description

      Currently, in Ozone, communication between Ozone Manager, SCM and Data Nodes takes place over the TLS protocol, that is, through issued security artifacts, i.e. X509 certificates. These certificates reside in SCM storage. The “known and trusted” data nodes are provisioned with corresponding certificates, and for smooth communication in the system, these certificates are also stored in the client certificate cache.

      The problem is that once these certificates are invalidated on SCM, whether by Admin, Expired Certs or the Cert Rotation Process (future), these certs are not removed or invalidated in the Data Node’s local cache. This means that tokens issued by Ozone Manager (OM) can still be used to access blocks from Data Nodes, since the client certificate cache still holds the invalidated certificate.

      Attachments

        1. Certificate Revocation Support for Ozone CA.rtf
          11.58 MB
          Marton Elek
        2. Ozone SCM CA Key_Certificate Rotation - HDDS-2731.pdf
          377 kB
          Xiaoyu Yao
        3. Ozone SCM CA Key_Certificate Rotation V2.pdf
          431 kB
          Vivek Ratnavel Subramanian

        Issue Links

          1. Add class CRLCodec - used for certificate revocation list. (Sub-task, Resolved, Abhishek Purohit; Time Spent - 10m)
          2. Add Unit Test cases for CRLCodec. (Sub-task, Resolved, Abhishek Purohit; Time Spent - 20m)
          3. hdds.x509.CRL.name missing from ozone-default.xml (Sub-task, Resolved, Unassigned)
          4. Add SCM CA CLI to query certificate (Sub-task, Resolved, Xiaoyu Yao)
          5. DN handle expired certificates when validate block token (Sub-task, Resolved, Xiaoyu Yao)
          6. OM handle expired certificate when verify token signature (Sub-task, Resolved, Xiaoyu Yao)
          7. SCM should be able to persist CRL (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          8. Add timestamp to Revoked Certs table in SCM DB (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          9. Revocation Certificate SCM HA (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          10. SCM security protocol support for query CRLs and latest CRL id for OM and Datanode. (Sub-task, Resolved, Xiaoyu Yao)
          11. CRLInfo should include CRL Sequence ID (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          12. Datanodes should be able to persist and load CRL (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          13. Add revokeCertificate to SCMSecurityProtocolServer (Sub-task, Resolved, Xiaoyu Yao)
          14. Datanodes should send last processed CRL sequence ID in heartbeats (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          15. Add SCM GRPC server to publish CRL update (Sub-task, Resolved, Xiaoyu Yao)
          16. Move SCMUpdateProtocol to hdds interface-server package (Sub-task, Resolved, Xiaoyu Yao)
          17. Handle CRLStatusReport got from DN heartbeats and persist them (Sub-task, Resolved, Vivek Ratnavel Subramanian)
          18. Add SCM Cert CLI to revoke certificate (Sub-task, Resolved, Xiaoyu Yao)
          19. Datanodes should get new CRLs from SCM and process them (Sub-task, Resolved, Unassigned)
          20. Datanodes should persist last processed CRL sequence id (Sub-task, Resolved, Unassigned)
          21. DN handle revoke of its own certificate (Sub-task, Resolved, Unassigned)
          22. OM handle revoke of its own certificate (Sub-task, Resolved, Unassigned)
          23. Make Revoked Certs table change in SCM DB to be backward compatible (Sub-task, Resolved, Unassigned)
          24. Add Audit to SCM SecurityProtocolServer (Sub-task, Resolved, Xiaoyu Yao)
          25. SCM background thread to check and handle delayed revocation (Sub-task, Resolved, Xiaoyu Yao)
          26. Add TLS TrustManager that honors CRL (Sub-task, Resolved, Xiaoyu Yao)
          27. Add TLS for GRPC based SCMUpdateService (Sub-task, Resolved, Xiaoyu Yao)
          28. Send command to Datanodes to process new CRL (Sub-task, Resolved, Unassigned)

            People

              xyao Xiaoyu Yao
              elek Marton Elek

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 0.5h