Apache Ozone / HDDS-7331

Ozone PKI improvements


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Security

    Description

      Ozone's internal Public Key Infrastructure and its related functionality are incomplete; this new umbrella JIRA is created to collect and track the missing pieces.
      What we are missing today:

      • automatic rotation of certificates before expiration
      • automatic rotation of CA certificates before expiration
      • certificate revocation support
      • configurability
      • full admin CLI support for handling certificates
      • better test coverage
      • we have discrepancies in SCM HA due to the necessity of a primordial node
      • clear separation of concerns: we use the same certificate and keypair for multiple purposes

      Also, as token signatures use the 2048-bit RSA keypair generated for our internal certificates, we suffer a performance hit due to the costly RSA signing of tokens.

      See the attached detailed document about the current system and the planned improvements for more details on the problems and proposed solutions.
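The last point of the description, that signing every token with the 2048-bit RSA key is costly, can be measured directly. The following Go program is an added example written for this page, not Ozone code: it signs a constructed sample token payload with a freshly generated RSA-2048 key (PKCS#1 v1.5 over SHA-256) and with a dedicated Ed25519 key, verifies both, and reports the per-signature cost. The token field names, the `signer` interface and the choice of Ed25519 are assumptions; Ed25519 stands in for whichever cheaper token-signing key the attached design ends up choosing, and keeping it separate from the certificate keypair is one way to get the separation of concerns the list asks for.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Constructed sample token payload; it stands in for a serialized Ozone token.
// The field names are illustrative and not the real token format.
var sampleToken = []byte("owner=ozone-client;service=scm;blockID=vol1/bucket1/key1;expiry=1700000000")

// signer is an assumed interface so both schemes can be driven by the same loop.
type signer interface {
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
}

// rsaSigner signs with a 2048-bit RSA key, PKCS#1 v1.5 over SHA-256: the kind
// of key a certificate keypair provides and the scheme whose cost is in question.
type rsaSigner struct{ key *rsa.PrivateKey }

func newRSASigner() (*rsaSigner, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &rsaSigner{key: k}, nil
}

func (s *rsaSigner) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, h[:])
}

func (s *rsaSigner) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(&s.key.PublicKey, crypto.SHA256, h[:], sig) == nil
}

// edSigner uses an Ed25519 key dedicated to tokens (assumed candidate replacement).
type edSigner struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newEdSigner() (*edSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &edSigner{pub: pub, priv: priv}, nil
}

func (s *edSigner) Sign(msg []byte) ([]byte, error) { return ed25519.Sign(s.priv, msg), nil }
func (s *edSigner) Verify(msg, sig []byte) bool  { return ed25519.Verify(s.pub, msg, sig) }

// signMany signs msg n times and returns the mean per-signature cost together
// with the last signature; it fails if that signature does not verify.
func signMany(s signer, msg []byte, n int) (time.Duration, []byte, error) {
	var sig []byte
	var err error
	start := time.Now()
	for i := 0; i < n; i++ {
		if sig, err = s.Sign(msg); err != nil {
			return 0, nil, err
		}
	}
	per := time.Since(start) / time.Duration(n)
	if !s.Verify(msg, sig) {
		return 0, nil, fmt.Errorf("signature did not verify")
	}
	return per, sig, nil
}

func main() {
	const n = 200
	r, err := newRSASigner()
	if err != nil {
		panic(err)
	}
	e, err := newEdSigner()
	if err != nil {
		panic(err)
	}
	rsaCost, rsaSig, err := signMany(r, sampleToken, n)
	if err != nil {
		panic(err)
	}
	edCost, edSig, err := signMany(e, sampleToken, n)
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA-2048/SHA-256: %v per token, %d-byte signature\n", rsaCost, len(rsaSig))
	fmt.Printf("Ed25519:          %v per token, %d-byte signature\n", edCost, len(edSig))
	fmt.Printf("RSA signing is %.1fx slower\n", float64(rsaCost)/float64(edCost))
}
```

Run it with `go run`. The RSA-2048 signature is 256 bytes against 64 for Ed25519, so the cost shows up in token size as well as CPU. Note that the comparison flips for verification, where RSA with a small public exponent is cheap, so the side that dominates the workload (the signer issuing tokens, or the many verifiers checking them) is the one to measure.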

      People

        Assignee: István Fajth (pifta)
        Reporter: István Fajth (pifta)
        Votes: 0
        Watchers: 2