[HDDS-7332] Automatic OM/DN/Recon certificate rotation before certificate expiration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.0
Component/s: Security
Labels:
- certificate_rotation
- pki

Description

As per the doc in HDDS-7331, the goals here are:

implement a certificate owner driven certificate renewal before expiration in services
implement certificate hotswap without service disruption
introduce multiple certificates for different uses in services, separate these concerns on the certificates level
start to include the whole trust chain in a certificate bundle, and use that instead of the sole certificate (with that allow us to have an arbitrary number of entities in the trust chain that we don't need to pre-distribute to truststores.)

Attachments

Issue Links

blocks

HDDS-7331 Ozone PKI improvements

Open

contains

HDDS-756 Functionality to handle key rotation in OM

Resolved

HDDS-757 Functionality to handle key rotation in DN.

Resolved

is blocked by

RATIS-1747 Support keyManager and trustManager in tlsConfig

Resolved

Sub-Tasks

1.	Check certificate expiration at service startup, renew if necessary	Resolved	István Fajth
2.	Implement Certificate renewal task for services	Resolved	Sammi Chen
3.	Support KeyStoreFactory which supports keyManager and trustManager reload	Resolved	Sammi Chen
4.	Use certificate bundles instead of the sole certificate	Resolved	Szabolcs Gál
5.	Ensure certificate hierarchy is set up properly	Resolved	Szabolcs Gál
6.	Upgrade ratis to 2.4.2-8b8bdda-SNAPSHOT	Resolved	Sammi Chen
7.	Incorrect synchronization during certificate renewal in DefaultCertificateClient	Resolved	István Fajth
8.	Certificate clients are not correctly closed.	Resolved	István Fajth
9.	Support fine grained certificate lifetime for efficient test	Resolved	Sammi Chen
10.	Use keyManager and trustManager provided by keyStoreFactory in datanode grpc services	Resolved	Sammi Chen
11.	Use keyManager and trustManager provided by keyStoreFactory in Ratis group	Resolved	Szabolcs Gál
12.	Use keyManager and trustManager provided by keyStoreFactory in om grpc services	Resolved	Sammi Chen
13.	Remove hadoop security dependency in Ozone org.apache.hadoop.hdds.security.ssl package	Resolved	Sammi Chen
14.	Refresh Keys and Certificate used in OzoneSecretManager after certificate renewed	Resolved	Sammi Chen
15.	Refactor the way to notify keyStoreFactory about certificate renewed	Resolved	Sammi Chen
16.	Support fine grained lifetime for root CA certificate	Resolved	Sammi Chen
17.	Validate that the public key belongs to the certificate during startup	Resolved	Szabolcs Gál
18.	Add cleanup in the certificate renewal logic to remove old pki material.	Resolved	Szabolcs Gál
19.	Remove the renew logic added by HDDS-7453	Resolved	István Fajth
20.	[ozone-cert-rotation][ozone] Multiple InternalCA were created	Resolved	Unassigned
21.	Refine certificate renewer service to avoid it scheduled ahead of time	Resolved	Sammi Chen

Activity

People

Assignee:: István Fajth

Reporter:: István Fajth

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Oct/22 21:16

Updated:: 04/Jun/24 08:42

Resolved:: 10/May/23 13:44