Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 1.3.0
Description
Issue:
While validating the config duration with multiple negative scenarios, the following observations were made:
- Config duration accepts 0D as the duration.
- Config duration accepts negative days (-1D) as the duration.
- No check was added for the hdds.x509.renew.grace.duration value.
- The only check currently available is that hdds.x509.default.duration is not greater than hdds.x509.max.duration.
- The logging message is wrong and the config order is reversed.
Scenarios tried:
Unnatural sequence:
- Max = 0 | Def = 2 | Grace = 1 | Failed
- Max = 5 | Def = 0 | Grace = 1 | Restarted
- Max = 5 | Def = 2 | Grace = 0 | Restarted
- Max = 5 | Def = 6 | Grace = 1 | Failed
- Max = 5 | Def = 2 | Grace = 3 | Restarted
- Max = 5 | Def = 2 | Grace = 6 | Restarted
Negative values:
- Max = -5 | Def = 2 | Grace = 1 | Failed
- Max = 5 | Def = -2 | Grace = 1 | Restarted
- Max = 5 | Def = 2 | Grace = -1 | Restarted
Fractional values:
- Max = 5.25 | Def = 2 | Grace = 1 | Failed
- Max = 5 | Def = 2.5 | Grace = 1 | Failed
- Max = 5 | Def = 2 | Grace = 1.75 | Failed
The scenarios where the restart could go through should have actually failed to start.
Error with logging message:
Scenario 1, where Max Duration is 0D and Default Duration is 2D.
Stacktrace:
[root@quasar-gvwabo-2 ~]# vim /var/log/hadoop-ozone/ozone-scm.log
2022-12-22 08:57:25,296 ERROR org.apache.hadoop.hdds.security.x509.SecurityConfig: Certificate duration PT0S should not be greater than Maximum Certificate duration PT48H
Issue Links
- fixes: HDDS-8412 [pki] Error Log values for certificate duration are switched (Resolved)