[HDDS-7723] Refresh Keys and Certificate used in OzoneSecretManager after certificate renewed - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.0
Component/s: Security
Labels:
- pki
- pull-request-available

Description

There are three child class of OzoneSecretManager. The current behavior is,

OzoneDelegationTokenSecretManager , use OM's private key to calculate the delegation token signature, OM's certificate to verify the delegation token on token renew request on OM.
OzoneBlockTokenSecretManager, use OM's private key to calculate the block token signature, OM's certificate to verify the block token on DN.
ContainerTokenSecretManager, use SCM's private key to calculate the container token signature, SCM's certificate to verify the container token on DN.

OzoneBlockTokenSecretManager and ContainerTokenSecretManager are also leveraged in EC Reconstruction coordinator on DN. This time, DN's private key and certificates are used to do the signature calculation and verification.

This task aims to let the OzoneSecretManager to use the new key and certificate to generate the token once certificate is renewed, in the meanwhile, making sure tokens generated using the old key and certificate still work until they expired.

Attachments

Issue Links

links to

GitHub Pull Request #4179

Activity

People

Assignee:: Sammi Chen

Reporter:: Sammi Chen

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Jan/23 04:02

Updated:: 10/May/23 13:27

Resolved:: 19/Jan/23 09:00