[HDDS-8135] Incorrect synchronization during certificate renewal in DefaultCertificateClient - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.4.0
Fix Version/s: 1.4.0
Component/s: Security
Labels:
- pki
- pull-request-available

Target Version/s:

1.4.0

Description

~~HDDS-7874~~ has revealed that if there are multiple instances of the certificate client, which is possible with the current code, the locking model used for certificate renewal, and the scheduling is duplicated in memory, and can race freely to modify the metadata stored on disk in parallel, as the locking is ineffective.

When there are multiple certificate client instances, then there are multiple single threaded scheduled executors, and multiple reentrant lock objects created, and this way as all thread is scheduled to run at the same time based on the current certificate's lifetime, and all threads run in a different executor instance while they lock on a separate lock objects, there is no mutually exclusive access guaranteed for persisted data and internal in-memory data either.

Attachments

Issue Links

is related to

HDDS-7339 Implement Certificate renewal task for services

Resolved

links to

GitHub Pull Request #4381

Activity

People

Assignee:: István Fajth

Reporter:: István Fajth

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Mar/23 14:10

Updated:: 10/May/23 13:21

Resolved:: 06/Apr/23 07:06