  1. Apache Ozone
  2. HDDS-7391 Automated live rotation of CA certificates in a cluster with established trust
  3. HDDS-9015

Block CSR request in SCM for "hdds.x509.rootca.certificate.polling.interval" time period


Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.4.0
    • None

    Description

      Once the root CA rotation and sub CA rotation have finished, the leader SCM will start to serve CSR requests from other services, such as existing OM, DN and Recon, or newly added OM, DN and SCM.

      But the problem is that every service's certificate is signed without coordination, so there will be some services whose certificates are already signed by the new root CA, and some services that still hold old certificates because their certificate renewal has not happened yet. These services cannot talk to each other, because some have already got the new certificate and the new root CA certificate but others have not.

      Blocking CSRs for a "hdds.x509.rootca.certificate.polling.interval" period of time will guarantee that all services get the root CA certificate during this period, so the "cannot talk to each other" case above can be avoided.
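
      The timing argument in the description, as an added model that is not part of the issue or of Ozone's code: it counts the moments at which a service already holding a certificate from the new root CA would face a peer that has not yet polled the new root CA certificate, with and without the CSR block. The service names, poll and renewal times, the 7200-second interval and the helper names (`csr_allowed`, `simulate`, `make_services`) are all constructed assumptions.

```python
from dataclasses import dataclass

POLL_INTERVAL = 7200  # seconds; constructed value for the polling interval
STEP = 60             # simulation tick; a blocked CSR is retried every tick

@dataclass
class Service:
    name: str
    next_poll: int   # next time the service polls SCM for the root CA cert
    renew_at: int    # time the service first sends its CSR
    trusts_new_root: bool = False
    has_new_cert: bool = False

def make_services():
    # Constructed cluster; each first poll falls within one POLL_INTERVAL.
    return [Service("om1", 600, 0), Service("dn1", 5000, 3000),
            Service("recon", 7000, 9000)]

def csr_allowed(now, rotation_done_at, block_for):
    """SCM-side gate: sign nothing until block_for seconds after rotation."""
    return now >= rotation_done_at + block_for

def simulate(services, rotation_done_at, block_for, horizon):
    """Return (time, new_cert_holder, peer_lacking_new_root) per failing tick."""
    failures = []
    for now in range(rotation_done_at, horizon + 1, STEP):
        for s in services:
            if now >= s.next_poll:          # periodic root CA poll
                s.trusts_new_root = True
                s.next_poll += POLL_INTERVAL
            if (not s.has_new_cert and now >= s.renew_at
                    and csr_allowed(now, rotation_done_at, block_for)):
                s.has_new_cert = True       # signed cert arrives together
                s.trusts_new_root = True    # with the new root CA cert
        for a in services:
            for b in services:
                # b cannot validate a's chain without the new root CA cert
                if a.has_new_cert and not b.trusts_new_root:
                    failures.append((now, a.name, b.name))
    return failures

if __name__ == "__main__":
    unblocked = simulate(make_services(), 0, 0, 3 * POLL_INTERVAL)
    blocked = simulate(make_services(), 0, POLL_INTERVAL, 3 * POLL_INTERVAL)
    print("no block:", len(unblocked), "failing ticks, first", unblocked[0])
    print("blocked :", len(blocked), "failing ticks")
```

      The model only holds if every service polls at least once per interval; a service that is down for the whole window would still miss the new root CA certificate.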

            People

              Sammi Chen