HDDS-1065. OM and DN should persist SCM certificate as the trust root. Contributed by Ajay Kumar. #754

Closed
wants to merge 140 commits into from

@ajayydv ajayydv commented Apr 19, 2019

No description provided.

@ajayydv ajayydv added the ozone label Apr 19, 2019
@ajayydv ajayydv requested a review from xiaoyuyao April 19, 2019 00:21
@ajayydv ajayydv self-assigned this Apr 19, 2019
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 30 Docker mode activated.
_ Prechecks _
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 3 new or modified test files.
_ trunk Compile Tests _
0 mvndep 63 Maven dependency ordering for branch
+1 mvninstall 1095 trunk passed
+1 compile 1084 trunk passed
+1 checkstyle 142 trunk passed
+1 mvnsite 201 trunk passed
+1 shadedclient 1054 branch has no errors when building and testing our client artifacts.
0 findbugs 0 Skipped patched modules with no Java source: hadoop-ozone/integration-test
+1 findbugs 183 trunk passed
+1 javadoc 131 trunk passed
_ Patch Compile Tests _
0 mvndep 23 Maven dependency ordering for patch
+1 mvninstall 140 the patch passed
+1 compile 1040 the patch passed
+1 javac 1040 the patch passed
+1 checkstyle 134 the patch passed
+1 mvnsite 157 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 649 patch has no errors when building and testing our client artifacts.
0 findbugs 0 Skipped patched modules with no Java source: hadoop-ozone/integration-test
+1 findbugs 209 the patch passed
+1 javadoc 124 the patch passed
_ Other Tests _
-1 unit 75 common in the patch failed.
+1 unit 63 container-service in the patch passed.
-1 unit 1266 integration-test in the patch failed.
+1 unit 62 ozone-manager in the patch passed.
+1 asflicense 57 The patch does not generate ASF License warnings.
7910
Reason Tests
Failed junit tests hadoop.hdds.scm.net.TestNodeSchemaManager
hadoop.hdds.scm.net.TestNetworkTopologyImpl
hadoop.ozone.container.common.statemachine.commandhandler.TestBlockDeletion
hadoop.ozone.TestOzoneConfigurationFields
hadoop.ozone.client.rpc.TestOzoneRpcClientWithRatis
hadoop.hdds.scm.pipeline.TestRatisPipelineUtils
hadoop.ozone.client.rpc.TestSecureOzoneRpcClient
hadoop.ozone.client.rpc.TestOzoneAtRestEncryption
hadoop.ozone.om.TestContainerReportWithKeys
hadoop.ozone.client.rpc.TestCommitWatcher
Subsystem Report/Notes
Docker Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/hadoop-multibranch/job/PR-754/1/artifact/out/Dockerfile
GITHUB PR #754
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux 051e1ddd5144 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 518f47b
maven version: Apache Maven 3.3.9
Default Java 1.8.0_191
findbugs v3.1.0-RC1
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-754/1/artifact/out/patch-unit-hadoop-hdds_common.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-754/1/artifact/out/patch-unit-hadoop-ozone_integration-test.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-754/1/testReport/
Max. process+thread count 3724 (vs. ulimit of 5500)
modules C: hadoop-hdds/common hadoop-hdds/container-service hadoop-ozone/integration-test hadoop-ozone/ozone-manager U: .
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-754/1/console
Powered by Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 24 Docker mode activated.
_ Prechecks _
+1 @author 0 The patch does not contain any @author tags.
+1 test4tests 0 The patch appears to include 3 new or modified test files.
_ trunk Compile Tests _
0 mvndep 322 Maven dependency ordering for branch
+1 mvninstall 1058 trunk passed
+1 compile 995 trunk passed
+1 checkstyle 136 trunk passed
+1 mvnsite 254 trunk passed
+1 shadedclient 1058 branch has no errors when building and testing our client artifacts.
0 findbugs 0 Skipped patched modules with no Java source: hadoop-ozone/integration-test
+1 findbugs 174 trunk passed
+1 javadoc 124 trunk passed
_ Patch Compile Tests _
0 mvndep 21 Maven dependency ordering for patch
+1 mvninstall 142 the patch passed
+1 compile 907 the patch passed
+1 javac 907 the patch passed
+1 checkstyle 133 the patch passed
+1 mvnsite 159 the patch passed
+1 whitespace 0 The patch has no whitespace issues.
+1 shadedclient 615 patch has no errors when building and testing our client artifacts.
0 findbugs 0 Skipped patched modules with no Java source: hadoop-ozone/integration-test
+1 findbugs 212 the patch passed
+1 javadoc 128 the patch passed
_ Other Tests _
-1 unit 68 common in the patch failed.
+1 unit 65 container-service in the patch passed.
-1 unit 905 integration-test in the patch failed.
+1 unit 50 ozone-manager in the patch passed.
+1 asflicense 40 The patch does not generate ASF License warnings.
7444
Reason Tests
Failed junit tests hadoop.hdds.scm.net.TestNodeSchemaManager
hadoop.hdds.scm.net.TestNetworkTopologyImpl
hadoop.ozone.TestOzoneConfigurationFields
hadoop.ozone.client.rpc.TestCloseContainerHandlingByClient
hadoop.hdds.scm.pipeline.TestRatisPipelineUtils
hadoop.ozone.client.rpc.TestCommitWatcher
Subsystem Report/Notes
Docker Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/hadoop-multibranch/job/PR-754/2/artifact/out/Dockerfile
GITHUB PR #754
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle
uname Linux 0ce971fa6b0a 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality personality/hadoop.sh
git revision trunk / 317fcba
maven version: Apache Maven 3.3.9
Default Java 1.8.0_191
findbugs v3.1.0-RC1
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-754/2/artifact/out/patch-unit-hadoop-hdds_common.txt
unit https://builds.apache.org/job/hadoop-multibranch/job/PR-754/2/artifact/out/patch-unit-hadoop-ozone_integration-test.txt
Test Results https://builds.apache.org/job/hadoop-multibranch/job/PR-754/2/testReport/
Max. process+thread count 4310 (vs. ulimit of 5500)
modules C: hadoop-hdds/common hadoop-hdds/container-service hadoop-ozone/integration-test hadoop-ozone/ozone-manager U: .
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-754/2/console
Powered by Apache Yetus 0.9.0 http://yetus.apache.org

This message was automatically generated.

yangwwei and others added 3 commits April 20, 2019 21:51
…correct units when the default value is used. Contributed by starphin.
…AM heartbeat. Contributed by Abhishek Modi.
datanodeDetails.setCertSerialId(getX509Certificate(pemEncodedCert).
getSerialNumber().toString());
persistDatanodeDetails(datanodeDetails);
// Get SCM CA certificate and store it in filesystem.
String pemEncodedRootCert = secureScmClient.getCACertificate();
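
Review bot: the `secureScmClient.getCACertificate()` call on the last line accepts whatever the SCM returns as the trust root, and nothing in these lines checks that this certificate actually issued the datanode certificate parsed from `pemEncodedCert` a few lines up. Before persisting it, verify the datanode certificate against the CA certificate's public key (`X509Certificate.verify(PublicKey)`) and fail registration on a mismatch, so that a wrong or stale root is never written to disk as the trust anchor.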
Contributor

Should we get the CA certificate based on the DN certificate signed by CA? Does that contain a signer certificate id?

Contributor Author

As of now we don't have functionality to look up certificates by subject or scm id. getCACertificate returns default certificate for SCM who signed it.

@@ -80,6 +80,7 @@
public abstract class DefaultCertificateClient implements CertificateClient {

private static final String CERT_FILE_NAME_FORMAT = "%s.crt";
private static final String CA_CERT_PREFIX = "CA-";
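
Review bot: `CA_CERT_PREFIX` on the added line carries no comment, and from this hunk it is not clear how it combines with `CERT_FILE_NAME_FORMAT` or which code path reads the prefixed file back. Add a short Javadoc stating the resulting file name and that the prefix marks the trust root, so that code loading certificates from this directory can tell the CA certificate apart from the component's own.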
Contributor

Can you remind me where do we actually use this root CA certificate in the code? I don't see reference in this patch. Should we use it in Block token verification?

Contributor Author

Yes, for block token and DT validation. It will be used to establish trust of chain.

@xiaoyuyao xiaoyuyao left a comment

LGTM overall. Just two questions added inline.

Inigo Goiri and others added 15 commits April 22, 2019 13:23
… handle StandbyException when fetching HAServiceState. Contributed by Erik Krogen.
…ationTokenSecretManager. Contributed by CR Hota.
…ds for containers in closing state after a restart. (apache#755)
…estBase.testUpdateTrackingUrl fails intermittent. Contributed by Prabhu Joseph.
… fails intermittent. Contributed by Prabhu Joseph.
…core.

Signed-off-by: Takanobu Asanuma <tasanuma@apache.org>
…tInterceptor#invokeConcurrent. Contributed by Shen Yinjie.
bibinchundatt and others added 13 commits May 15, 2019 13:30
…vided storage. Contributed by Ashvin Agrawal
Adding a protected-scope getter for the DistCpOptions, so that a subclass does
not need to save its own copy of the inputOptions supplied to its constructor,
if it wishes to override the createInputFileListing method with logic similar
to the original implementation, i.e. calling CopyListing#buildListing with a path and input options.

Author:    Andrew Olson
* @throws CertificateException - on Error.
*
*/
void storeCertificate(String pemEncodedCert, boolean force)
void storeCertificate(String pemEncodedCert, boolean force, boolean caCert)
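
Review bot: the new signature places two `boolean` parameters side by side, `force` and `caCert`, which can be transposed at a call site without any compile error, and here a swap decides whether a certificate is stored as the trust root. A dedicated method for the CA certificate, or an enum for the certificate type, would make each call self-describing; the Javadoc above also needs a `@param` entry for the new argument if it does not already have one.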
Contributor

Why don't you write a new function called storeRootCertificate? That avoids adding this false argument to lots of other parts of the code.

Contributor

Agree, let's add a new function as @anuengineer suggested.

macroadster and others added 6 commits May 16, 2019 16:39
…s special characters in hdfs file path. Contributed by Srinivasu Majeti.

Signed-off-by: Wei-Chiu Chuang <weichiu@apache.org>
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 0 Docker mode activated.
-1 patch 40 #754 does not apply to trunk. Rebase required? Wrong Branch? See https://wiki.apache.org/hadoop/HowToContribute for help.
Subsystem Report/Notes
GITHUB PR #754
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-754/3/console
versions git=2.7.4
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

arp7 and others added 5 commits May 20, 2019 09:09
apache#725)

* HDDS-1422. Exception during DataNode shutdown. Contributed by Arpit Agarwal.

Change-Id: I6db6bdd19839a45e5341ed7e745cd38f68af8378

* Suppress spurious findbugs warning.

* Remove log file that got committed in error
… inconsistent read after replace/overwrite.

Contributed by Ben Roling.

S3Guard will now track the etag of uploaded files and, if an S3
bucket is versioned, the object version.

You can then control how to react to a mismatch between the data
in the DynamoDB table and that in the store: warn, fail, or, when
using versions, return the original value.

This adds two new columns to the table: etag and version.
This is transparent to older S3A clients -but when such clients
add/update data to the S3Guard table, they will not add these values.
As a result, the etag/version checks will not work with files uploaded by older clients.

For a consistent experience, upgrade all clients to use the latest hadoop version.
@ajayydv ajayydv closed this May 20, 2019
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Comment
0 reexec 0 Docker mode activated.
-1 patch 51 #754 does not apply to trunk. Rebase required? Wrong Branch? See https://wiki.apache.org/hadoop/HowToContribute for help.
Subsystem Report/Notes
GITHUB PR #754
Console output https://builds.apache.org/job/hadoop-multibranch/job/PR-754/4/console
versions git=2.7.4
Powered by Apache Yetus 0.10.0 http://yetus.apache.org

This message was automatically generated.

@ajayydv ajayydv deleted the HDDS-1065 branch May 20, 2019 16:20
shanthoosh pushed a commit to shanthoosh/hadoop that referenced this pull request Oct 15, 2019
Author: Prateek Maheshwari <pmaheshwari@apache.org>

Closes apache#754 from prateekm/version-updates