HDDS-1065. OM and DN should persist SCM certificate as the trust root. Contributed by Ajay Kumar. #754
…. Contributed by Ajay Kumar.
💔 -1 overall
This message was automatically generated.
…ontributed by Abhishek Modi.
…Contributed by Eric Yang
💔 -1 overall
This message was automatically generated.
…r module. Contributed by Tao Yang.
…correct units when the default value is used. Contributed by starphin.
…AM heartbeat. Contributed by Abhishek Modi.
datanodeDetails.setCertSerialId(getX509Certificate(pemEncodedCert). | ||
getSerialNumber().toString()); | ||
persistDatanodeDetails(datanodeDetails); | ||
// Get SCM CA certificate and store it in filesystem. | ||
String pemEncodedRootCert = secureScmClient.getCACertificate(); |
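Review bot: the CA certificate returned by `secureScmClient.getCACertificate()` on the last line of this hunk is fetched to be stored as the trust root, but nothing visible here checks that it is the issuer of the datanode certificate in `pemEncodedCert`. Before persisting it, verify the datanode certificate's signature against the returned CA certificate's public key and fail on a mismatch, so a wrong or stale CA certificate never becomes the trust anchor. Also consider storing the CA certificate before `persistDatanodeDetails(datanodeDetails)`, since as written a failed CA fetch leaves the serial id persisted without a trust root.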
Should we get the CA certificate based on the DN certificate signed by CA? Does that contain a signer certificate id?
As of now we don't have functionality to look up certificates by subject or SCM id. getCACertificate returns the default certificate for the SCM that signed it.
@@ -80,6 +80,7 @@ | |||
public abstract class DefaultCertificateClient implements CertificateClient { | |||
|
|||
private static final String CERT_FILE_NAME_FORMAT = "%s.crt"; | |||
private static final String CA_CERT_PREFIX = "CA-"; |
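Review bot: `CA_CERT_PREFIX` is added without a comment, and nothing in this hunk shows how it is combined with `CERT_FILE_NAME_FORMAT` or where it is read back. Add a one-line comment stating the resulting file name pattern and that files with this prefix hold the CA certificate rather than the component's own certificate, so code that loads certificates by file name treats the two differently.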
Can you remind me where do we actually use this root CA certificate in the code? I don't see reference in this patch. Should we use it in Block token verification?
Yes, for block token and DT validation. It will be used to establish trust of chain.
LGTM overall. Just two questions added inline.
…unk. Contributed by Ayush Saxena.
… handle StandbyException when fetching HAServiceState. Contributed by Erik Krogen.
…ationTokenSecretManager. Contributed by CR Hota.
Contributed by Yesha Vora
Contributed by Dinesh Chitlangia.
…ontributed by Prabhu Joseph.
…ds for containers in closing state after a restart. (apache#755)
…eue. Contributed by Abhishek Modi.
…estBase.testUpdateTrackingUrl fails intermittent. Contributed by Prabhu Joseph.
… fails intermittent. Contributed by Prabhu Joseph.
…core. Signed-off-by: Takanobu Asanuma <tasanuma@apache.org>
…tInterceptor#invokeConcurrent. Contributed by Shen Yinjie.
…tion flow. Contributed by Bilwa S T.
…buted by Supratim Deka (apache#812)
…n. Contributed by Peter Bacsko.
…vided storage. Contributed by Ashvin Agrawal
…tegration. Contributed by Szilard Nemeth.
…tanode (apache#820). Contributed by Shashikant Banerjee.
Author: David Mollitor
Adding a protected-scope getter for the DistCpOptions, so that a subclass does not need to save its own copy of the inputOptions supplied to its constructor, if it wishes to override the createInputFileListing method with logic similar to the original implementation, i.e. calling CopyListing#buildListing with a path and input options. Author: Andrew Olson
…ntributed by Elek, Marton.
(cherry picked from commit aebf229)
…nt service restart.
…Initialization. Contributed by Yiqun Lin.
* @throws CertificateException - on Error. | ||
* | ||
*/ | ||
void storeCertificate(String pemEncodedCert, boolean force) | ||
void storeCertificate(String pemEncodedCert, boolean force, boolean caCert) |
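Review bot: the new `boolean caCert` parameter on `storeCertificate` has no `@param` entry in the Javadoc visible above it, and it sits directly after `boolean force`, so a call such as `storeCertificate(pem, true, false)` gives no hint which flag marks a trust root. Document the parameter, or replace it with a separately named method or an enum, so a certificate cannot be stored as a CA certificate by swapping two booleans.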
Why don't you write a new function called storeRootCertificate? That avoids adding this false argument to lots of other parts of the code.
Agree, let's add a new function as @anuengineer suggested.
Contributed by Prabhu Joseph
…or. Contributed by Siddharth Wagle. This closes apache#822.
Contributed by Alexis Daboville,
…s special characters in hdfs file path. Contributed by Srinivasu Majeti. Signed-off-by: Wei-Chiu Chuang <weichiu@apache.org>
…er. Contributed by Abhishek Modi.
…. Contributed by Ajay Kumar.
💔 -1 overall
This message was automatically generated.
apache#725) * HDDS-1422. Exception during DataNode shutdown. Contributed by Arpit Agarwal. Change-Id: I6db6bdd19839a45e5341ed7e745cd38f68af8378 * Suppress spurious findbugs warning. * Remove log file that got committed in error
… inconsistent read after replace/overwrite. Contributed by Ben Roling. S3Guard will now track the etag of uploaded files and, if an S3 bucket is versioned, the object version. You can then control how to react to a mismatch between the data in the DynamoDB table and that in the store: warn, fail, or, when using versions, return the original value. This adds two new columns to the table: etag and version. This is transparent to older S3A clients -but when such clients add/update data to the S3Guard table, they will not add these values. As a result, the etag/version checks will not work with files uploaded by older clients. For a consistent experience, upgrade all clients to use the latest hadoop version.
…path. Contributed by Gergely Pollak.
💔 -1 overall
This message was automatically generated.
Author: Prateek Maheshwari <pmaheshwari@apache.org> Closes apache#754 from prateekm/version-updates