HDDS-4788. Enable mTLS for Ratis in OM HA #1912

Merged
merged 1 commit into from
Feb 10, 2021

Conversation

adoroszlai
Contributor

What changes were proposed in this pull request?

Let OM HA enable TLS for its internal Ratis if SecurityConfig#isGrpcTlsEnabled is true (i.e. if hdds.grpc.tls.enabled=true).

To make this work in the docker-compose cluster, we need a small tweak in the OM certificate request. Normally the hostname is included in the alternative names list, and the subject name can be anything (in our case it's in the form user@host, e.g. root@om1). However, if reverse lookup for the OM host's IP does not work, then the subject name will be the only information available for certificate verification to match DNS. In this case we should omit the username part, because it will cause the DNS match to fail.

https://issues.apache.org/jira/browse/HDDS-4788

How was this patch tested?

Enabled hdds.grpc.tls.enabled=true in ozonesecure-om-ha cluster.

https://github.com/adoroszlai/hadoop-ozone/actions/runs/547953101
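The certificate-name matching the description relies on (dNSName SANs take precedence; the subject name is only consulted as a fallback, and a user@host subject then fails to match the hostname) can be illustrated with a small RFC 6125-style matcher. This is an added example, not Ozone, Ratis or gRPC code: the `cert` dictionary shape, the `match_hostname` function and the sample OM certificates are constructed for illustration.

```python
"""Hostname matching against a certificate's names, RFC 6125 style:
dNSName SANs are authoritative when present; the subject CN is used
only when the certificate carries no dNSName SAN at all.

Added illustration for the OM HA / Ratis mTLS discussion; the cert
dict shape is hypothetical and not Ozone's own certificate model."""

from typing import Dict, List, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A single leading '*' wildcard matches exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 2:
        return False  # only '*.domain' style wildcards are accepted
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert: Dict[str, object], hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason). cert = {"subject_cn": str, "san_dns": [str]}."""
    san_dns: List[str] = list(cert.get("san_dns", []))  # type: ignore[arg-type]
    if san_dns:
        # SAN present: the CN is ignored entirely, as verifiers do.
        for name in san_dns:
            if _dns_name_matches(name, hostname):
                return True, "matched dNSName SAN %r" % name
        return False, "no dNSName SAN matched %r (CN ignored)" % hostname
    cn = cert.get("subject_cn")
    if not isinstance(cn, str) or not cn:
        return False, "certificate has neither dNSName SAN nor subject CN"
    # Fallback: only the subject CN is available, so it must be a bare hostname.
    if _dns_name_matches(cn, hostname):
        return True, "matched subject CN %r (no SAN present)" % cn
    return False, "subject CN %r does not match %r" % (cn, hostname)


# Constructed sample certificates for an OM named "om1".
CERT_WITH_SAN = {"subject_cn": "root@om1", "san_dns": ["om1"]}        # normal case
CERT_CN_USER_AT_HOST = {"subject_cn": "root@om1", "san_dns": []}      # reverse lookup failed
CERT_CN_HOST_ONLY = {"subject_cn": "om1", "san_dns": []}              # username part omitted


def check_om_certs(hostname: str = "om1") -> Dict[str, bool]:
    """Evaluate the three sample certificates against the OM hostname."""
    return {
        "san_present": match_hostname(CERT_WITH_SAN, hostname)[0],
        "cn_user_at_host": match_hostname(CERT_CN_USER_AT_HOST, hostname)[0],
        "cn_host_only": match_hostname(CERT_CN_HOST_ONLY, hostname)[0],
    }


if __name__ == "__main__":
    for label, cert in [("SAN present", CERT_WITH_SAN),
                        ("CN user@host only", CERT_CN_USER_AT_HOST),
                        ("CN host only", CERT_CN_HOST_ONLY)]:
        ok, why = match_hostname(cert, "om1")
        print("%-18s -> %s: %s" % (label, "OK" if ok else "FAIL", why))
```

With the SAN present the subject is irrelevant, so `root@om1` is harmless; once the SAN is missing the subject CN is the only name the verifier can compare, and `root@om1` can never equal `om1`, which is why the patch drops the username part in that case.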

@adoroszlai adoroszlai self-assigned this Feb 8, 2021
@swagle swagle requested a review from xiaoyuyao February 8, 2021 16:50
Contributor

@xiaoyuyao xiaoyuyao left a comment


LGTM, +1 pending CI.

@amaliujia
Contributor

@bshashikant @xiaoyuyao

Do we need the same change on SCM Ratis?

@bshashikant
Contributor

> @bshashikant @xiaoyuyao
>
> Do we need the same change on SCM Ratis?

Yes, we need it, and we will enable it when we implement security in SCM HA.

@adoroszlai adoroszlai merged commit d09e4b0 into apache:master Feb 10, 2021
@adoroszlai
Contributor Author

Thanks @xiaoyuyao for the review.

@adoroszlai adoroszlai deleted the HDDS-4788 branch February 10, 2021 08:49