HDDS-7830. SCM API for OM and Datanode to get secret keys #4345
Conversation
duongkame
changed the title
There was a problem hiding this comment.
Thanks @duongkame for working on this! I started running the new tests and after running them 30 times both testSecretKeyAfterSCMFailover and testSecretKeyApiNotEnabled failed at least once. Could they be flaky, or is this something that comes necessarily with MiniOzoneCluster tests?
Overall the change looks good, I have left 2 suggestions for white space changes.
...ds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.java
Outdated
Show resolved
Hide resolved
| CertificateServer rootCertificateServer, | ||
| CertificateServer scmCertificateServer, | ||
| X509Certificate rootCACert, StorageContainerManager scm) | ||
| CertificateServer rootCertificateServer, |
There was a problem hiding this comment.
Minor note and hint here: this is an unnecessary indentation change. You can disable it by editor/codestyle/java -> wrapping and braces tab and disabling "align when multiline" on method call arguments.
There was a problem hiding this comment.
Thanks, that's helpful. :)
…m/server/SCMSecurityProtocolServer.java Co-authored-by: Galsza <109229906+Galsza@users.noreply.github.com>
| clusterId = UUID.randomUUID().toString(); | ||
| scmId = UUID.randomUUID().toString(); | ||
|
|
||
| startMiniKdc(); |
There was a problem hiding this comment.
Is it possible to reuse one of the existing cluster spin + SCM tests? This will have some overhead on overall testing time and load. It could also be a robot test.
|
It would be good to capture the security model expected for which principals can make the API calls. |
|
Merging this in since this is a dev branch, and we can refactor the code as needed. |
Thanks, @Galsza for the review. I could actually reproduce the failure after running the tests continuously multiple times. Think I found the problem with a short waiting time in |
Thanks for the review @kerneltime. I created HDDS-8164 to address the authorization model for secret key APIs. |
* master: (73 commits) HDDS-8587. Test that CertificateClient can store multiple rootCA certificates (apache#4852) HDDS-8801. ReplicationManager: Add metric to count how often replication is throttled (apache#4864) HDDS-8477. Unit test for Snapdiff using tombstone entries (apache#4678) HDDS-7507. [Snapshot] Implement List Snapshot API Pagination (apache#4065) (apache#4861) HDDS-8373. Document that setquota doesn't accept decimals (apache#4856) HDDS-8779. Recon - Expose flag for enable/disable of heatmap. (apache#4845) HDDS-8677. Ozone admin OM CLI command for block tokens (apache#4760) HDDS-8164. Authorize secret key APIs (apache#4597) HDDS-7945. Integrate secret keys to SCM snapshot (apache#4549) HDDS-8003. E2E integration test cases for block tokens (apache#4547) HDDS-7831. Use symmetric secret key to sign and verify token (apache#4417) HDDS-7830. SCM API for OM and Datanode to get secret keys (apache#4345) HDDS-7734. Implement symmetric SecretKeys lifescycle management in SCM (apache#4194) HDDS-8679. Add dedicated, configurable thread pool for OM gRPC server (apache#4771) HDDS-8790. Split EC acceptance tests (apache#4855) HDDS-8714. TestScmHAFinalization: mark testFinalizationWithRestart as flaky, enable other test cases HDDS-8787. Reduce ozone sh calls in robot tests (apache#4854) HDDS-8774. Log allocation stack trace for leaked CodecBuffer (apache#4840) HDDS-8729. Add metric for count of blocks pending deletion on datanode (apache#4800) HDDS-8780. Leak of ManagedChannel in HASecurityUtils (apache#4850) ...
* tmp-dir-refactor: (73 commits) HDDS-8587. Test that CertificateClient can store multiple rootCA certificates (apache#4852) HDDS-8801. ReplicationManager: Add metric to count how often replication is throttled (apache#4864) HDDS-8477. Unit test for Snapdiff using tombstone entries (apache#4678) HDDS-7507. [Snapshot] Implement List Snapshot API Pagination (apache#4065) (apache#4861) HDDS-8373. Document that setquota doesn't accept decimals (apache#4856) HDDS-8779. Recon - Expose flag for enable/disable of heatmap. (apache#4845) HDDS-8677. Ozone admin OM CLI command for block tokens (apache#4760) HDDS-8164. Authorize secret key APIs (apache#4597) HDDS-7945. Integrate secret keys to SCM snapshot (apache#4549) HDDS-8003. E2E integration test cases for block tokens (apache#4547) HDDS-7831. Use symmetric secret key to sign and verify token (apache#4417) HDDS-7830. SCM API for OM and Datanode to get secret keys (apache#4345) HDDS-7734. Implement symmetric SecretKeys lifescycle management in SCM (apache#4194) HDDS-8679. Add dedicated, configurable thread pool for OM gRPC server (apache#4771) HDDS-8790. Split EC acceptance tests (apache#4855) HDDS-8714. TestScmHAFinalization: mark testFinalizationWithRestart as flaky, enable other test cases HDDS-8787. Reduce ozone sh calls in robot tests (apache#4854) HDDS-8774. Log allocation stack trace for leaked CodecBuffer (apache#4840) HDDS-8729. Add metric for count of blocks pending deletion on datanode (apache#4800) HDDS-8780. Leak of ManagedChannel in HASecurityUtils (apache#4850) ...
What changes were proposed in this pull request?
SCM API to expose SecretKeys to OM and Datanodes. The APIs are implemented in the same SCMSecurityProtocol that is used by OM & Datanodes today to fetch Certificates. List of new APIs:
These APIs will be used by OM and DN to sign and verify tokens. An early code review for that is here: duongkame#3.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-7830
How was this patch tested?
Integration test.
https://github.com/duongkame/ozone/actions/runs/4326226681