HDDS-9234. OM should shutdown immediately if certificate durations are invalid#5243
Merged
ChenSammi merged 2 commits intoapache:masterfrom Sep 13, 2023
Merged
HDDS-9234. OM should shutdown immediately if certificate durations are invalid#5243ChenSammi merged 2 commits intoapache:masterfrom
ChenSammi merged 2 commits intoapache:masterfrom
Conversation
aryangupta1998
changed the title
ayushtkn
reviewed
Sep 4, 2023
Comment on lines
1335
to
1337
| // Checking certificate duration validity by using | ||
| // validateCertificateValidityConfig() in SecurityConfig constructor. | ||
| new SecurityConfig(conf); |
Member
There was a problem hiding this comment.
new SecurityConfig(conf); is doing much more than just validating, can we refactor the certificate code extraction part & combine with the validation method into a single method & call that here?
Contributor
Author
There was a problem hiding this comment.
In the SecurityConfig constructor we're mostly initializing the member variables and most of them are used in validateCertificateValidityConfig so I don't think there would be too much extra load if we call out an object. If we try to extract a method for initializing variables related to validateCertificateValidityConfig then also we have to explicitly initialize each property being used in validateCertificateValidityConfig, what do you suggest?
ChenSammi
approved these changes
Sep 13, 2023
errose28
added a commit
to errose28/ozone
that referenced
this pull request
Sep 14, 2023
* master: (55 commits) HDDS-9236. Fix snapdiff output for key modification (apache#5258) HDDS-8013. Freon S3 bucket creation test should use unique prefix (apache#5282) HDDS-9228. Poor S3G read performance (apache#5274) HDDS-8941. Disable flaky TestContainerBalancerTask#testDelayedStart HDDS-1159. Remove flaky tag from TestContainerStateManagerIntegration (apache#5291) HDDS-6077. Remove flaky tag from TestAddRemoveOzoneManager (apache#5290) HDDS-6610. Remove support for recursive volume list/delete using ozone fs command (apache#5264) HDDS-7752. GetS3SecretRequest API should not return secret if secret of user already exists (apache#4538) HDDS-9173. Invalidate snapshot cache once snapshot gets purged (apache#5248) HDDS-8920. Ozone is supporting unicode volume and bucket names, unintentionally (apache#5276) HDDS-9275. LegacyReplicationManager: Delete excess unhealthy with force=true (apache#5286) HDDS-9264. Execute EC acceptance test in secure environment (apache#5279) HDDS-9161. Recon Pipelines datanode columns search does not work (apache#5213) HDDS-9107. Reduce the granularity of Container locks for BlockDeletingService (apache#5149) HDDS-9270. Create a script to list all acceptance test splits (apache#5281) HDDS-9220. Let ContainerBalancerConfiguration#toString print more info (apache#5228) HDDS-9208. Add queue limit in ReplicationServer. (apache#5216) HDDS-9268. [Snapshot] Update list of snapshot apis to include lsDiff details in docs. (apache#5278) HDDS-9234. OM should shutdown immediately if certificate durations are invalid (apache#5243) HDDS-9136. Throw exception when rename fails during moveToTrash. (apache#5253) ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
As of now if certificate durations are invalid for example, if "hdds.x509.max.duration" is set with a negative value then OM goes into a retry mode as OM tries to communicate with SCM which is already down so in this case after 600 seconds(by default) OM shuts down. In this jira, we will try to check the validity of the certificate duration in the init process and shut down the OM immediately if the durations are invalid.
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-9234
How was this patch tested?
Tested Manually.