neils-dev commented on a change in pull request #2945:
URL: https://github.com/apache/ozone/pull/2945#discussion_r825234575



##########
File path: 
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/GrpcOzoneManagerServer.java
##########
@@ -46,24 +58,42 @@ public GrpcOzoneManagerServer(OzoneConfiguration config,
                                 OzoneManagerProtocolServerSideTranslatorPB
                                     omTranslator,
                                 OzoneDelegationTokenSecretManager
-                                    delegationTokenMgr) {
+                                    delegationTokenMgr,
+                                CertificateClient caClient) {
     this.port = config.getObject(
         GrpcOzoneManagerServerConfig.class).
         getPort();
     init(omTranslator,
         delegationTokenMgr,
-        config);
+        config,
+        caClient);
   }
 
   public void init(OzoneManagerProtocolServerSideTranslatorPB omTranslator,
                    OzoneDelegationTokenSecretManager delegationTokenMgr,
-                   OzoneConfiguration omServerConfig) {
+                   OzoneConfiguration omServerConfig,
+                   CertificateClient caClient) {
     NettyServerBuilder nettyServerBuilder = NettyServerBuilder.forPort(port)
         .maxInboundMessageSize(OzoneConsts.OZONE_SCM_CHUNK_MAX_SIZE)
         .addService(new OzoneManagerServiceGrpc(omTranslator,
             delegationTokenMgr,
             omServerConfig));
 
+    SecurityConfig secConf = new SecurityConfig(omServerConfig);
+    if (secConf.isGrpcTlsEnabled()) {
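Review bot: the new `if (secConf.isGrpcTlsEnabled())` branch keys only off `hdds.grpc.tls.enabled`, while the `CertificateClient caClient` that this hunk threads through the constructor and `init(...)` is never null-checked, so a deployment with TLS on and no certificate client will fail somewhere inside the (cut-off) branch body with a less obvious error than a configuration check would give. Consider failing fast inside the branch, e.g. `Objects.requireNonNull(caClient, "hdds.grpc.tls.enabled is true but no CertificateClient is available");`, and adding the new parameter to the Javadoc of both the constructor and `init`.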

Review comment:
Normal configuration would be for _ozone.security.enabled_ **and** 
_hdds.grpc.tls.enabled_ set to _'true'_, as is the case for our docker secure 
cluster configurations.

In the event GRPC TLS is enabled but Ozone security is not, the certificate 
list (TLS authentication) used by the client (`GrpcOmTransport`) will not be 
available (set to null) and the client will not be able to authenticate the 
server certificate to establish a secure channel between client and server.  On 
the server side, `GrpcOzoneManagerServer` receives a connection error.  The 
error is logged on the client side as `"x509Certicates empty"` and the client 
receives a 500 http response.  The log and errors should provide useful info to 
the admin to correct configuration errors.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
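
The failure mode described in the review comment above, as an added example that is not part of the PR or of Ozone's code: a Go program standing in for the Java client, in which the `tlsSettings` struct, the `example-cluster-ca` and `om.example.test` certificates and all helper names are constructed for illustration. It fails fast on the inconsistent combination `hdds.grpc.tls.enabled=true` with `ozone.security.enabled=false`, and then shows why a client whose trust list is empty cannot authenticate the server certificate while a client that holds the cluster CA can.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tlsSettings is a hypothetical stand-in for the two Ozone settings the review
// comment discusses; it is not an Ozone type.
type tlsSettings struct {
	SecurityEnabled bool // ozone.security.enabled
	GrpcTLSEnabled  bool // hdds.grpc.tls.enabled
}

// validateTLSSettings rejects the combination the comment calls out: gRPC TLS
// requested while Ozone security, and with it the source of trust anchors, is off.
func validateTLSSettings(s tlsSettings) error {
	if s.GrpcTLSEnabled && !s.SecurityEnabled {
		return errors.New("hdds.grpc.tls.enabled=true requires ozone.security.enabled=true; " +
			"the gRPC client would have no CA certificates to authenticate the server")
	}
	return nil
}

// newCert issues a certificate for cn, signed by parent, or self-signed when
// parent is nil. Everything here is generated in memory for the example.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticateServer does what a TLS client does with the presented server
// certificate: chain it to a trusted root and check the name. An empty pool
// models the "certificate list is null" situation from the comment.
func authenticateServer(serverCert *x509.Certificate, trusted *x509.CertPool, serverName string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demo runs the config check and both trust-list scenarios and reports the outcomes.
func demo() (misconfigRejected, validConfigAccepted, emptyTrustFails bool, err error) {
	misconfigRejected = validateTLSSettings(tlsSettings{SecurityEnabled: false, GrpcTLSEnabled: true}) != nil
	validConfigAccepted = validateTLSSettings(tlsSettings{SecurityEnabled: true, GrpcTLSEnabled: true}) == nil

	ca, caKey, err := newCert("example-cluster-ca", true, nil, nil)
	if err != nil {
		return
	}
	om, _, err := newCert("om.example.test", false, ca, caKey)
	if err != nil {
		return
	}

	// Security disabled: the client has no trust anchors, so the chain cannot be built.
	var unknown x509.UnknownAuthorityError
	emptyTrustFails = errors.As(authenticateServer(om, x509.NewCertPool(), "om.example.test"), &unknown)

	// Security enabled: the client trusts the cluster CA and the same certificate verifies.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if verr := authenticateServer(om, pool, "om.example.test"); verr != nil {
		err = fmt.Errorf("CA-trusting client should accept the server certificate: %w", verr)
	}
	return
}

func main() {
	a, b, c, err := demo()
	fmt.Println("misconfig rejected:", a, "valid config accepted:", b, "empty trust list fails:", c, "error:", err)
}
```

The empty-pool case returns `x509.UnknownAuthorityError`: the server certificate itself is valid, the client simply has nothing to chain it to, which is the position `GrpcOmTransport` is in when the certificate list is null. The point of `validateTLSSettings` is to surface that at startup with a message naming both settings rather than at the first connection attempt.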