neils-dev commented on a change in pull request #2945:
URL: https://github.com/apache/ozone/pull/2945#discussion_r825235685



##########
File path: hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/protocolPB/GrpcOmTransport.java
##########
@@ -93,6 +104,22 @@ public void start() {
             .usePlaintext()
             .maxInboundMessageSize(maxSize);
 
+    if (secConfig.isGrpcTlsEnabled()) {
+      try {
+        SslContextBuilder sslContextBuilder = GrpcSslContexts.forClient();
+        if (caCerts != null) {
+          sslContextBuilder.trustManager(caCerts);
+        } else {
+          LOG.error("x509Certicates empty");
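Review bot: The `else` branch at the end of this hunk only logs `"x509Certicates empty"` and falls through, so when `isGrpcTlsEnabled()` is true but `caCerts` is null the `SslContextBuilder` obtained from `GrpcSslContexts.forClient()` is never given the intended trust manager and the rest of `start()` continues with it; consider throwing there (for example an `IOException` or `IllegalStateException` naming the missing CA certificates) so a misconfigured client fails explicitly at startup instead of relying on the later connection failure, and fix the typo in the log message (`x509Certificates`).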

Review comment:
Thanks @hanishakoneru for looking at this and for your comments.
If `grpcTlsEnabled` and the caCerts is empty, then the channel connection
between the s3g client (`GrpcOmTransport`) and the om will not be authenticated
by the client. In this case, the error will be logged and the connection will
fail. The client receives a 500 http response "An error occurred (500)
(reached max retries)".

The logged error as a result of TLS enabled with empty caCerts logs
`"x509Certicates empty"`. That and the client request failure should
provide/alert the necessary info for the admin.
