Pratyush Bhatt created HDDS-9507:
------------------------------------

             Summary: [MasterNode decommissioning] Recommissioned SCM certs still signed by RootCA
                 Key: HDDS-9507
                 URL: https://issues.apache.org/jira/browse/HDDS-9507
             Project: Apache Ozone
          Issue Type: Bug
          Components: SCM
            Reporter: Pratyush Bhatt


*Scenario:* 
Decommission an SCM node, and certs are tuned to be rotated after the new SCM recommission is done.

*Steps:*
1. Cert rotation interval set as 30 minutes.
2. Decommission a SCM Node (ozn-decom56-5.ozn-decom56.xyz)
3. Recommission a new SCM Node. (ozn-decom56-4.ozn-decom56.xyz)
4. Cert rotation interval hits now.

_Configs used:_
{code:java}
"hdds.x509.default.duration": "PT1H",
"hdds.x509.renew.grace.duration": "PT30M",
"hdds.x509.ca.rotation.check.interval": "PT10M",
"ozone.manager.delegation.token.renew-interval": "10m",
"hdds.block.token.expiry.time": "10m",
"ozone.manager.delegation.token.max-lifetime": "30m"{code}

*Observed behavior:*

This is the cert info for the SCMs and rootCA now:
{code:java}
SerialNumber      Valid From                     Expiry                         Subject                                                                                              Issuer
1                 Thu Oct 19 11:33:32 UTC 2023   Sun Nov 26 11:33:32 UTC 2028   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
138022366133952767 Thu Oct 19 11:33:32 UTC 2023   Sun Nov 26 11:33:32 UTC 2028   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
138022392400080904 Thu Oct 19 11:33:58 UTC 2023   Sun Nov 26 11:33:58 UTC 2028   [email protected],OU=c1bec48f-4c89-4edf-92a9-b63e842a1ceb,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
138022394309457306 Thu Oct 19 11:34:00 UTC 2023   Sun Nov 26 11:34:00 UTC 2028   [email protected],OU=da59dc71-12d2-4a77-a0bd-213491613bc2,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
138022935946339912 Thu Oct 19 11:43:02 UTC 2023   Sun Nov 26 11:43:02 UTC 2028   [email protected],OU=8c24b790-06a8-4670-97a8-94656d9a13c9,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00 [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{code}
_ozn-decom56-4.ozn-decom56.xyz_ was newly decommissioned and got its cert at Thu Oct 19 11:43:02 UTC 2023.
In the issuer section, can still see that it's signed by scm-1, whereas it should have been issued by scm-sub.
{noformat}
[email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{noformat}



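Added example (not part of the original report and not Ozone's own code): a Python check that parses a certificate listing in the column layout shown in the report, including the line-wrapped form a mail archive produces, and returns the serials of certs issued directly by the self-signed root. The CN values, hostnames and serials in `SAMPLE` are constructed, and the `scm-sub` prefix for sub-CA subjects is an assumption taken from the names used in the report.

```python
import re

DATE = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}"
# DNs in the listing contain no whitespace, so \s+ between fields also
# absorbs the line breaks introduced when the table is wrapped.
ROW = re.compile(rf"^(\d+)\s+({DATE})\s+({DATE})\s+(\S+)\s+(\S+)", re.M)
SUB_CA_PREFIX = "scm-sub"  # assumption: CN prefix of a sub-CA, per the report
FIELDS = ("serial", "valid_from", "expiry", "subject", "issuer")

# Constructed sample: row 1001 is wrapped the way the mail archive wraps rows.
SAMPLE = """\
SerialNumber      Valid From                     Expiry                         Subject  Issuer
1                 Thu Oct 19 11:33:32 UTC 2023   Sun Nov 26 11:33:32 UTC 2028   CN=scm-1@scm1.example.test,OU=u-root,O=CID-x CN=scm-1@scm1.example.test,OU=u-root,O=CID-x
1001 Thu Oct 19 11:33:40 UTC 2023   Sun Nov 26 11:33:40 UTC 2028
CN=scm-sub@scm1.example.test,OU=u-root,O=CID-x
 CN=scm-1@scm1.example.test,OU=u-root,O=CID-x
1002 Thu Oct 19 11:33:58 UTC 2023   Sun Nov 26 11:33:58 UTC 2028   CN=scm@scm2.example.test,OU=u-2,O=CID-x CN=scm-sub@scm1.example.test,OU=u-root,O=CID-x
1003 Thu Oct 19 11:43:02 UTC 2023   Sun Nov 26 11:43:02 UTC 2028   CN=scm@scm4.example.test,OU=u-4,O=CID-x CN=scm-1@scm1.example.test,OU=u-root,O=CID-x
"""


def cn(dn):
    """Return the CN value of a comma-separated DN such as CN=x,OU=y,O=z."""
    for part in dn.split(","):
        if part.startswith("CN="):
            return part[3:]
    return ""


def parse(listing):
    """Turn the listing text into one dict per certificate row."""
    return [dict(zip(FIELDS, m.groups())) for m in ROW.finditer(listing)]


def signed_directly_by_root(listing):
    """Serials of certs issued by a self-signed root that are not sub-CA certs."""
    certs = parse(listing)
    roots = {c["subject"] for c in certs if c["subject"] == c["issuer"]}
    return [c["serial"] for c in certs
            if c["issuer"] in roots                  # issued by the root CA
            and c["subject"] not in roots            # not the root itself
            and not cn(c["subject"]).startswith(SUB_CA_PREFIX)]


if __name__ == "__main__":
    print(signed_directly_by_root(SAMPLE))
```

Running the same check before and after a recommission shows whether a newly issued cert chains to the sub-CA or directly to the root.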