Example 1 with OMHANodeDetails
use of org.apache.hadoop.ozone.om.ha.OMHANodeDetails in project ozone by apache.
the class OzoneManager method getSCMSignedCert.
/**
* Get SCM signed certificate and store it using certificate client.
*/
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
CertificateSignRequest.Builder builder = client.getCSRBuilder();
KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
InetSocketAddress omRpcAdd;
omRpcAdd = OmUtils.getOmAddress(config);
if (omRpcAdd == null || omRpcAdd.getAddress() == null) {
LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAdd);
throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + omRpcAdd);
}
// Get host name.
String hostname = omRpcAdd.getAddress().getHostName();
String ip = omRpcAdd.getAddress().getHostAddress();
String subject;
if (builder.hasDnsName()) {
subject = UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname;
} else {
// With only IP in alt.name, certificate validation would fail if subject
// isn't a hostname either, so omit username.
subject = hostname;
}
builder.setCA(false).setKey(keyPair).setConfiguration(config).setScmID(scmId).setClusterID(omStore.getClusterID()).setSubject(subject);
OMHANodeDetails haOMHANodeDetails = OMHANodeDetails.loadOMHAConfig(config);
String serviceName = haOMHANodeDetails.getLocalNodeDetails().getServiceId();
if (!StringUtils.isEmpty(serviceName)) {
builder.addServiceName(serviceName);
}
LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{}," + "subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);
HddsProtos.OzoneManagerDetailsProto.Builder omDetailsProtoBuilder = HddsProtos.OzoneManagerDetailsProto.newBuilder().setHostName(omRpcAdd.getHostName()).setIpAddress(ip).setUuid(omStore.getOmId()).addPorts(HddsProtos.Port.newBuilder().setName(RPC_PORT).setValue(omRpcAdd.getPort()).build());
PKCS10CertificationRequest csr = builder.build();
HddsProtos.OzoneManagerDetailsProto omDetailsProto = omDetailsProtoBuilder.build();
LOG.info("OzoneManager ports added:{}", omDetailsProto.getPortsList());
SCMSecurityProtocolClientSideTranslatorPB secureScmClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
SCMGetCertResponseProto response = secureScmClient.getOMCertChain(omDetailsProto, getEncodedString(csr));
String pemEncodedCert = response.getX509Certificate();
try {
// Store SCM CA certificate.
if (response.hasX509CACertificate()) {
String pemEncodedRootCert = response.getX509CACertificate();
client.storeCertificate(pemEncodedRootCert, true, true);
client.storeCertificate(pemEncodedCert, true);
// Store Root CA certificate if available.
if (response.hasX509RootCACertificate()) {
client.storeRootCACertificate(response.getX509RootCACertificate(), true);
}
// Persist om cert serial id.
omStore.setOmCertSerialId(CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString());
} else {
throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
}
} catch (IOException | CertificateException e) {
LOG.error("Error while storing SCM signed certificate.", e);
throw new RuntimeException(e);
}
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
KeyPair(java.security.KeyPair)
OMHANodeDetails(org.apache.hadoop.ozone.om.ha.OMHANodeDetails)
SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB)
InetSocketAddress(java.net.InetSocketAddress)
CertificateException(java.security.cert.CertificateException)
CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
IOException(java.io.IOException)
UncheckedIOException(java.io.UncheckedIOException)
SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto)
HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos)
CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)
Aggregations
IOException (java.io.IOException)1
UncheckedIOException (java.io.UncheckedIOException)1
InetSocketAddress (java.net.InetSocketAddress)1
KeyPair (java.security.KeyPair)1
CertificateException (java.security.cert.CertificateException)1
HddsProtos (org.apache.hadoop.hdds.protocol.proto.HddsProtos)1
SCMGetCertResponseProto (org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto)1
SCMSecurityProtocolClientSideTranslatorPB (org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB)1
CertificateSignRequest (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)1
CertificateSignRequest.getEncodedString (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)1
OMHANodeDetails (org.apache.hadoop.ozone.om.ha.OMHANodeDetails)1
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)1
