Use of org.apache.hadoop.ozone.om.ha.OMHANodeDetails in the Apache Ozone project.

From the class OzoneManager, method getSCMSignedCert.

/**
 * Requests an SCM-signed certificate for this OM and persists it through the
 * certificate client.
 *
 * <p>Builds a CSR from the client's existing key pair, sends it to SCM together
 * with this OM's details (host, IP, UUID, RPC port), then stores the returned
 * CA certificate, the OM certificate and, when present, the root CA
 * certificate. The OM certificate's serial id is recorded in {@code omStore}.
 *
 * @param client certificate client holding the OM key pair; receives the stored certificates
 * @param config configuration used to resolve the OM RPC address, HA details and the SCM security client
 * @param omStore OM storage providing the cluster/OM ids and receiving the cert serial id
 * @param scmId id of the SCM that signs the certificate
 * @throws IOException propagated from the current-user lookup and the underlying calls
 * @throws RuntimeException if the OM RPC address is unusable, the SCM response carries no CA
 *     certificate, or storing the certificates fails (the original {@link IOException} or
 *     {@link CertificateException} is attached as the cause)
 */
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
    CertificateSignRequest.Builder csrBuilder = client.getCSRBuilder();
    KeyPair omKeyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
    InetSocketAddress rpcAddress = OmUtils.getOmAddress(config);
    // Guard clause: without a resolvable address there is nothing to put in the CSR.
    if (rpcAddress == null || rpcAddress.getAddress() == null) {
        LOG.error("Incorrect om rpc address. omRpcAdd:{}", rpcAddress);
        throw new RuntimeException("Can't get SCM signed certificate. " + "omRpcAdd: " + rpcAddress);
    }
    String dnsName = rpcAddress.getAddress().getHostName();
    String ipAddress = rpcAddress.getAddress().getHostAddress();
    // The subject carries the OM user only when a DNS alt-name is present; with
    // only an IP alt-name, a non-hostname subject would fail certificate validation.
    String certSubject = csrBuilder.hasDnsName()
        ? UserGroupInformation.getCurrentUser().getShortUserName() + "@" + dnsName
        : dnsName;
    csrBuilder.setCA(false)
        .setKey(omKeyPair)
        .setConfiguration(config)
        .setScmID(scmId)
        .setClusterID(omStore.getClusterID())
        .setSubject(certSubject);
    // An HA service id, when configured, is added as an extra service name on the CSR.
    OMHANodeDetails haDetails = OMHANodeDetails.loadOMHAConfig(config);
    String omServiceId = haDetails.getLocalNodeDetails().getServiceId();
    if (!StringUtils.isEmpty(omServiceId)) {
        csrBuilder.addServiceName(omServiceId);
    }
    LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{},subject:{}", dnsName, ipAddress, scmId, omStore.getClusterID(), certSubject);
    HddsProtos.Port rpcPort = HddsProtos.Port.newBuilder()
        .setName(RPC_PORT)
        .setValue(rpcAddress.getPort())
        .build();
    HddsProtos.OzoneManagerDetailsProto omDetails = HddsProtos.OzoneManagerDetailsProto.newBuilder()
        .setHostName(rpcAddress.getHostName())
        .setIpAddress(ipAddress)
        .setUuid(omStore.getOmId())
        .addPorts(rpcPort)
        .build();
    PKCS10CertificationRequest signingRequest = csrBuilder.build();
    LOG.info("OzoneManager ports added:{}", omDetails.getPortsList());
    SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
    // NOTE(review): scmSecurityClient is never closed here — confirm whether it
    // holds an RPC proxy that should be released once the chain is retrieved.
    SCMGetCertResponseProto certResponse = scmSecurityClient.getOMCertChain(omDetails, getEncodedString(signingRequest));
    String signedCertPem = certResponse.getX509Certificate();
    // Refuse to store anything unless SCM also returned its CA certificate.
    if (!certResponse.hasX509CACertificate()) {
        throw new RuntimeException("Unable to retrieve OM certificate " + "chain");
    }
    try {
        // NOTE(review): nothing in this method checks that the returned certificate's
        // public key matches omKeyPair or that it chains to the CA certificate stored
        // below — confirm whether storeCertificate performs that validation.
        String caCertPem = certResponse.getX509CACertificate();
        client.storeCertificate(caCertPem, true, true);
        client.storeCertificate(signedCertPem, true);
        // The root CA certificate is optional in the response.
        if (certResponse.hasX509RootCACertificate()) {
            client.storeRootCACertificate(certResponse.getX509RootCACertificate(), true);
        }
        // Record the issued certificate's serial id so the OM can identify its own cert later.
        String serialId = CertificateCodec.getX509Certificate(signedCertPem).getSerialNumber().toString();
        omStore.setOmCertSerialId(serialId);
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}
