HDDS-7398. Tool to remove old certs from the scm db #3972
Conversation
Galsza
changed the title
adoroszlai
left a comment
adoroszlai
left a comment
There was a problem hiding this comment.
Thanks @Galsza for the patch. Looks good overall.
Executing the following command (even on a datanode) returns success (rc=0), no error messages.
ozone admin cert clean --db /tmp --name asdf
I guess it should complain about not being able to open the DB.
| import org.apache.hadoop.hdds.utils.db.cache.TableCache.CacheType; | ||
|
|
||
| import java.io.File; | ||
| import java.io.IOException; | ||
| import java.util.ArrayList; | ||
| import java.util.Iterator; | ||
| import java.util.List; | ||
| import java.util.Map; |
There was a problem hiding this comment.
Please avoid moving around imports.
There was a problem hiding this comment.
There are also imports movings in other java files.
| @CommandLine.Option(names = {"--db"}, | ||
| required = true, | ||
| description = "Database metadata directory") | ||
| private String dbDirectory; | ||
|
|
||
| @CommandLine.Option(names = {"--name"}, | ||
| required = true, | ||
| description = "Database file name") | ||
| private String dbName; |
There was a problem hiding this comment.
For convenience I would prefer having a single option, then splitting dirname/filename.
| */ | ||
| @CommandLine.Command( | ||
| name = "clean", | ||
| description = "Clean expired certificates from the SCM metadata", |
There was a problem hiding this comment.
Please add description about that this command only support to run when scm is shutdown.
| configuration, new File(dbDirectory), dbName, new SCMDBDefinition())) { | ||
| removeExpiredCertificates(dbStore); | ||
| } catch (IOException e) { | ||
| System.out.println("Error trying to open" + dbName + |
There was a problem hiding this comment.
Please include the exception reason or message in the output error message.
| } | ||
| } | ||
| } catch (IOException e) { | ||
| System.out.println("Error when trying to open certificate table from db"); |
There was a problem hiding this comment.
Please include the detail error cause.
|
@Galsza Thanks for the work. I was just wondering, is it also an option to add this feature as a daemon service in SCM, so that we don't have to do the cleaning manually? |
Restore import order, add detailed exception message and use only one parameter for the db.
@symious Thanks for the comment. This is more of a housekeeping tool for older certificates. There is no need to add this feature as a daemon in SCM. The current plan for certificate rotation is that whenever a certificate is about the expire a new one will be created. This new certificate is used after instead of the old one. After some propagation time, when we can finally ensure that the old certificate is successfully replaced everywhere by the new one, the old certificate can be safely removed, which would be done there. |
Restore import order, add detailed exception message and use only one parameter for the db.
| metaTable = META.getTable(store); | ||
|
|
||
| checkAndPopulateTable(moveTable, META.getName()); | ||
| checkAndPopulateTable(metaTable, META.getName()); |
There was a problem hiding this comment.
Ouch...
Fortunately this affects just metrics as I see the tableMap that is populated here is not used elsewhere...
I believe this is irrelevant for the CLI tool, and this should be in a separate patch under a separate JIRA describing the problem we fix, and we should not hide it here.
fapifta
left a comment
fapifta
left a comment
There was a problem hiding this comment.
Hi @Galsza thank you for taking this on, the patch overall seems to be good, and you had a very nice catch in the db definition. Let's extract that from this patch as it is irrelevant, and I am happy to +1 and commit this change.
As noted for that typo fix we should have a separate JIRA outlining the issue we had due to the typo ;)
fapifta
left a comment
fapifta
left a comment
There was a problem hiding this comment.
Thank you for your work on this @Galsza the changes look good, and as I see all the comments were addressed.
@ChenSammi @adoroszlai @symious please let me know if you have any further comments. if not, I will merge this before EOW.
* master: (88 commits) HDDS-7463. SCM Pipeline scrubber never able to cleanup allocated pipeline. (apache#4093) HDDS-7683. EC: ReplicationManager - UnderRep maintenance handler should not request nodes if none needed (apache#4109) HDDS-7635. Update failure metrics when allocate block fails in preExecute. (apache#4086) HDDS-7565. FSO purge directory for old bucket can update quota for new bucket (apache#4021) HDDS-7654. EC: ReplicationManager - merge mis-rep queue into under replicated queue (apache#4099) HDDS-7621. Update SCM term in datanode from heartbeat without any commands (apache#4101) HDDS-7649. S3 multipart upload EC release space quota wrong for old version (apache#4095) HDDS-7399. Enable specifying external root ca (apache#4053) HDDS-7398. Tool to remove old certs from the scm db (apache#3972) HDDS-6650. S3MultipartUpload support update bucket usedNamespace. (apache#4081) HDDS-7605. Improve logging in Container Balancer (apache#4067) HDDS-7616. EC: Refactor Unhealthy Replicated Processor (apache#4063) HDDS-7426. Add a new acceptance test for Streaming Pipeline. (apache#4019) HDDS-7478. [Ozone-Streaming] NPE in when creating a file with o3fs. (apache#3949) HDDS-7425. Add documentation for the new Streaming Pipeline feature. (apache#3913) HDDS-7438. [Ozone-Streaming] Add a createStreamKey method to OzoneBucket. (apache#3914) HDDS-7431. [Ozone-Streaming] Disable data steam by default. (apache#3900) HDDS-6955. [Ozone-streaming] Add explicit stream flag in ozone shell (apache#3559) HDDS-6867. [Ozone-Streaming] PutKeyHandler should not use streaming to put EC key. (apache#3516) HDDS-6842. [Ozone-Streaming] Reduce the number of watch requests in StreamCommitWatcher. (apache#3492) ...
5 participants
What changes were proposed in this pull request?
Create a command line tool to remove expired certificates from the SCM metadata store.
What is the link to the Apache JIRA
HDDS-7398
How was this patch tested?
Added unit test for the command. There is also an ongoing test with a real cluster to see if the certs really get removed.