diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
index ecc92debdf95..1fe22a45c9a9 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/SecurityConfig.java
@@ -186,12 +186,7 @@ public SecurityConfig(ConfigurationSource configuration) {
 HDDS_X509_RENEW_GRACE_DURATION_DEFAULT);
 renewalGracePeriod = Duration.parse(renewalGraceDurationString);
- if (maxCertDuration.compareTo(defaultCertDuration) < 0) {
- LOG.error("Certificate duration {} should not be greater than Maximum " + "Certificate duration {}", maxCertDuration, defaultCertDuration);
- throw new IllegalArgumentException("Certificate duration should not be " + "greater than maximum Certificate duration");
- }
+ validateCertificateValidityConfig();
 this.externalRootCaCert = this.configuration.get(
 HDDS_X509_ROOTCA_CERTIFICATE_FILE,
@@ -228,6 +223,44 @@ public SecurityConfig(ConfigurationSource configuration) {
 TimeUnit.MILLISECONDS);
 }
+ /**
+ * Check for certificate validity configuration.
+ */
+ private void validateCertificateValidityConfig() {
+ if (maxCertDuration.isNegative() || maxCertDuration.isZero()) {
+ String msg = "Property " + HDDS_X509_MAX_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (defaultCertDuration.isNegative() || defaultCertDuration.isZero()) {
+ String msg = "Property " + HDDS_X509_DEFAULT_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (renewalGracePeriod.isNegative() || renewalGracePeriod.isZero()) {
+ String msg = "Property " + HDDS_X509_RENEW_GRACE_DURATION +
+ " should not be zero or negative";
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+
+ if (maxCertDuration.compareTo(defaultCertDuration) < 0) {
+ String msg = "Property " + HDDS_X509_DEFAULT_DURATION +
+ " should not be greater than Property " + HDDS_X509_MAX_DURATION;
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ if (defaultCertDuration.compareTo(renewalGracePeriod) < 0) {
+ String msg = "Property " + HDDS_X509_RENEW_GRACE_DURATION +
+ " should not be greater than Property " +
+ HDDS_X509_DEFAULT_DURATION;
+ LOG.error(msg);
+ throw new IllegalArgumentException(msg);
+ }
+ }
+
 /**
 * Returns the CRL Name.
 *
diff --git a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
index ebb8e97ba44c..861f7ca8c4c4 100644
--- a/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
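Review bot: The last guard in validateCertificateValidityConfig rejects only a grace period strictly longer than the default lifetime, so equal values (compareTo returning 0) pass and a certificate would sit inside its renewal window from the moment it is issued; if that is not intended, tighten it to `if (defaultCertDuration.compareTo(renewalGracePeriod) <= 0) {` and reword the message to "should be shorter than". The Javadoc "Check for certificate validity configuration." should state the invariant the method enforces and how it fails, e.g. `Validates that the configured certificate durations are positive and that the renewal grace period does not exceed the default duration, which in turn does not exceed the maximum duration.` followed by `@throws IllegalArgumentException if any duration is zero or negative, or if the ordering is violated`. The five repeated `LOG.error(msg); throw new IllegalArgumentException(msg);` pairs would also read better routed through one private helper that logs and throws.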
+++ b/hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/container/ozoneimpl/TestOzoneContainerWithTLS.java
@@ -74,6 +74,7 @@
 import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SECURITY_SSL_KEYSTORE_RELOAD_INTERVAL;
 import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_SECURITY_SSL_TRUSTSTORE_RELOAD_INTERVAL;
 import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_DEFAULT_DURATION;
+import static org.apache.hadoop.hdds.HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION;
 import static org.apache.hadoop.hdds.HddsConfigKeys.OZONE_METADATA_DIRS;
 import static org.apache.hadoop.hdds.scm.ScmConfigKeys.HDDS_DATANODE_DIR_KEY;
 import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
@@ -131,9 +132,11 @@ public void setup() throws Exception {
 conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
 conf.setInt(HDDS_KEY_LEN, 1024);
+ // certificate lives for 10s
 conf.set(HDDS_X509_DEFAULT_DURATION, Duration.ofMillis(certLifetime).toString());
+ conf.set(HDDS_X509_RENEW_GRACE_DURATION, "PT2S");
 conf.set(HDDS_SECURITY_SSL_KEYSTORE_RELOAD_INTERVAL, "1s");
 conf.set(HDDS_SECURITY_SSL_TRUSTSTORE_RELOAD_INTERVAL, "1s");
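Review bot: The added comment `// certificate lives for 10s` hard-codes a number while the value actually set comes from `certLifetime`, which is declared outside this hunk, so the comment will silently drift if that constant changes. It also says nothing about why the new `"PT2S"` grace period is chosen, even though SecurityConfig now rejects a grace period longer than the default duration, which is the real coupling a reader of setup() needs. Suggest `// certificate lives for certLifetime ms; the renewal grace period below must stay shorter than that or SecurityConfig rejects the configuration`. setup() continues past the end of the hunk.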