Expand Up @@ -53,8 +53,6 @@
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;

import com.google.common.annotations.VisibleForTesting;
Expand Down Expand Up @@ -122,20 +120,11 @@ public abstract class DefaultCertificateClient implements CertificateClient {
private KeyStoresFactory serverKeyStoresFactory;
private KeyStoresFactory clientKeyStoresFactory;

// Lock to protect the certificate renew process, to make sure there is only
// one renew process is ongoing at one time.
// Certificate renew steps:
// 1. generate new keys and sign new certificate, persist all data to disk
// 2. switch on disk new keys and certificate with current ones
// 3. save new certificate ID into service VERSION file
// 4. refresh in memory certificate ID and reload all new certificates
private Lock renewLock = new ReentrantLock();

private ScheduledExecutorService executorService;
private Consumer<String> certIdSaveCallback;
private Runnable shutdownCallback;
private SCMSecurityProtocolClientSideTranslatorPB scmSecurityProtocolClient;
private Set<CertificateNotification> notificationReceivers;
private final Set<CertificateNotification> notificationReceivers;
private static UserGroupInformation ugi;

protected DefaultCertificateClient(SecurityConfig securityConfig, Logger log,
Expand Down Expand Up @@ -935,7 +924,8 @@ public void registerNotificationReceiver(CertificateNotification receiver) {
@Override
public synchronized void close() throws IOException {
if (executorService != null) {
executorService.shutdown();
executorService.shutdownNow();
executorService = null;
}

if (serverKeyStoresFactory != null) {
Expand Down Expand Up @@ -1249,9 +1239,14 @@ public CertificateLifetimeMonitor(CertificateClient client) {

@Override
public void run() {

renewLock.lock();
try {
// Lock to protect the certificate renew process, to make sure there is
// only one renew process is ongoing at one time.
// Certificate renew steps:
// 1. generate new keys and sign new certificate, persist data to disk
// 2. switch on disk new keys and certificate with current ones
// 3. save new certificate ID into service VERSION file
// 4. refresh in memory certificate ID and reload all new certificates
synchronized (DefaultCertificateClient.class) {
X509Certificate currentCert = getCertificate();
Duration timeLeft = timeBeforeExpiryGracePeriod(currentCert);
if (timeLeft.isZero()) {
Expand Down Expand Up @@ -1288,8 +1283,6 @@ public void run() {
notificationReceivers.forEach(r -> r.notifyCertificateRenewed(
certClient, currentCert.getSerialNumber().toString(), newCertId));
}
} finally {
renewLock.unlock();
}
}
}
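Review bot: The monitor chosen at `synchronized (DefaultCertificateClient.class)` in run() turns what was a per-instance `ReentrantLock` into a JVM-wide lock on a publicly reachable object: every DefaultCertificateClient in the process now serializes its renewals with every other one, and any code that can name the class can hold that monitor and stall certificate renewal indefinitely. If process-wide exclusion is intended, a dedicated private monitor keeps the scope without the exposure, e.g. `private static final Object RENEW_LOCK = new Object();` and `synchronized (RENEW_LOCK) {`; if it is not, `synchronized (this)` matches the relocated comment, whose four steps only describe one client's own keys, VERSION file and in-memory state. The relocated comment should also state why the lock is now static, since the removed field-level version never claimed cross-instance exclusion. Separately, the switch to `executorService.shutdownNow()` in close() sends an interrupt to a renewal that may be mid-way through steps 2–3 (the on-disk swap); whether those steps tolerate an interrupt is not visible here and is worth confirming. run() continues outside the hunk between the `if (timeLeft.isZero())` branch and the notification loop.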