Re: [PR] HDDS-8829. Symmetric Keys for Delegation Tokens [ozone]

Fri, 08 Nov 2024 10:21:12 -0800 


duongkame commented on code in PR #7394:
URL: https://github.com/apache/ozone/pull/7394#discussion_r1833544138


##########
hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto:
##########
@@ -1458,6 +1458,7 @@ message OMTokenProto {
     optional string signature      = 13;
     optional string strToSign      = 14;
     optional string omServiceId    = 15;
+    optional string secretKeyId    = 16;

Review Comment:
   Deprecated `omCertSerialId`?



##########
hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/security/OzoneTokenIdentifier.java:
##########
@@ -326,6 +359,18 @@ public String getOmCertSerialId() {
 
   public void setOmCertSerialId(String omCertSerialId) {
     this.omCertSerialId = omCertSerialId;
+    Preconditions.checkArgument(this.omCertSerialId == null || 
this.secretKeyId == null,

Review Comment:
   nit: this would not validate it. Imagine you have `omCertSerialId` already 
set, then call `setOmCertSerialId`. The condition is passed because of the `||` 
operator.



##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java:
##########
@@ -195,9 +209,15 @@ public Token<OzoneTokenIdentifier> createToken(Text owner, 
Text renewer,
     OzoneTokenIdentifier identifier = createIdentifier(owner, renewer,
         realUser);
     updateIdentifierDetails(identifier);
-
-    byte[] password = createPassword(identifier.getBytes(),
-        getCurrentKey().getPrivateKey());
+    byte[] password;
+    if 
(ozoneManager.getVersionManager().isAllowed(OMLayoutFeature.DELEGATION_TOKEN_SYMMETRIC_SIGN))
 {

Review Comment:
   We may not need a new layout version. This looks like a compatible change.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to