Source file: SNIA-SDC23-Fajth-Re-thinking-Security-in-a-Distributed-Storage-System_0.pdf (81 pages).
Virtual Conference, September 28-29, 2021

Slide 1: Re-thinking security in a distributed storage system
Apache Ozone Security
Istvan Fajth, Apache Ozone PMC, Cloudera Inc.

Slide 2: Agenda
- A brief project overview
- Security in Apache Ozone
- Tokens
- Public Key Infrastructure

Part 1: A brief project overview

Slide 3: Apache Ozone

Slide 4: Timeline (2003, 2006, 2009, 2014, 2018)
- Papers: GFS, MapReduce
- Sub-projects: Common, HDFS, MapReduce, YARN
- HDFS-7240: Scaling HDFS

Apache Ozone is a highly scalable, distributed storage for Analytics, Big Data and Cloud Native applications. Ozone supports S3 compatible object APIs as well as a Hadoop Compatible File System implementation. It is optimized for both efficient object store and file system operations.

Slide 5: Namespace model
/ -> volume 1, volume 2, ..., volume n, S3 volume -> bucket 1, bucket 2, ..., bucket n -> key 1, key 2, ..., key n

           Object Store      FileSystem
  Volume   A bucket group    Top level directory
  Bucket   A bucket          Directory in a top level directory
  Key      A key             Directory or file in a bucket or directory

Slide 6: Architecture
- Ozone Client Layer: Ozone FileSystem API, Ozone CLI, S3 Gateway, HTTPFS Gateway, Ozone Native RPC Client
- Ozone Metadata Layer: Ozone Manager (three instances)
- HDDS Storage Layer: Storage Container Manager (three instances), Ozone Datanode (three instances)
- Ozone Monitoring: Ozone Recon
- Flows shown: Metadata operations, Data Transfer, Data Replication

Slide 8: Ozone Manager replication
- Three Ozone Managers: one Leader, two Followers
- Replication between them

Part 2: Security in Apache Ozone (slide 9)

Slide 10: Authentication
Same architecture diagram with Clients added; the authentication mechanisms labelled on the connections are:
- Kerberos / DT (delegation token)
- Secret and access key
- Kerberos SPNEGO
- Kerberos
- Container and Block Token
- Kerberos SPNEGO

Slide 12: Authorization (enforced in the Ozone Metadata Layer, i.e. the Ozone Managers)
- IAccessAuthorizer
- OzoneAccessAuthorizer
- OzoneNativeAuthorizer
- RangerOzoneAuthorizer

Slide 13: At rest encryption - write
Components: Ozone Client, Ozone Managers, Storage Container Managers, Ozone Datanodes, Key Management Server, Hardware Security Module, Ozone Admin.
1. hadoop admin key create enckey
2. ozone sh bucket create -k enckey vol1/enc_buck
3. ozone sh key put vol1/enc_buck/key /tmp/testfile
   3.1. putKey request
   3.2. optional: generate Data Encryption Key
   3.3. decrypt Encrypted Data Encryption Key
   3.4. send encrypted data
   3.5. commitKey request

Slide 14: At rest encryption - read
1. ozone sh key get vol1/enc_buck/key
2. decrypt Encrypted Data Encryption Key
3. read encrypted data and decrypt

Part 3: Tokens (slide 15)

Slide 16: Token
- Token: TokenIdentifier, Password, Kind, Service, Renewer
- TokenIdentifier: Kind, User, TrackingID, implementation dependent identification information

Slide 18: Tokens in communication
- Distributed Job Driver: Get / Renew / Cancel Delegation Token
- Ozone Client: Try to access a key
- Acquire Container Info
- Return Container Info and Token
- Return key info with block and container Tokens
- Ozone Client: Send Data and acquired Tokens
- Token verification

Slide 19: 100x speedup in request processing? Really?
- Asymmetric key signatures are expensive.
- Ozone tokens were signed by a 2048 bit RSA key used in the PKI.
- RSA signing dominated the affected RPCs (80% runtime share).
- Introducing symmetric keys helped: signature generation is down from the 1-2 ms range to the 10-30 µs range.
- But how can we have a shared secret securely distributed?

Slide 21: Symmetric Key Distribution
Components: Storage Container Managers (Leader, Follower, Follower; Raft replication), Ozone Datanodes, Ozone Managers.
- Request arrives; OM needs to issue a token. If the OM has the current key, it issues the token; otherwise it acquires the current key first.
- Request arrives; Datanode needs to validate a token. If the Datanode has the key referenced in the token, it verifies the token; otherwise it acquires that key first.

Slide 22: Symmetric Key Rotation
- Same components, Raft replication
- Current Key: Key 7; previous keys: Key 1, Key 2, Key 3, Key 4, Key 5, Key 6
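The issue-and-verify flows of the two slides above, as an added example (not code from the deck or from Apache Ozone): a key ring of the current key plus six previous ones, an OM that signs block tokens with the current key, and a Datanode that fetches the key named in a token only on a cache miss and rejects tokens whose key has been rotated out or has expired. HMAC-SHA256 as the symmetric primitive, the class names and the token fields are this example's assumptions.

```python
"""Constructed model of Ozone-style block tokens signed with rotating symmetric
keys (HMAC-SHA256) instead of a 2048-bit RSA key. Names are this example's own,
not Apache Ozone's; timestamps are passed explicitly to keep the flow deterministic."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class SecretKey:
    key_id: int
    material: bytes
    expiry: float  # tokens referencing this key are rejected after this time

class KeyManager:
    """Stands in for the SCM leader: owns the key ring and rotates the current key
    (in the deck this state is Raft-replicated to the follower SCMs)."""
    def __init__(self, now, key_lifetime=3600.0, keep=6):
        self.keys = {}  # key_id -> SecretKey
        self.current_id = 0
        self.lifetime, self.keep = key_lifetime, keep  # keep = previous keys retained
        self.rotate(now)

    def rotate(self, now):
        self.current_id += 1
        self.keys[self.current_id] = SecretKey(self.current_id, os.urandom(32), now + self.lifetime)
        for kid in sorted(self.keys)[:-(self.keep + 1)]:
            del self.keys[kid]  # rotated out: tokens signed with it can no longer verify

    def get(self, key_id):
        return self.keys.get(key_id)

def sign(key, identifier):
    """Password = HMAC(key, canonical TokenIdentifier); the key_id travels inside the identifier."""
    payload = json.dumps(identifier, sort_keys=True).encode()
    return hmac.new(key.material, payload, hashlib.sha256).digest()

class OzoneManager:
    """Issues tokens; asks the KeyManager for the current key only on a cache miss."""
    def __init__(self, km):
        self.km, self.cached = km, None

    def issue_block_token(self, user, block_id, now, ttl=600):
        if self.cached is None or self.cached.key_id != self.km.current_id:
            self.cached = self.km.get(self.km.current_id)  # "OM acquires the current key"
        ident = {"kind": "HDDS_BLOCK_TOKEN", "user": user, "tracking_id": os.urandom(8).hex(),
                 "block_id": block_id, "key_id": self.cached.key_id, "expiry": now + ttl}
        return {"identifier": ident, "password": sign(self.cached, ident).hex(),
                "kind": ident["kind"], "service": "hdds"}

class Datanode:
    """Verifies tokens; fetches the referenced key only if it does not hold it yet."""
    def __init__(self, km):
        self.km, self.known = km, {}

    def verify(self, token, now):
        ident = token["identifier"]
        key = self.known.get(ident["key_id"])
        if key is None:
            key = self.km.get(ident["key_id"])  # "Datanode acquires the key in the token"
            if key is None:
                return False  # key never existed or has been rotated out
            self.known[key.key_id] = key
        if now > key.expiry or now > ident["expiry"]:
            return False  # key lifetime or token TTL exceeded
        return hmac.compare_digest(bytes.fromhex(token["password"]), sign(key, ident))
```

A Datanode that already cached a key keeps honouring it until the key's own expiry, so rotating a key out of the ring only stops nodes that have not yet fetched it; the key lifetime is what bounds exposure.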
51、econOzone ClientInternal PKI system-bootstrap26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-bootstrapPrimordial node-init26Ozone ManagerOzone Mana
52、gerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-bootstrapPrimordial node-initrootCA server26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Containe
53、r ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-bootstrapPrimordial node-initrootCA serversub-CA server26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone Data
54、nodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-bootstrapPrimordial node-initrootCA serversub-CA serverCSR26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone Rec
55、onOzone ClientInternal PKI system-bootstrapPrimordial node-initrootCA serversub-CA serverx509 certificate26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI s
56、ystem-bootstraprootCA serversub-CA serverNode-startNode-bootstrapNode-bootstrapsub-CA serversub-CA server26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI s
57、ystem-bootstraprootCA serversub-CA serverNode-startNode-bootstrapNode-bootstrapsub-CA serversub-CA serverCSR26Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PK
58、I system-bootstraprootCA serversub-CA serverNode-startNode-bootstrapNode-bootstrapsub-CA serversub-CA serverx509 certificate27Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone C
59、lientInternal PKI system-bootstrapsub-CA serversub-CA serversub-CA serverLeaderFollowerFollower27Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-boot
60、strapsub-CA serversub-CA serversub-CA serverLeaderFollowerFollowerCert clientCert clientCert client27Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-
61、bootstrapsub-CA serversub-CA serversub-CA serverLeaderFollowerFollowerCert clientCert clientCert clientCSR27Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI
62、system-bootstrapsub-CA serversub-CA serversub-CA serverLeaderFollowerFollowerCert clientCert clientCert clientX509 Certificate28Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone
63、 ClientInternal PKI system-client interactionsLeaderFollowerFollower28Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-client interactionsLeaderFollow
64、erFollowergetServiceInfo28Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-client interactionsLeaderFollowerFollowerrootCA certificate28Ozone ManagerO
65、zone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientInternal PKI system-client interactionsLeaderFollowerFollowertrust based on rootCA cert29Ozone ManagerOzone ManagerOzone ManagerStorage
66、 Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientCommunication using mTLSFollowerFollowerLeaderFollowerFollowerLeader31Certificate Client responsibilitiesCreation of key material and certificateRotation of certificat
67、e upon expirationDownload and store rootCA certificateInitialize and refresh custom Java keystoreRefresh rootCA certificate upon renewalProvide TLS setup information for connectionsInitialize and refresh custom Java truststore32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage
68、Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificate32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone Datanode
69、Ozone DatanodeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificate1st step:Leader SCM creates a new rootCA certificate32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzon
70、e ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificate2nd step:Leader SCM initiates rootCA rotation via Raft32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone Cli
71、entFollowerFollowerLeaderRotating rootCA certificate3rd step:Followers create new CSR and get back their certs signed by the new rootCA32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone R
72、econOzone ClientFollowerFollowerLeaderRotating rootCA certificate4th step:Followers ack the rootCA rotation32Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientFollowerFoll
73、owerLeaderRotating rootCA certificate5th step:Leader commits the rotation to Raft.New rootCA certificate is available to download for any clients33Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone Datan
74、odeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificate33Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certif
75、icate6th step:CertificateClients poll for new rootCA certificate33Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificate7th st
76、ep:Ozone Manager starts to serve both rootCA certificatesgetServiceInfo33Ozone ManagerOzone ManagerOzone ManagerStorage Container ManagerStorage Container ManagerStorage Container ManagerOzone DatanodeOzone DatanodeOzone DatanodeOzone ReconOzone ClientFollowerFollowerLeaderRotating rootCA certificat
77、e8th step:Clients create their certificates signed by the new sub-CA certsgetServiceInfo34FutureStreamlined certificate revocationSimple tools to ensure the right to be forgottenPluggable storage mechanism for keys and certificatesSecurity implications of clusters stretching over multiple data centersPrescriptive documentation on secure Ozone setup35Questions?36Please take a moment to rate this session.Your feedback is important to us.