HDDS-1065. OM and DN should persist SCM certificate as the trust root. Contributed by Ajay Kumar.

Author: Ajay Kumar

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java

@@ -135,10 +135,11 @@ boolean verifySignature(byte[] data, byte[] signature,
    *
    * @param pemEncodedCert        - pem encoded X509 Certificate
    * @param force                 - override any existing file
+   * @param caCert                - Is CA certificate.
    * @throws CertificateException - on Error.
    *
    */
-  void storeCertificate(String pemEncodedCert, boolean force)
+  void storeCertificate(String pemEncodedCert, boolean force, boolean caCert)
       throws CertificateException;
 
   /**

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java

@@ -80,6 +80,7 @@
 public abstract class DefaultCertificateClient implements CertificateClient {
 
   private static final String CERT_FILE_NAME_FORMAT = "%s.crt";
+  private static final String CA_CERT_PREFIX = "CA-";
   private final Logger logger;
   private final SecurityConfig securityConfig;
   private final KeyCodec keyCodec;
@@ -251,7 +252,7 @@ private X509Certificate getCertificateFromScm(String certId)
           (OzoneConfiguration) securityConfig.getConfiguration());
       String pemEncodedCert =
           scmSecurityProtocolClient.getCertificate(certId);
-      this.storeCertificate(pemEncodedCert, true);
+      this.storeCertificate(pemEncodedCert, true, false);
       return CertificateCodec.getX509Certificate(pemEncodedCert);
     } catch (Exception e) {
       getLogger().error("Error while getting Certificate with " +
@@ -452,14 +453,15 @@ public X509Certificate queryCertificate(String query) {
    * Stores the Certificate  for this client. Don't use this api to add trusted
    * certificates of others.
    *
-   * @param pemEncodedCert - pem encoded X509 Certificate
-   * @param force - override any existing file
+   * @param pemEncodedCert        - pem encoded X509 Certificate
+   * @param force                 - override any existing file
+   * @param caCert                - Is CA certificate.
    * @throws CertificateException - on Error.
    *
    */
   @Override
-  public void storeCertificate(String pemEncodedCert, boolean force)
-      throws CertificateException {
+  public void storeCertificate(String pemEncodedCert, boolean force,
+      boolean caCert) throws CertificateException {
     CertificateCodec certificateCodec = new CertificateCodec(securityConfig);
     try {
       Path basePath = securityConfig.getCertificateLocation();
@@ -469,6 +471,10 @@ public void storeCertificate(String pemEncodedCert, boolean force)
       String certName = String.format(CERT_FILE_NAME_FORMAT,
           cert.getSerialNumber().toString());
 
+      if(caCert) {
+        certName = CA_CERT_PREFIX + certName;
+      }
+
       certificateCodec.writeCertificate(basePath, certName,
           pemEncodedCert, force);
       certificateMap.putIfAbsent(cert.getSerialNumber().toString(), cert);

hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.java

@@ -174,7 +174,7 @@ public void testCertificateOps() throws Exception {
     X509Certificate cert = omCertClient.getCertificate();
     assertNull(cert);
     omCertClient.storeCertificate(getPEMEncodedString(x509Certificate),
-        true);
+        true, false);
 
     cert = omCertClient.getCertificate(
         x509Certificate.getSerialNumber().toString());
@@ -327,9 +327,9 @@ public void testStoreCertificate() throws Exception {
     X509Certificate cert2 = generateX509Cert(keyPair);
     X509Certificate cert3 = generateX509Cert(keyPair);
 
-    dnCertClient.storeCertificate(getPEMEncodedString(cert1), true);
-    dnCertClient.storeCertificate(getPEMEncodedString(cert2), true);
-    dnCertClient.storeCertificate(getPEMEncodedString(cert3), true);
+    dnCertClient.storeCertificate(getPEMEncodedString(cert1), true, false);
+    dnCertClient.storeCertificate(getPEMEncodedString(cert2), true, false);
+    dnCertClient.storeCertificate(getPEMEncodedString(cert3), true, false);
 
     assertNotNull(dnCertClient.getCertificate(cert1.getSerialNumber()
         .toString()));

hadoop-hdds/container-service/src/main/java/org/apache/hadoop/ozone/HddsDatanodeService.java

@@ -268,10 +268,13 @@ private void getSCMSignedCert(OzoneConfiguration config) {
 
       String pemEncodedCert = secureScmClient.getDataNodeCertificate(
           datanodeDetails.getProtoBufMessage(), getEncodedString(csr));
-      dnCertClient.storeCertificate(pemEncodedCert, true);
+      dnCertClient.storeCertificate(pemEncodedCert, true, false);
       datanodeDetails.setCertSerialId(getX509Certificate(pemEncodedCert).
           getSerialNumber().toString());
       persistDatanodeDetails(datanodeDetails);
+      // Get SCM CA certificate and store it in filesystem.
+      String pemEncodedRootCert = secureScmClient.getCACertificate();
+      dnCertClient.storeCertificate(pemEncodedRootCert, true, true);
     } catch (IOException | CertificateException e) {
       LOG.error("Error while storing SCM signed certificate.", e);
       throw new RuntimeException(e);

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/TestSecureOzoneCluster.java

@@ -40,6 +40,7 @@
 import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
 import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
 import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
+import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
 import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
 import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
 import org.apache.hadoop.io.Text;
@@ -98,6 +99,7 @@
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.TOKEN_EXPIRED;
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.VOLUME_NOT_FOUND;
 import static org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod.KERBEROS;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
@@ -780,6 +782,12 @@ public void testSecureOmInitSuccess() throws Exception {
           "SCM signed certificate"));
       X509Certificate certificate = om.getCertificateClient().getCertificate();
       validateCertificate(certificate);
+      String pemEncodedCACert =
+          scm.getSecurityProtocolServer().getCACertificate();
+      X509Certificate caCert = CertificateCodec.getX509Cert(pemEncodedCACert);
+      X509Certificate caCertStored = om.getCertificateClient().getCertificate(caCert.getSerialNumber().
+          toString());
+      assertEquals(caCert, caCertStored);
     } finally {
       if (scm != null) {
         scm.stop();

hadoop-ozone/integration-test/src/test/java/org/apache/hadoop/ozone/client/CertificateClientTestImpl.java

@@ -137,9 +137,8 @@ public X509Certificate queryCertificate(String query) {
   }
 
   @Override
-  public void storeCertificate(String cert, boolean force)
+  public void storeCertificate(String cert, boolean force, boolean caCert)
       throws CertificateException {
-
   }
 
   /**

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java

@@ -1461,10 +1461,14 @@ private static void getSCMSignedCert(CertificateClient client,
         getEncodedString(csr));
 
     try {
-      client.storeCertificate(pemEncodedCert, true);
+      client.storeCertificate(pemEncodedCert, true, false);
       // Persist om cert serial id.
       omStore.setOmCertSerialId(CertificateCodec.
           getX509Certificate(pemEncodedCert).getSerialNumber().toString());
+
+      // Get SCM CA certificate and store it in filesystem.
+      String pemEncodedRootCert = secureScmClient.getCACertificate();
+      client.storeCertificate(pemEncodedRootCert, true, true);
     } catch (IOException | CertificateException e) {
       LOG.error("Error while storing SCM signed certificate.", e);
       throw new RuntimeException(e);