In secure mode, Ozone issues tokens to authorize each block (and container) access. Each token is signed by Ozone (OM or SCM) using its RSA private keys and verified by datanodes using a public key and certificate. With the RSA private key size of 2048, the sign operation is very costly and contributes more than 80% to the latency of read/write operations in Ozone Manager.

This feature branch contains the implementation to replace RSA token signing with symmetric keys and thus greatly boosts OM performance.

Epic Jira:  HDDS-7733 - Getting issue details... STATUS

1. builds/intermittent test failures

The feature branch has introduced no additional flaky tests.

2. documentation

The documentation for this change is added by  HDDS-8631 - Getting issue details... STATUS .

3. design, attached the docs

Design document can be found here (can be found in the epic JIRA). 

4. s3 compatibility

This feature branch doesn't break any S3 feature.

5. docker-compose / acceptance tests

Block/container tokens are already tested well by the existing acceptance tests. 

6. support of containers / Kubernetes:

No addition yet.

7. coverage/code quality: 

Master and HDDS-7733-Symmetric-Tokens

8. build time

No significant change

9. possible incompatible changes/used feature flag: 

There is no incompatible change introduced with this feature.

10. third party dependencies/licence changes:

No new dependency is added.

11. performance

Performance improvements are documented by  HDDS-8574 - Getting issue details... STATUS

12. security considerations

  • This feature branch adds a couple of new APIs to allow OM and Datanode to access secret keys in OM. Those APIs are protected over Hadoop RPC secure line, with Privacy enabled. Also, the APIs are authorized to only allow Datanode and OM to access, ref: HDDS-8164 - Getting issue details... STATUS .
  • No labels