HDDS-4897. [SCM HA Security] Create SCM Cert Client and change DefaultCA to allow selfsigned and intermediary

[bharatviswa504]

What changes were proposed in this pull request?

This PR implements

1. Create SCM CertClient, which generates a public key, private key, and generates CSR with ClusterID, SCMID.
2. Modify DefaultCA Server to work in 2 modes, SELF_SIGNED_CA and INTERMEDIARY_CA.
3. Modify SCMStorageConfig to persist SCM cert serial ID.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-4897

How was this patch tested?

Added tests

[xiaoyuyao]

Thanks @bharatviswa504 for working on this and the offline discussions. The PR LGTM overall, a few comments added inline.

[xiaoyuyao]

This seems to overlap with most of the existing DefaultCAServer#generateSelfSignedCA, can we dedup the code?

[bharatviswa504]

I see it is completely different. As DefaultCAServer uses its own SelfSignedCertificate builder and persist, whereas this new method uses generate CSR and persist.

Where as taken care of dedup between getRootCASignedSCMCert and this method.

[xiaoyuyao]

Can you add some comments to highlight this is only used for Sub-CA?

[bharatviswa504]

Done

[xiaoyuyao]

Can we keep the root ca subject scm@host to be backward compatible?

[xiaoyuyao]

The sub scm can have scm-sub@host

[bharatviswa504]

Done

[xiaoyuyao]

this sub scm cert should have subject like scm-sub@host.

[bharatviswa504]

Done

[xiaoyuyao]

should we start with the DefaultCAProfile?

[bharatviswa504]

When this PR code is integrated, when 2 CA Servers are started will change this. It will come in next in PR. As to make current code work, used DefaultProfile

[xiaoyuyao]

Can we combine the exception handling if the logic are the same?

[bharatviswa504]

done

[xiaoyuyao]

should we check the result from RPC response before attempting further operations?

[bharatviswa504]

Already ClientSideTranslator has performed this. So, check if it has a certificate should be enough.

  private SCMSecurityResponse handleError(SCMSecurityResponse resp)
      throws SCMSecurityException {
    if (resp.getStatus() != SCMSecurityProtocolProtos.Status.OK) {
      throw new SCMSecurityException(resp.getMessage(),
          SCMSecurityException.ErrorCode.values()[resp.getStatus().ordinal()]);
    }
    return resp;
  }

[xiaoyuyao]

Can you elaborate the logic behind this? Are we assume only the root CA start with the DefaultCAProfile?

[bharatviswa504]

My idea here is DefaultCAProfile when used by CA Server it will issue only CA Certificate.
And RootCA Server right now starts with DefaultCAProfile on fresh installed clusters, where as on upgraded cluster from non-HA rootCAServer will be started like before with DefaultProfile. The integration of DefaultCAServer and starting 2 CA will be taken care in further Jiras.

[xiaoyuyao]

bq. My idea here is DefaultCAProfile when used by CA Server it will issue only CA Certificate.
Should we rename to RootCAProfile in this case?

Also, when Primary starts two DefaultCA server in the follow up JIRA, one with RootCAProfile and one without?

[bharatviswa504]

Also, when Primary starts two DefaultCA server in the follow up JIRA, one with RootCAProfile and one without?
Yes.

[bharatviswa504]

Thank You @xiaoyuyao for the review. I have addressed/replied to the review comments.

[xiaoyuyao]

Thanks @bharatviswa504 for the update. Just few questions inline. Otherwise, LGTM.

[xiaoyuyao]

bq. My idea here is DefaultCAProfile when used by CA Server it will issue only CA Certificate.
Should we rename to RootCAProfile in this case?

Also, when Primary starts two DefaultCA server in the follow up JIRA, one with RootCAProfile and one without?

[bharatviswa504]

Thank You @xiaoyuyao for the review